SPF, DKIM, and DMARC protect against email spoofing, but they don't protect the email itself during transit. By default, SMTP delivers email in plaintext — any network observer can read the contents. STARTTLS adds encryption, but it's opportunistic and vulnerable to downgrade attacks. MTA-STS (Mail Transfer Agent Strict Transport Security) solves this by telling sending mail servers that your domain requires TLS encryption for email delivery.

The Problem with Opportunistic STARTTLS

STARTTLS upgrades an SMTP connection to TLS, but it has critical weaknesses:

Downgrade attacks: A man-in-the-middle can strip the STARTTLS command from the SMTP handshake, forcing plaintext delivery
No certificate validation: STARTTLS typically accepts any certificate, even self-signed or expired ones
No policy enforcement: The sending server has no way to know if the receiving server should support TLS

In practice, this means a network attacker can read or modify email in transit, even between servers that support encryption.

How MTA-STS Works

MTA-STS uses two components to enforce TLS:

1. DNS TXT Record

A TXT record at _mta-sts.example.com signals that MTA-STS is available and provides a policy version identifier:

_mta-sts.example.com.  TXT  "v=STSv1; id=20260222"

The id field changes whenever the policy is updated, telling sending servers to fetch the new policy.

2. Policy File via HTTPS

The actual policy is served as a text file over HTTPS at:

https://mta-sts.example.com/.well-known/mta-sts.txt

Example policy file:

version: STSv1
mode: enforce
mx: mail.example.com
mx: backup-mail.example.com
max_age: 604800

Policy Fields

version: Always "STSv1"
mode: "testing" (report only), "enforce" (require TLS), or "none" (disable MTA-STS)
mx: Authorized mail server hostnames (must match MX records). Wildcards supported.
max_age: How long (in seconds) the policy should be cached by sending servers

Implementing MTA-STS

Step 1: Verify TLS on Your Mail Servers

Before enabling MTA-STS, confirm that your MX servers support TLS with valid certificates:

# Test TLS connection to your mail server
openssl s_client -starttls smtp -connect mail.example.com:25

Step 2: Create the MTA-STS Policy File

version: STSv1
mode: testing
mx: mail.example.com
mx: *.example.com
max_age: 86400

Start with mode: testing to receive reports without blocking email delivery.

Step 3: Host the Policy File

The file must be served at https://mta-sts.example.com/.well-known/mta-sts.txt with:

Valid HTTPS certificate for mta-sts.example.com
Content-Type: text/plain
Accessible without authentication

Step 4: Add the DNS TXT Record

_mta-sts.example.com.  TXT  "v=STSv1; id=20260222001"

Step 5: Set Up TLS-RPT (Reporting)

TLS-RPT (RFC 8460) provides reports on MTA-STS policy application. Add a DNS record:

_smtp._tls.example.com.  TXT  "v=TLSRPTv1; rua=mailto:tls-reports@example.com"

Sending servers will email daily aggregate reports about TLS connection successes and failures.

Step 6: Switch to Enforce Mode

After monitoring reports in testing mode and confirming no issues:

version: STSv1
mode: enforce
mx: mail.example.com
max_age: 604800

Update the DNS TXT record ID to trigger policy refresh:

_mta-sts.example.com.  TXT  "v=STSv1; id=20260222002"

Hosting MTA-STS on Popular Platforms

Google Workspace

If you use Google Workspace for email, your MX records point to Google's servers:

version: STSv1
mode: enforce
mx: aspmx.l.google.com
mx: *.aspmx.l.google.com
mx: *.googlemail.com
max_age: 604800

Microsoft 365

version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
max_age: 604800

MTA-STS vs DANE

MTA-STS uses HTTPS to serve the policy. Works without DNSSEC. Simpler to deploy.
DANE/TLSA uses DNS records (secured by DNSSEC) to pin certificates. Stronger guarantees but requires DNSSEC infrastructure.

For most organizations, MTA-STS is easier to deploy and provides sufficient protection against SMTP downgrade attacks.

MTA-STS Checklist

Verify TLS is working on all your MX servers with valid certificates
Create the MTA-STS policy file with mode: testing
Host the policy at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
Add the _mta-sts DNS TXT record
Set up TLS-RPT for monitoring reports
Monitor reports for TLS connection failures
Switch to mode: enforce after confirming no issues
Run a SecScanner scan to verify MTA-STS configuration

MTA-STS closes a critical gap in email security. While SPF, DKIM, and DMARC prevent spoofing, MTA-STS ensures the email content itself is encrypted in transit — protecting sensitive communications from interception.

The Problem with Opportunistic STARTTLS

STARTTLS upgrades an SMTP connection to TLS, but it has critical weaknesses:

Downgrade attacks: A man-in-the-middle can strip the STARTTLS command from the SMTP handshake, forcing plaintext delivery
No certificate validation: STARTTLS typically accepts any certificate, even self-signed or expired ones
No policy enforcement: The sending server has no way to know if the receiving server should support TLS

In practice, this means a network attacker can read or modify email in transit, even between servers that support encryption.

