SMTP MTA Strict Transport Security (MTA-STS)
Why You Should Care About MTA-STS
Without MTA-STS, email delivery between servers falls back to plaintext if the TLS connection fails. This is called opportunistic TLS - servers try to use encryption but do not require it. An attacker performing a man-in-the-middle attack can strip TLS from the connection, forcing email to be sent in plaintext where it can be read.
MTA-STS closes this gap by telling sending servers that your mail server requires TLS and has a valid certificate. If a sending server cannot establish a secure TLS connection, it should not deliver the email rather than falling back to plaintext. This prevents TLS stripping attacks.
The protocol requires hosting a policy file on a web server (HTTPS is required), which adds complexity compared to DNS-only solutions. However, it provides genuine protection against email interception that STARTTLS alone cannot. Combined with TLS-RPT for reporting, MTA-STS provides visibility into TLS failures in email delivery.
Settings Overview
| Component | Value |
|---|---|
| DNS record | _mta-sts.example.com TXT "v=STSv1; id=20260215" |
| Policy URL | https://mta-sts.example.com/.well-known/mta-sts.txt |
| Mode: testing | Reports failures without enforcing |
| Mode: enforce | Requires valid TLS for mail delivery |
| max_age | 604800 (1 week) to 31557600 (1 year) |
How to Check
A DNS health checker verifies the _mta-sts TXT record and fetches the policy file from your web server. Verify the policy mode is set to enforce (not testing) and that the mx field lists all your mail servers.
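As an added illustration (not code from the original page), here is a small Python checker that parses the `_mta-sts` TXT record and the policy file described above with RFC 8461 semantics and reports which MX hosts the policy's `mx` patterns fail to cover; the domain names, policy text and id are constructed sample data.

```python
import re

# Constructed sample inputs: the TXT record published at _mta-sts.example.com
# and the policy body served at https://mta-sts.example.com/.well-known/mta-sts.txt
TXT_RECORD = "v=STSv1; id=20260215"
POLICY_TEXT = ("version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\n"
               "mx: *.backup.example.net\r\nmax_age: 604800\r\n")

def parse_txt_record(txt):
    """Return the policy id from a 'v=STSv1; id=...' record, or None if it is malformed."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    fields = {k.strip(): v.strip() for k, v in pairs}
    if fields.get("v") != "STSv1" or not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        return None
    return fields["id"]

def parse_policy(text):
    """Parse the 'key: value' policy file; raise ValueError on RFC 8461 field problems."""
    policy = {"mx": []}
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())   # several mx lines are allowed
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > 31557600:
        raise ValueError("max_age must be a non-negative integer no larger than 31557600")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx entry is required")
    policy["max_age"] = int(policy["max_age"])
    return policy

def mx_matches(pattern, hostname):
    """A leading '*.' matches exactly one DNS label, as with TLS wildcard certificates."""
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".backup.example.net"
        prefix = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
        return prefix != "" and "." not in prefix
    return hostname == pattern

def uncovered_mx(policy, mx_hosts):
    """Return the MX hostnames that no mx pattern in the policy covers (should be empty)."""
    return [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy["mx"])]
```

Run `uncovered_mx(parse_policy(POLICY_TEXT), mx_hosts)` against the hostnames from your domain's MX records: any host it returns would be refused by senders once the policy is in enforce mode.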