MTA-STS
MTA-STS forces sending mail servers to use TLS when delivering to your domain. Closes the downgrade-attack hole in SMTP.
MTA-STS (Mail Transfer Agent Strict Transport Security) is the email equivalent of HSTS. It tells other mail servers: "When you deliver mail to my domain, you MUST use TLS, and you MUST validate my certificate against this list of MX hosts."
Without MTA-STS, SMTP TLS is opportunistic. A network attacker can strip the STARTTLS upgrade and force the connection to plain text. The sender goes along with it because plain SMTP is the fallback. MTA-STS removes the fallback.
How it works
- You publish a DNS TXT record at _mta-sts.yourdomain.com:

  _mta-sts.yourdomain.com. IN TXT "v=STSv1; id=20260101000000"

- You host a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt:

  version: STSv1
  mode: enforce
  mx: mail.yourdomain.com
  mx: *.yourdomain.com
  max_age: 86400

- Sending servers (Gmail, Outlook, etc.) fetch the policy, cache it for max_age seconds, and refuse to deliver mail in plain text, to MX hosts not in the list, or to a host whose certificate doesn't validate.
The three modes
- none: turn off MTA-STS for this domain.
- testing: collect TLS-RPT reports of what would fail, don't actually reject.
- enforce: reject delivery when TLS isn't usable.
Start with testing for a few weeks, watch the TLS-RPT reports, then flip to enforce.
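The fetch, parse and enforce flow from the steps above, together with the three modes, as an added Python example (not code from the original article): it parses a constructed _mta-sts TXT record and policy file, applies the mx matching rule (a leading * covers exactly one label), decides deliver / deliver-and-report / reject according to the mode, and models the max_age / id cache refresh a sender performs. The record contents and hostnames are constructed sample data; nothing is fetched from DNS or HTTPS.

```python
"""Added example: a small model of the checks a sending MTA performs under
MTA-STS (RFC 8461) when delivering to a domain. Sample inputs are constructed."""

import time
from dataclasses import dataclass

# Constructed sample inputs: what a DNS lookup and an HTTPS fetch would return.
SAMPLE_TXT = 'v=STSv1; id=20260101000000'
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.yourdomain.com
mx: *.yourdomain.com
max_age: 86400
"""


def parse_sts_txt(txt: str) -> dict:
    """Parse the _mta-sts.<domain> TXT record into key/value pairs.
    Requires v=STSv1 and a non-empty id; anything else is 'no policy'."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed TXT field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid MTA-STS TXT record")
    return fields


@dataclass
class Policy:
    version: str
    mode: str
    mx: list
    max_age: int


def parse_policy(text: str) -> Policy:
    """Parse the body of /.well-known/mta-sts.txt (one 'key: value' per line)."""
    mx, other = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            mx.append(value.lower())
        else:
            other[key] = value
    if other.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if other.get("mode") not in ("none", "testing", "enforce"):
        raise ValueError("mode must be none, testing or enforce")
    max_age = int(other.get("max_age", "-1"))
    if not 0 <= max_age <= 31557600:  # RFC 8461 caps max_age at one year
        raise ValueError("max_age out of range")
    if other["mode"] != "none" and not mx:
        raise ValueError("a testing/enforce policy needs at least one mx entry")
    return Policy(other["version"], other["mode"], mx, max_age)


def mx_matches(host: str, pattern: str) -> bool:
    """mx matching: exact match, or a leading '*.' that covers exactly one label,
    so *.yourdomain.com matches mail.yourdomain.com but not yourdomain.com
    or a.b.yourdomain.com."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]  # ".yourdomain.com"
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]
    return bool(prefix) and "." not in prefix


def delivery_decision(policy: Policy, mx_host: str, tls_ok: bool) -> str:
    """What a sender does for one MX candidate. tls_ok means STARTTLS succeeded
    AND the certificate validated for mx_host. Returns 'deliver',
    'deliver+report' (testing mode) or 'reject' (enforce mode)."""
    if policy.mode == "none":
        return "deliver"
    if tls_ok and any(mx_matches(mx_host, p) for p in policy.mx):
        return "deliver"
    # Plain-text fallback or an MX host outside the policy: a policy failure.
    return "reject" if policy.mode == "enforce" else "deliver+report"


def needs_refetch(cached_id: str, cached_at: float, max_age: int,
                  current_txt: str, now: float = None) -> bool:
    """Re-fetch the policy when the cache has expired or the TXT id changed."""
    now = time.time() if now is None else now
    if now - cached_at >= max_age:
        return True
    return parse_sts_txt(current_txt)["id"] != cached_id


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print(f"id={parse_sts_txt(SAMPLE_TXT)['id']} mode={policy.mode} mx={policy.mx}")
    for host, tls in [("mail.yourdomain.com", True), ("mail.yourdomain.com", False),
                      ("mx.attacker.example", True)]:
        print(f"{host} tls_ok={tls} -> {delivery_decision(policy, host, tls)}")
```

Flip the constructed policy to mode: testing and the same failures turn into deliver+report, which is the whole point of the staged rollout: the TLS-RPT data shows you what enforce would have rejected before anything is actually bounced.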
DNSSEC alternative: DANE
DANE (DNS-based Authentication of Named Entities) achieves a similar outcome via DNSSEC-signed TLSA records. The trade-off:
- DANE is more flexible but requires DNSSEC on your domain.
- MTA-STS doesn't require DNSSEC, just HTTPS at
mta-sts.yourdomain.com.
Gmail honors MTA-STS but not DANE. Outlook honors both. If your audience skews Gmail-heavy, MTA-STS is the practical pick.
When this matters
If you send any sensitive email (password resets, account verifications, financial confirmations) and any of your recipients use mail providers whose sending servers honor MTA-STS, you should publish a policy. Cost is low: one TXT record, one HTTPS endpoint serving a static file. Payoff is closing the SMTP TLS-downgrade attack vector.