What is MTA-STS? 

MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security protocol designed to help protect transmission between email servers.

It ensures that all emails are sent across safe, encrypted connections by giving sending mail servers predefined instructions to follow when they attempt to communicate with your users. It works by creating a specialized DNS record, encryption key pair and digital signature for your email server, which require every email server that sends mail to your organization to comply with some fairly standard security requirements before delivery is allowed.

Any legitimate sender of email will already support these functions (and will have done so for many years), but this kind of protection specifically blocks two sinister means of assault used by the usual phishers and other malefactors: SMTP Downgrade and Man-in-the-Middle attacks.

How Does MTA-STS Work?

MTA-STS Creation

  • Policy File: The domain owner creates a policy file and hosts it on an HTTPS-enabled web server. This policy specifies the allowed mail servers for the domain, as well as the maximum age for which the policy may be cached (to avoid having to fetch the file every time an email needs to be sent). This policy file requires that mail sent to the mail servers it specifies as authorized adhere to the instructions laid out in it, such as forcing encryption of all mail.

  • DNS TXT Record: A DNS TXT record is published to signal that the domain supports MTA-STS.

Policy Enforcement

Sending servers check for the DNS record and fetch the published policy file. Following the policy's instructions, the sending server then establishes a secure TLS connection to deliver mail.

This prevents a MITM attack that strips the STARTTLS negotiation with which every email connection begins, leaving the remainder of the session unencrypted and easier to snoop on in transit: MTA-STS absolutely requires the sending mail server to negotiate TLS and will not allow a downgrade to a lower TLS mode, which is otherwise the standard behavior of the SMTP protocol.
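As an added illustration of both the policy artifacts described under MTA-STS Creation and the enforcement step above, here is example Python that is not code from the original page or from any mail transfer agent. It parses a constructed _mta-sts TXT record and policy file in the RFC 8461 format, then applies the cached policy to a simulated delivery attempt, refusing delivery in enforce mode when STARTTLS is absent, the certificate does not validate, or the MX host is not on the policy's list. The domain names, record contents and helper function names are assumptions made for this example.

```python
"""Added example: parse MTA-STS (RFC 8461) artifacts and apply the policy.
All sample data below is constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the TXT record published at _mta-sts.example.com.
SAMPLE_TXT_RECORD = "v=STSv1; id=20240101T000000;"

# Constructed sample: the policy file served over HTTPS at
# https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY_FILE = """version: STSv1
mode: enforce
mx: mail1.example.com
mx: *.backup.example.com
max_age: 604800
"""


@dataclass
class StsPolicy:
    version: str
    mode: str          # "enforce", "testing" or "none"
    mx: List[str]      # authorized MX hostnames, wildcards allowed
    max_age: int       # seconds the sender may cache this policy


def parse_txt_record(record: str) -> Optional[str]:
    """Return the policy id from a _mta-sts TXT record, or None if invalid."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            return None
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def parse_policy(text: str) -> StsPolicy:
    """Parse the 'key: value' policy file; raises ValueError on bad input."""
    mx_hosts: List[str] = []
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx_hosts.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    try:
        max_age = int(fields["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age is required and must be an integer")
    if mode != "none" and not mx_hosts:
        raise ValueError("at least one mx entry is required")
    return StsPolicy("STSv1", mode, mx_hosts, max_age)


def mx_matches(policy_mx: List[str], hostname: str) -> bool:
    """Exact match, or a '*.' wildcard matching exactly one leading label."""
    host = hostname.lower().rstrip(".")
    for pattern in policy_mx:
        if pattern.startswith("*."):
            suffix = pattern[1:]          # e.g. ".backup.example.com"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
        elif pattern == host:
            return True
    return False


def delivery_decision(policy: StsPolicy, mx_host: str, starttls_offered: bool,
                      cert_valid_for_mx: bool) -> Tuple[bool, str]:
    """Decide whether a sending MTA may deliver under a cached policy."""
    if policy.mode == "none":
        return True, "no policy in effect"
    problems = []
    if not mx_matches(policy.mx, mx_host):
        problems.append(f"MX {mx_host} not authorized by policy")
    if not starttls_offered:
        problems.append("STARTTLS not offered (possible downgrade)")
    elif not cert_valid_for_mx:
        problems.append("certificate does not validate for MX (possible MITM)")
    if not problems:
        return True, "TLS session to an authorized MX"
    detail = "; ".join(problems)
    if policy.mode == "testing":
        return True, f"testing mode, delivered but reportable: {detail}"
    return False, f"enforce mode, delivery refused: {detail}"


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY_FILE)
    print("policy id:", parse_txt_record(SAMPLE_TXT_RECORD))
    print(delivery_decision(policy, "mail1.example.com", True, True))
    print(delivery_decision(policy, "mail1.example.com", False, False))
```

The decision function models the two cases the text describes: a stripped STARTTLS is treated as a downgrade and a certificate that does not validate for the MX as a possible interception, and only in enforce mode does either one block delivery; in testing mode the message still goes out, which is why real deployments pair the policy with TLS reporting before switching modes.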

Benefits of MTA-STS 

Similarly to installing a deadbolt lock on a door, MTA-STS enhances protection while signaling to bad actors that an organization prioritizes security and that they’ll be a much harder target to attack.

In one stroke, MTA-STS builds onto the security that Transport Layer Security (TLS) already offers by enforcing its use, preventing SMTP Downgrade Attacks, which force sending mail servers to send their email payload over an unencrypted connection, as well as Man-in-the-Middle (MITM) attacks, in which an attacker can alter the content of the message itself before it reaches your mail system.

How MTA-STS Works Together with DMARC

While our comprehensive DMARC solution ensures that emails are sent from approved and secured email servers, MTA-STS protects and encrypts the communication lines between mail servers, especially inbound. This solves for vulnerabilities that DMARC alone does not fully cover: the potential for downgrade attacks and email tampering (MITM).

DMARC and MTA-STS together contribute to a holistic email security stack, keeping organizations safe from attackers at every stage of the email lifecycle.