Advanced Email Security with MTA-STS

What is the purpose of MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) mandates TLS encryption for SMTP connections, elevating email delivery security for domains that adopt the protocol. Unlike opportunistic TLS, which defaults to unencrypted delivery if TLS isn't available, MTA-STS directs compliant senders to only use encrypted connections, actively preventing data interception and tampering. Effectiveness hinges on the sender's implementation of MTA-STS, with non-compliant senders falling back to the less secure opportunistic TLS.

Does MTA-STS guarantee that all mail will use TLS connections?

It depends on the sender's server. For those that support MTA-STS, TLS encryption will be enforced according to your domain's policy, enhancing the security of email communications. However, if a sender's system does not recognize MTA-STS, emails may default to opportunistic TLS or potentially not use encryption, depending on the sender's configuration.


How do I set up MTA-STS for my domain?

Follow these step-by-step instructions to set up MTA-STS for your domain, using example.com (replace it with your domain and assigned MX records).

Step 1: Publish Your MTA-STS Policy

  1. Create the MTA-STS Policy File: Create a text file named mta-sts.txt containing your MTA-STS policy.

    • Replace the MX records with the MX records that are assigned to your domain.
    • Replace testing with enforce once you're confident everything is working correctly.

  2. Set up the Policy File on your web server: Upload the above mta-sts.txt file to a web server accessible via HTTPS on the mta-sts subdomain:

    https://mta-sts.example.com/.well-known/mta-sts.txt

    • Replace example.com with your domain name.
    • Ensure your server presents a valid certificate for the mta-sts subdomain.


Step 2: Publish the MTA-STS DNS Record

Create a DNS TXT record for the _mta-sts.example.com subdomain with the following value:

v=STSv1; id=DateTimeValue

  • Replace DateTimeValue with a number that represents the current date, and update it whenever the policy file is changed so that senders refresh their cached copy. Example value: 20240306


Step 3: Set Up TLS-RPT (optional)

To receive reports on TLS issues, create a DNS TXT record for _smtp._tls.example.com:

v=TLSRPTv1; rua=mailto:tls-reports@example.com

  • Replace tls-reports@example.com with the email address where you want to receive the reports.

Step 4: Confirm Your Setup

After setting up MTA-STS and optionally TLS-RPT, monitor your reports and check your web server logs to ensure that external servers are fetching your MTA-STS policy. If you're in testing mode, you can switch to enforce mode once you're satisfied with the setup.
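As an added example (not part of this article), the following Python checks that the pieces from Steps 1 to 3 are consistent with each other and with your MX hosts before you switch to enforce. The TXT record, policy text and MX list are constructed samples standing in for a real DNS lookup and HTTPS fetch; the mx matching also handles wildcard entries (*.example.com), which the steps above do not mention.

```python
# Added example (not from the original article): an offline consistency check for
# the MTA-STS pieces set up above. Constructed samples stand in for real lookups.
ALLOWED_MODES = {"testing", "enforce", "none"}
SAMPLE_TXT = "v=STSv1; id=20240306"                               # constructed
SAMPLE_POLICY = ("version: STSv1\nmode: testing\nmx: mx1.example.com\n"
                 "mx: *.example.com\nmax_age: 604800\n")          # constructed

def parse_sts_txt(txt):
    """Return the policy id from a '_mta-sts' TXT record, or None if malformed."""
    fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]

def parse_policy(text):
    """Parse the mta-sts.txt body into a dict; 'mx' collects every mx line."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:                 # skips blank lines and junk
            continue
        key, _, value = [s.strip() for s in line.partition(":")]
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def mx_matches(pattern, host):
    """RFC 8461 mx matching: '*.example.com' covers exactly one leftmost label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):            # pattern[1:] is the ".example.com" suffix
        return host.endswith(pattern[1:]) and "." not in host[:1 - len(pattern)]
    return host == pattern

def check_mta_sts(txt_record, policy_text, mx_hosts):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    if parse_sts_txt(txt_record) is None:
        problems.append("_mta-sts TXT record must be 'v=STSv1; id=<value>'")
    p = parse_policy(policy_text)
    if p.get("version") != "STSv1":
        problems.append("policy version must be STSv1")
    if p.get("mode") not in ALLOWED_MODES:
        problems.append("mode must be testing, enforce or none")
    if not p.get("max_age", "").isdigit():
        problems.append("max_age must be a non-negative integer (seconds)")
    for host in mx_hosts:
        if not any(mx_matches(pat, host) for pat in p["mx"]):
            problems.append("MX host %s is not covered by any mx entry" % host)
    return problems
```

check_mta_sts(SAMPLE_TXT, SAMPLE_POLICY, ["mx1.example.com", "mx2.example.com"]) returns an empty list; feed it your real TXT record, the policy fetched from the well-known URL and your domain's MX hosts to see any mismatch before enforcing.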

Last updated March 29, 2024