Message Transfer Agent Strict Transport Security (MTA-STS, RFC 8461) adds a layer of protection for email sent to your domain. You publish a policy that names the mail servers (MX hosts) allowed to receive for your domain and states that they support TLS; sending mail servers discover it through a `_mta-sts` TXT record and fetch it over HTTPS from `https://mta-sts.<your-domain>/.well-known/mta-sts.txt`. A sending server that honours the policy will only hand over mail on an SMTP connection secured with STARTTLS, and only when the receiving server presents a certificate that chains to a trusted CA and matches the MX hostname. In enforce mode the sender refuses delivery (queues or bounces the message) when those checks fail; in testing mode it delivers anyway and only reports the failure, which is how you roll the policy out without losing mail.
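As an added example (not code from the original page or from any particular mail server), here is the sending side of MTA-STS: parsing the `_mta-sts` TXT record and the policy file, applying the MX wildcard rule, honouring `max_age` for the cached copy, and deciding whether mail may be handed to a given MX host. The domain `example.com`, both records and the failure labels are constructed for illustration; the labels loosely follow TLS-RPT result types but are not an exhaustive list.

```python
"""Sender-side evaluation of an MTA-STS policy (RFC 8461).

Added example, not code from the original page or any MTA. The domain
example.com, the TXT record and the policy text below are constructed.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed inputs: what a sending MTA fetches for example.com.
# TXT record published at _mta-sts.example.com
STS_DNS_TXT = "v=STSv1; id=20240101T000000Z;"
# Policy file served at https://mta-sts.example.com/.well-known/mta-sts.txt
STS_POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


@dataclass
class StsPolicy:
    version: str
    mode: str
    mx: List[str] = field(default_factory=list)
    max_age: int = 0


def parse_sts_dns_record(txt: str) -> dict:
    """Parse the _mta-sts TXT record; a changed 'id' tells senders to refetch."""
    fields = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid MTA-STS TXT record")
    return fields


def parse_sts_policy(text: str) -> StsPolicy:
    """Parse the policy file: one 'key: value' per line, 'mx' may repeat."""
    policy = StsPolicy(version="", mode="")
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "version":
            policy.version = value
        elif key == "mode":
            policy.mode = value.lower()
        elif key == "mx":
            policy.mx.append(value.lower())
        elif key == "max_age":
            policy.max_age = int(value)
        # Unknown keys are ignored so future extensions do not break parsing.
    if policy.version != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.mode not in ("enforce", "testing", "none"):
        raise ValueError(f"unknown mode: {policy.mode}")
    if policy.mode != "none" and not policy.mx:
        raise ValueError("policy lists no mx hosts")
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """MX pattern matching: exact host, or '*.' covering exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if not host.endswith("." + suffix):
            return False
        # '*.backup.example.com' matches 'mx1.backup.example.com' only.
        return "." not in host[: -len(suffix) - 1]
    return pattern == host


def policy_is_fresh(fetched_at: int, policy: StsPolicy, now: int) -> bool:
    """A cached policy stays usable until fetched_at + max_age (seconds)."""
    return now < fetched_at + policy.max_age


@dataclass
class Decision:
    action: str  # "deliver" or "refuse"
    reason: str  # illustrative label for what failed, if anything


def evaluate_delivery(policy: StsPolicy, mx_host: str,
                      starttls_offered: bool, cert_valid: bool) -> Decision:
    """Decide whether mail may be handed to mx_host under the cached policy."""
    if policy.mode == "none":
        return Decision("deliver", "policy mode none")
    if not any(mx_matches(p, mx_host) for p in policy.mx):
        failure = "mx-not-in-policy"
    elif not starttls_offered:
        failure = "starttls-not-supported"
    elif not cert_valid:
        failure = "certificate-not-trusted"
    else:
        return Decision("deliver", "tls ok, mx permitted")
    if policy.mode == "enforce":
        return Decision("refuse", failure)
    # testing mode: deliver anyway; the failure is only reported via TLS-RPT
    return Decision("deliver", failure + " (testing mode, reported only)")
```

`cert_valid` stands in for the full check a real MTA performs (chain to a trusted CA, name matches the MX hostname, not expired); the point of the example is the decision flow, in particular that only `enforce` turns a failed check into a refusal.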

Because MTA-STS only helps if sending servers actually negotiate TLS, it is paired with SMTP TLS Reporting (TLS-RPT, RFC 8460). You publish a `_smtp._tls` TXT record with a reporting address, and the external servers that attempt to send mail to your domain return daily aggregate reports (JSON, usually gzipped and mailed to that address) stating how many connections succeeded, how many failed, and why: STARTTLS not offered, an untrusted or expired certificate, a policy that could not be fetched, and so on. Those reports are how you find a misconfigured MX host before switching the policy from testing to enforce.
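As an added example (not code from the original page or from any reporting tool), here is the receiving side of TLS-RPT: reading the `rua` address out of a `_smtp._tls` record and summarising an aggregate report per policy domain, by failure type and by MX host. The record, the report and every hostname, IP address and count in it are constructed for illustration.

```python
"""Parsing a TLS-RPT aggregate report (RFC 8460).

Added example, not code from the original page or any reporting tool. The
record, the report and all hostnames, IPs and counts in it are constructed.
"""
import json
from collections import Counter

# Constructed: TXT record published at _smtp._tls.example.com
TLSRPT_DNS_TXT = "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"

# Constructed aggregate report, as a sending MTA would mail to the rua
# address once a day (the RFC 8460 JSON structure).
SAMPLE_REPORT = json.dumps({
    "organization-name": "Sender Example Inc",
    "date-range": {"start-datetime": "2024-01-01T00:00:00Z",
                   "end-datetime": "2024-01-01T23:59:59Z"},
    "contact-info": "tls-reports@sender.example",
    "report-id": "2024-01-02T00:00:00Z_example.com",
    "policies": [
        {
            "policy": {
                "policy-type": "sts",
                "policy-string": ["version: STSv1", "mode: enforce",
                                  "mx: mail.example.com", "mx: mx2.example.com",
                                  "max_age: 604800"],
                "policy-domain": "example.com",
                "mx-host": ["mail.example.com", "mx2.example.com"],
            },
            "summary": {"total-successful-session-count": 5326,
                        "total-failure-session-count": 303},
            "failure-details": [
                {"result-type": "certificate-expired",
                 "sending-mta-ip": "198.51.100.15",
                 "receiving-mx-hostname": "mail.example.com",
                 "receiving-ip": "203.0.113.7",
                 "failed-session-count": 300},
                {"result-type": "starttls-not-supported",
                 "sending-mta-ip": "198.51.100.16",
                 "receiving-mx-hostname": "mx2.example.com",
                 "receiving-ip": "203.0.113.8",
                 "failed-session-count": 3},
            ],
        }
    ],
})


def parse_tlsrpt_dns_record(txt: str) -> list:
    """Return the reporting URIs (rua) from a _smtp._tls TXT record."""
    fields = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "TLSRPTv1" or "rua" not in fields:
        raise ValueError("not a valid TLS-RPT record")
    return [u.strip() for u in fields["rua"].split(",") if u.strip()]


def policy_mode(policy_string: list) -> str:
    """Extract 'mode' from the policy lines the reporter echoes back."""
    for line in policy_string:
        key, _, value = line.partition(":")
        if key.strip().lower() == "mode":
            return value.strip().lower()
    return "unknown"


def summarize_tlsrpt(report_json: str) -> dict:
    """Aggregate per policy domain: sessions, failures by type and by MX."""
    report = json.loads(report_json)
    summary = {}
    for entry in report["policies"]:
        pol = entry["policy"]
        domain = pol["policy-domain"]
        counts = entry.get("summary", {})
        by_type, by_mx = Counter(), Counter()
        for f in entry.get("failure-details", []):
            n = int(f.get("failed-session-count", 0))
            by_type[f.get("result-type", "unknown")] += n
            by_mx[f.get("receiving-mx-hostname", "?")] += n
        ok = int(counts.get("total-successful-session-count", 0))
        failed = int(counts.get("total-failure-session-count", 0))
        mode = "n/a"
        if pol.get("policy-type") == "sts":
            mode = policy_mode(pol.get("policy-string", []))
        summary[domain] = {
            "reporter": report.get("organization-name", "?"),
            "policy_type": pol.get("policy-type", "?"),
            "mode": mode,
            "successful": ok,
            "failed": failed,
            "failures_by_type": dict(by_type),
            "failures_by_mx": dict(by_mx),
            # Under enforce, every failed session is mail the sender did not deliver.
            "mail_refused": mode == "enforce" and failed > 0,
        }
    return summary
```

The `failures_by_mx` breakdown is the actionable part: in the constructed report it points at an expired certificate on `mail.example.com`, which under an enforce policy means that sender has been refusing to deliver to it.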


What it Protects

MTA-STS protects against the following threats:

  • Man-in-the-Middle attacks – an attacker positioned between two email servers reads or alters messages in transit and then passes them on to the recipient. MTA-STS requires a TLS connection with a certificate that validates for the MX hostname, so an interposed server cannot terminate the connection with a certificate of its own.
  • Downgrade attacks – opportunistic TLS in SMTP falls back to plaintext whenever STARTTLS is not offered, so an attacker who strips STARTTLS from the receiving server's response forces the session into the clear. With an enforce policy the sender refuses to deliver without TLS instead of falling back.
  • DNS spoofing attacks – the attacker answers the sender's MX lookup with the name of a server they control, so mail for your domain is routed to them. Because the MTA-STS policy lists the permitted MX hosts, is fetched over HTTPS rather than trusted from DNS, and is cached by the sender for max_age, a spoofed MX that is not in the policy is rejected.

To learn more about MTA-STS and other email security protocols, check out the resource page from our DMARC Bootcamp – five weeks of free online technical training focused on what DMARC is and how to implement it, including the basics of SPF and DKIM, options for DKIM key generation and signing, and other email security protocols that better protect your organization. All sessions are recorded and available for anyone to view.