What is RFC 8461 (MTA-STS)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Most email encryption is opportunistic. Your server asks the receiving server "can we use TLS?" and if the answer is no, the email goes through unencrypted anyway. That's a problem, because an attacker sitting in the middle can just say "no" on the receiving server's behalf and force your message to travel in plain text. RFC 8461 was written to fix exactly that.
MTA-STS (SMTP MTA Strict Transport Security) lets a domain publish a policy that says "emails to us must travel over encrypted TLS connections, full stop." If a sending server checks that policy and can't establish a valid encrypted connection, it refuses to deliver rather than falling back to plain text. No silent downgrades.
Here's how it actually works. When a sending mail server prepares to deliver email to your domain, it looks for two things. First, a DNS TXT record at _mta-sts.yourdomain.com that signals a policy exists and gives it a version ID. Second, a plain-text policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. That file tells sending servers which mail hosts are valid for your domain and whether the policy is in enforce mode or just testing mode.
A typical policy file looks something like this:
version: STSv1
mode: enforce
mx: mail.yourdomain.com
max_age: 604800
Now once a sending server fetches and caches this policy, it will enforce TLS for all future deliveries to your domain until the policy expires. That's the caching part that makes MTA-STS resilient. Even if an attacker later tries to hijack the DNS lookup, the sending server already knows what your policy says.
MTA-STS is worth pairing with TLS Reporting (RFC 8460), which gives you a channel to receive failure reports when connections to your domain can't meet the policy. Without it, you're flying blind.
It's also worth knowing how MTA-STS differs from DANE. DANE uses DNSSEC-signed records to pin certificates at the DNS level. MTA-STS uses HTTPS to serve the policy file, which means it works without DNSSEC and is easier to set up for most domains. They're solving a similar problem through different mechanisms. MTA-STS has seen wider adoption partly because DNSSEC deployment is still patchy.
You can check whether your domain has a valid MTA-STS setup with our free MTA-STS checker. If something looks off, our SOS hotline is free and we're happy to walk through it with you.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.