MTA-STS: Elevating organizations' email security strategies

Email can be a weak spot for businesses, as it’s often targeted by cyberthreats like Man-in-the-Middle (MitM) and Simple Mail Transfer Protocol (SMTP) downgrade attacks. Luckily, strong email security methods like Mail Transfer Agent Strict Transport Security (MTA-STS) can help protect against these risks.

Learn how the protocol works and why it’s important for safe email communication.

MTA-STS protocols & commands

  • SMTP: This is the basic protocol for sending emails over the internet. SMTP handles the transmission of emails between servers, enabling messages to move from the sender’s email server to the recipient’s email server. While it’s essential for email delivery, it doesn’t have built-in security features, which makes emails vulnerable to interception.
  • Domain Name System (DNS): DNS helps transform domain names into IP addresses that computers use to identify each other on the network. It stores TXT records that contain information about a domain, such as the policies for MTA-STS, Domain-based Message Authentication, Reporting, and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM).
  • Transport Layer Security (TLS): TLS is important because it encrypts data sent via the internet to prevent others from reading it. TLS also secures web browsing and messaging, making it a key part of online safety.
  • STARTTLS: SMTP starts unencrypted. The STARTTLS command communicates to email servers that the email client wants to upgrade an insecure connection to a secure one using TLS.

Explaining MTA-STS

What is MTA-STS?

MTA-STS is a security protocol that, with the correct policy, increases the chance of emails sent over SMTP being encrypted using TLS. This helps prevent attackers from downgrading the connection to an unencrypted one, which is a risk with STARTTLS alone. By enforcing strong encryption, MTA-STS protects against common threats that would allow an attacker to read or manipulate email in transit, helping to keep emails secure during transmission.

How does it work?

MTA-STS lets domain owners publish a policy that tells sending SMTP servers that communication with this domain must be encrypted. The policy includes information such as:

  • How long the policy is valid for
  • If using TLS encryption is required or optional
  • How to report connection issues

The policy is shared in two ways: as a DNS TXT record and as a file on a web server. When one email server wants to send a message to another that uses MTA-STS, it first checks the recipient’s DNS TXT record for a policy. If found, it fetches the policy from the web server and follows the rules.

Testing vs. enforce mode

  • Testing mode: When MTA-STS is in testing mode, it validates connections but doesn’t enforce strict TLS requirements. Emails can still be delivered even if the recipient’s domain doesn’t use MTA-STS. The sender reports the failure through SMTP TLS Reporting (TLS-RPT), if that is enabled.
  • Enforce mode: In enforce mode, MTA-STS strictly applies the TLS requirements. If a sender doesn’t use TLS when communicating with this domain, the email won’t be delivered. This ensures strong security, but it needs to be set up and tested carefully before being enabled.

It’s usually a good idea to enforce the policy, but we suggest beginning with testing mode. This lets you analyze TLS Reports (TLS-RPT) to see how MTA-STS is behaving, so that any problems can be found and fixed before the policy is fully enforced.
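The two published pieces described above (the `_mta-sts` DNS TXT record and the well-known policy file) and the sender-side decision for each mode, as an added example in Python that is not from the article or from Sendmarc. The domain names, policy id and policy contents are constructed sample values, and the decision labels (`deliver`, `deliver-and-report`, `refuse`) are this example's own shorthand.

```python
# Constructed sample values (not from the article): the TXT record published at
# _mta-sts.<domain> and the policy file served at https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_TXT_RECORD = "v=STSv1; id=20240101T000000;"
SAMPLE_POLICY_FILE = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""
VALID_MODES = {"enforce", "testing", "none"}


def parse_txt_record(txt):
    # Returns the policy id (senders refetch the file when it changes), or None if invalid.
    fields = dict(f.strip().split("=", 1) for f in txt.split(";") if f.strip())
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def parse_policy(text):
    # Parses the well-known policy file; raises ValueError if it is malformed.
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)  # seconds a sender may cache the policy
        else:
            policy[key] = value
    if (policy.get("version") != "STSv1" or policy.get("mode") not in VALID_MODES
            or "max_age" not in policy or not policy["mx"]):
        raise ValueError("malformed MTA-STS policy")
    return policy


def mx_matches(policy, mx_host):
    # True if the MX host is listed; a "*." pattern matches exactly one leading label.
    host = mx_host.lower().rstrip(".")
    return any(host == p or (p.startswith("*.") and host.endswith(p[1:])
                             and host.count(".") == p.count(".")) for p in policy["mx"])


def delivery_decision(policy, mx_host, tls_ok):
    # tls_ok: the sender negotiated STARTTLS with a certificate valid for mx_host.
    compliant = tls_ok and mx_matches(policy, mx_host)
    if compliant or policy["mode"] == "none":
        return "deliver"
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"
```

In testing mode the same failed check still delivers the message, but the failure is what a TLS-RPT report would carry; in enforce mode it blocks delivery.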

Implementing MTA-STS strengthens email security by ensuring encrypted delivery and preventing attackers from intercepting messages. But what makes MTA-STS so effective, and how does it benefit your organization?

Discover the key features of MTA-STS and the benefits it brings to email security in our full article here.
