CyAlly Advisories and Publications

What is MTA-STS

Written by CyAlly Advisory Team | Oct 20, 2023 3:47:36 PM

Increase email security by turning on MTA Strict Transport Security (MTA-STS) for your domain. MTA-STS improves email security by requiring authentication checks and encryption for email sent to your domain. Use Transport Layer Security (TLS) reporting to get information about external server connections to your domain.

Like all mail providers, email uses Simple Mail Transfer Protocol (SMTP) to send and receive messages. SMTP alone does not provide security, and many SMTP servers don’t have added security to prevent malicious attacks.

For example, SMTP is vulnerable to man-in-the-middle attacks. Man-in-the-middle is an attack where communication between two servers is intercepted and possibly changed without detection. Using MTA-STS to secure mail server connections helps prevent these types of attacks.

Learn more about MTA-STS (RFC 8461) and TLS Reporting (RFC 8460)

MTA-STS email security

SMTP connections for email are more secure when the sending server supports MTA-STS and the receiving server has an MTA-STS policy in enforced mode.

Receiving mail: When you turn on MTA-STS for your domain, you request external mail servers to send messages to your domain only when the SMTP connection is both:

  • Authenticated with a valid public certificate
  • Encrypted with TLS 1.2 or higher

Mail servers that support MTA-STS will send messages to your domain only over connections that have both authentication and encryption.

Sending mail: Email messages from your domain comply with MTA-STS when sent to external servers with an MTA-STS policy in enforced mode.

TLS reporting

When you turn on TLS reporting, you request daily reports from external mail servers that connect to your domain. The reports have information about any connection problems the external servers find when sending mail to your domain. Use report data to identify and fix security issues with your mail server.