What is MTA-STS-TLS

MTA-STS-TLS is a security protocol that enables email servers to enforce Transport Layer Security (TLS) encryption and certificate validation when sending emails to other servers that support the protocol.

What is MTA-STS-TLS?

MTA-STS-TLS is a security protocol that enables email servers to enforce Transport Layer Security (TLS) encryption and certificate validation when sending emails to other servers that support the protocol. MTA-STS-TLS stands for Mail Transfer Agent Strict Transport Security over TLS, and it is defined in RFC 8461.

How does MTA-STS-TLS work?

MTA-STS-TLS works by allowing email servers to publish a policy that specifies how other servers should connect to them. The policy includes the following information:

  • The duration of the policy's validity
  • Whether TLS encryption is required or optional
  • Whether the server's certificate must match the domain name or be signed by a trusted authority
  • How to report any connection failures or policy violations

The policy is published in two ways: as a DNS TXT record and as a file hosted on a web server. The DNS TXT record contains a pointer to the web server where the policy file is located. The policy file is named .well-known/mta-sts.txt and it is formatted as a plain text file with key-value pairs.

When an email server wants to send an email to another server that supports MTA-STS-TLS, it first queries the DNS TXT record of the recipient domain to check if there is a policy available. If there is, it then fetches the policy file from the web server and follows the instructions in the policy. If the policy requires TLS encryption and certificate validation, the email server will only deliver the email if it can establish a secure and authenticated connection with the recipient server. If the policy is optional, the email server will try to use TLS encryption and certificate validation, but it will fall back to a plain text connection if it fails. If the policy is not available or expired, the email server will use its default settings for email delivery.


Why is MTA-STS-TLS important?

MTA-STS-TLS is important because it enhances the security and privacy of email communication. By enforcing TLS encryption and certificate validation, MTA-STS-TLS prevents attackers from intercepting, modifying, or spoofing emails in transit. This reduces the risk of phishing, malware, spam, and identity theft. MTA-STS-TLS also helps email servers to comply with the security standards and regulations of their industry or region.

What are the limitations of MTA-STS-TLS?

MTA-STS-TLS has some limitations that email servers and users should be aware of. Some of them are:

  • MTA-STS-TLS only applies to the connection between email servers, not between email clients and servers. Therefore, email clients and users still need to use other security measures, such as end-to-end encryption, to protect their emails from unauthorized access or tampering.
  • MTA-STS-TLS relies on the availability and integrity of the DNS and web servers that host the policy. If these servers are compromised, offline, or misconfigured, the policy may not be accessible or accurate, and the email delivery may be affected.
  • MTA-STS-TLS does not prevent email servers from accepting or sending emails that do not comply with the policy. For example, an email server may accept an email from a sender that does not use TLS encryption or certificate validation, or it may send an email to a recipient that does not support MTA-STS-TLS. Therefore, email servers and users still need to use other security mechanisms, such as SPF, DKIM, and DMARC, to verify the identity and authenticity of the email senders and recipients.

Purpose of MTA-STS:

  • The SMTP protocol, historically, lacked robust security measures. While Transport Layer Security (TLS) was introduced to encrypt SMTP communications, it remained optional and vulnerable to DNS tampering.
  • MTA-STS ensures that TLS is always used and provides a mechanism for sending servers to refuse delivery to servers lacking TLS support or trusted certificates.
  • Developed by industry companies in collaboration with the Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG), MTA-STS aims to bolster email security.

Testing vs. Enforce:

  • Testing Mode: When MTA-STS is in testing mode, it validates connections but doesn’t enforce strict TLS requirements. Email delivery occurs even if the recipient domain doesn’t support MTA-STS. This mode helps identify issues without disrupting email flow.
  • Enforce Mode: In enforce mode, MTA-STS strictly adheres to TLS requirements. If a recipient domain supports MTA-STS and the sender doesn’t, email delivery is refused. It ensures robust security but requires careful configuration and testing before enabling.

MTA-STS max-age Settings:

The max_age directive in MTA-STS policy specifies the maximum lifetime of the policy in seconds. Here are some key points about it:

  • Accepted Values: Any positive integer up to 31,557,600 seconds (which is equivalent to one year).
  • Example: You can set max_age to 604,800 seconds (which is one week).

The purpose of max_age is to determine how long servers should cache your MTA-STS policy before checking for a new one. Google, for instance, processes policies with a max_age higher than 86,400 seconds (one day). The maximum value for max_age is 31,557,600 seconds.

Choosing an appropriate max_age value is crucial. Here are some considerations:

  1. Shorter max_age:

    • Allows easier removal or changes of MTA-STS if interoperability issues arise.
    • Useful for large integrators that may not yet support MTA-STS but plan to in the future.
  2. Longer max_age:

    • Reduces the frequency of policy checks.
    • Provides better performance by minimizing the need for frequent policy updates.
    • However, it also means that any necessary policy changes take longer to propagate.

How does MTA-STS-TLS work with DMARC?

MTA-STS-TLS and DMARC complement each other in enhancing the security and privacy of email communication. MTA-STS-TLS protects the connection between email servers from interception and modification, while DMARC protects the content and header of the email from spoofing and phishing. By using both protocols, email servers and users can achieve a higher level of trust and confidence in their email communication.

Need Help?

support@sendmarc.com is standing by to assist!