How MTA-STS Works

MTA-STS uses two components to enforce TLS:

1. DNS TXT Record

A TXT record at _mta-sts.example.com signals that MTA-STS is available and provides a policy version identifier:

_mta-sts.example.com.  TXT  "v=STSv1; id=20260222"

The id field changes whenever the policy is updated, telling sending servers to fetch the new policy.

2. Policy File via HTTPS

The actual policy is served as a text file over HTTPS at:

https://mta-sts.example.com/.well-known/mta-sts.txt

Example policy file:

version: STSv1
mode: enforce
mx: mail.example.com
mx: backup-mail.example.com
max_age: 604800

Policy Fields

version: Always "STSv1"
mode: "testing" (report only), "enforce" (require TLS), or "none" (disable MTA-STS)
mx: Authorized mail server hostnames (must match MX records). Wildcards supported.
max_age: How long (in seconds) the policy should be cached by sending servers

Implementing MTA-STS

Step 1: Verify TLS on Your Mail Servers

Before enabling MTA-STS, confirm that your MX servers support TLS with valid certificates:

# Test TLS connection to your mail server
openssl s_client -starttls smtp -connect mail.example.com:25

Step 2: Create the MTA-STS Policy File

version: STSv1
mode: testing
mx: mail.example.com
mx: *.example.com
max_age: 86400

Start with mode: testing to receive reports without blocking email delivery.

Step 3: Host the Policy File

The file must be served at https://mta-sts.example.com/.well-known/mta-sts.txt with:

Valid HTTPS certificate for mta-sts.example.com
Content-Type: text/plain
Accessible without authentication

Step 4: Add the DNS TXT Record

_mta-sts.example.com.  TXT  "v=STSv1; id=20260222001"

Step 5: Set Up TLS-RPT (Reporting)

TLS-RPT (RFC 8460) provides reports on MTA-STS policy application. Add a DNS record:

_smtp._tls.example.com.  TXT  "v=TLSRPTv1; rua=mailto:tls-reports@example.com"

Sending servers will email daily aggregate reports about TLS connection successes and failures.

Step 6: Switch to Enforce Mode

After monitoring reports in testing mode and confirming no issues:

version: STSv1
mode: enforce
mx: mail.example.com
max_age: 604800

Update the DNS TXT record ID to trigger policy refresh:

_mta-sts.example.com.  TXT  "v=STSv1; id=20260222002"

Hosting MTA-STS on Popular Platforms

Google Workspace

If you use Google Workspace for email, your MX records point to Google's servers:

version: STSv1
mode: enforce
mx: aspmx.l.google.com
mx: *.aspmx.l.google.com
mx: *.googlemail.com
max_age: 604800

Microsoft 365

version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
max_age: 604800

MTA-STS vs DANE

MTA-STS uses HTTPS to serve the policy. Works without DNSSEC. Simpler to deploy.
DANE/TLSA uses DNS records (secured by DNSSEC) to pin certificates. Stronger guarantees but requires DNSSEC infrastructure.

For most organizations, MTA-STS is easier to deploy and provides sufficient protection against SMTP downgrade attacks.

MTA-STS Checklist

Verify TLS is working on all your MX servers with valid certificates
Create the MTA-STS policy file with mode: testing
Host the policy at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
Add the _mta-sts DNS TXT record
Set up TLS-RPT for monitoring reports
Monitor reports for TLS connection failures
Switch to mode: enforce after confirming no issues
Run a SecScanner scan to verify MTA-STS configuration

The Problem with Opportunistic STARTTLS

How MTA-STS Works

1. DNS TXT Record

2. Policy File via HTTPS

Policy Fields

Implementing MTA-STS

Step 1: Verify TLS on Your Mail Servers

Step 2: Create the MTA-STS Policy File

Step 3: Host the Policy File

Step 4: Add the DNS TXT Record

Step 5: Set Up TLS-RPT (Reporting)

Step 6: Switch to Enforce Mode

Hosting MTA-STS on Popular Platforms

Google Workspace

Microsoft 365

MTA-STS vs DANE

MTA-STS Checklist

Related Articles

Email Security with SPF, DKIM, and DMARC: A Complete Guide

DNSSEC Explained: Protect Your Domain from DNS Spoofing Attacks

CAA DNS Records: Control Who Can Issue Certificates for Your Domain

Check Your Website Security

The Problem with Opportunistic STARTTLS

How MTA-STS Works

1. DNS TXT Record

2. Policy File via HTTPS

Policy Fields

Implementing MTA-STS

Step 1: Verify TLS on Your Mail Servers

Step 2: Create the MTA-STS Policy File

Step 3: Host the Policy File

Step 4: Add the DNS TXT Record

Step 5: Set Up TLS-RPT (Reporting)

Step 6: Switch to Enforce Mode

Hosting MTA-STS on Popular Platforms

Google Workspace

Microsoft 365

MTA-STS vs DANE

MTA-STS Checklist

Related Articles

Email Security with SPF, DKIM, and DMARC: A Complete Guide

DNSSEC Explained: Protect Your Domain from DNS Spoofing Attacks

CAA DNS Records: Control Who Can Issue Certificates for Your Domain

Check Your Website Security