MTA-STS (Mail Transfer Agent Strict Transport Security) mandates TLS encryption for SMTP connections, elevating email delivery security for domains that adopt the protocol. Unlike opportunistic TLS, which defaults to unencrypted delivery if TLS isn't available, MTA-STS directs compliant senders to only use encrypted connections, actively preventing data interception and tampering. Effectiveness hinges on the sender's implementation of MTA-STS, with non-compliant senders falling back to the less secure opportunistic TLS.
Does MTA-STS guarantee that all mail will use TLS connections?
It depends on the sender's server. For those that support MTA-STS, TLS encryption will be enforced according to your domain's policy, enhancing the security of email communications. However, if a sender's system does not recognize MTA-STS, emails may default to opportunistic TLS or potentially not use encryption, depending on the sender's configuration.
Follow these step-by-step instructions to set up MTA-STS for your domain, using example.com (replace it with your domain and assigned MX records).

1. Create a file named mta-sts.txt containing your MTA-STS policy. Start with the mode set to testing, and change testing to enforce once you're confident everything is working correctly.

2. Upload the mta-sts.txt file to a web server accessible via HTTPS on the mta-sts subdomain (replace example.com with your domain name).

3. Create a DNS TXT record for the _mta-sts.example.com subdomain with the following value:

v=STSv1; id=DateTimeValue

DateTimeValue should be replaced with a number that represents the current date and should be updated whenever the policy is changed. Example value: 20240306

4. To receive reports on TLS issues, create a DNS TXT record for _smtp._tls.example.com:

v=TLSRPTv1; rua=mailto:tls-reports@example.com

Replace tls-reports@example.com with the email address where you want to receive the reports.

After setting up MTA-STS and optionally TLS-RPT, monitor your reports and check your web server logs to ensure that external servers are fetching your MTA-STS policy. If you're in testing mode, you can switch to enforce mode once you're satisfied with the setup.
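The following validator is an added example, not code from the original page. It checks the three artefacts the steps above produce before you publish them: the mta-sts.txt policy body (which RFC 8461 serves at https://mta-sts.<domain>/.well-known/mta-sts.txt), the _mta-sts TXT record, and the _smtp._tls TLS-RPT record. It also shows why the id must change whenever the policy changes: compliant senders cache the policy for max_age seconds and only refetch it when the id differs, so a changed file under an unchanged id is silently ignored. The example.com policy, hostnames and report address below are constructed sample values; the field rules (STSv1, mode enforce/testing/none, max_age capped at one year, one wildcard label in mx patterns, a 1-32 character alphanumeric id) follow RFC 8461 and RFC 8460.

```python
import re

# RFC 8461 caps max_age at one year in seconds; an "mx" pattern may carry one
# leading wildcard label; the _mta-sts TXT record id is 1-32 alphanumerics.
MAX_AGE_LIMIT = 31_557_600
MX_PATTERN = re.compile(r"(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)
STS_ID = re.compile(r"[a-z0-9]{1,32}$", re.I)

# Constructed sample artefacts for example.com (not taken from the page).
SAMPLE_POLICY = """version: STSv1
mode: testing
mx: mail.example.com
mx: *.example.com
max_age: 86400
"""
SAMPLE_STS_RECORD = "v=STSv1; id=20240306"
SAMPLE_TLSRPT_RECORD = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"


def parse_policy(text):
    """Parse an mta-sts.txt body into a dict; raise ValueError on any defect."""
    fields, mx = {}, []
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":  # the only field that may repeat
            if not MX_PATTERN.match(value):
                raise ValueError(f"bad mx pattern: {value!r}")
            mx.append(value.lower())
        elif key in fields:
            raise ValueError(f"duplicate field: {key}")
        else:
            fields[key] = value
    for required in ("version", "mode", "max_age"):
        if required not in fields:
            raise ValueError(f"missing field: {required}")
    if fields["version"] != "STSv1":
        raise ValueError(f"unsupported version: {fields['version']!r}")
    if fields["mode"] not in ("enforce", "testing", "none"):
        raise ValueError(f"bad mode: {fields['mode']!r}")
    if not fields["max_age"].isdigit() or int(fields["max_age"]) > MAX_AGE_LIMIT:
        raise ValueError(f"max_age must be 0..{MAX_AGE_LIMIT} seconds")
    if fields["mode"] != "none" and not mx:
        raise ValueError("at least one mx entry is needed unless mode is none")
    return {"version": "STSv1", "mode": fields["mode"],
            "max_age": int(fields["max_age"]), "mx": mx}


def mx_matches(pattern, host):
    """True if an MX hostname is covered by one policy mx pattern. A leading
    "*." matches exactly one label: *.example.com covers mail.example.com but
    neither example.com nor a.b.example.com."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        head = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(head) and "." not in head
    return host == pattern


def policy_covers_mx(policy, host):
    """Every MX host your domain publishes must match some mx pattern, or
    MTA-STS-aware senders will refuse to deliver once mode is enforce."""
    return any(mx_matches(p, host) for p in policy["mx"])


def parse_tagged_record(record):
    """Split 'k=v; k=v' TXT record text into a dict."""
    tags = {}
    for pair in (p.strip() for p in record.split(";") if p.strip()):
        if "=" not in pair:
            raise ValueError(f"malformed tag: {pair!r}")
        key, value = pair.split("=", 1)
        tags[key.strip()] = value.strip()
    return tags


def parse_sts_record(record):
    """Validate the _mta-sts TXT record and return its id."""
    tags = parse_tagged_record(record)
    if tags.get("v") != "STSv1":
        raise ValueError("_mta-sts record must carry v=STSv1")
    if not STS_ID.match(tags.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return tags["id"]


def parse_tlsrpt_record(record):
    """Validate the _smtp._tls TXT record and return its report URIs."""
    tags = parse_tagged_record(record)
    if tags.get("v") != "TLSRPTv1":
        raise ValueError("_smtp._tls record must carry v=TLSRPTv1")
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris or not all(u.startswith(("mailto:", "https://")) for u in uris):
        raise ValueError("rua must list one or more mailto: or https: URIs")
    return uris


def needs_new_id(old_policy, new_policy, old_id, new_id):
    """Senders refetch the policy only when the TXT id changes, so a changed
    policy body published under the same id is a deployment mistake."""
    return parse_policy(old_policy) != parse_policy(new_policy) and old_id == new_id


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print(policy["mode"], policy_covers_mx(policy, "mx1.example.com"))
    print(parse_sts_record(SAMPLE_STS_RECORD), parse_tlsrpt_record(SAMPLE_TLSRPT_RECORD))
```

Run it against the file you are about to upload and the TXT values you are about to publish; the mx check is the one worth repeating every time you add or rename an MX host, since a hostname missing from the policy only bites after you move to enforce.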