Introduction
MTA-STS closes the gap between "TLS is available" and "TLS is required." Before MTA-STS, SMTP TLS was opportunistic — used when available, silently skipped when not. Attackers exploited the silence. MTA-STS makes the requirement explicit and enforceable.
Why this topic matters
DMARC stops spoofing. MTA-STS stops eavesdropping. Both are needed; neither replaces the other. For domains handling sensitive correspondence — invoicing, legal, healthcare — transport security is as important as identity authentication.
The specific attacks MTA-STS closes
STARTTLS stripping. An attacker on the path between sender and receiver removes the STARTTLS capability from the SMTP greeting. The sending server, not seeing TLS available, falls back to plaintext. Attacker reads (or modifies) the message.
Without MTA-STS, this attack works invisibly. With MTA-STS in enforce mode, the sender knows TLS is required and refuses to fall back.
MX hijacking via DNS attack. An attacker compromises DNS and injects a rogue MX record pointing to their server. The sender connects to the attacker. Without policy-pinning, the attacker can accept the mail and forward it (or not).
MTA-STS pins the legitimate MX hosts in its policy file; the rogue MX fails the policy check.
Certificate substitution. Without enforcement, sending servers accept self-signed or mismatched certificates. An attacker presenting a wrong cert succeeds. MTA-STS requires valid certs matching the MX hostnames.
What MTA-STS doesn't address
- Spoofed mail. That's DMARC's job.
- Phishing content. Authentication doesn't validate intent.
- Compromised mailboxes. TLS only protects in transit.
- Endpoint-level attacks. Once mail is at rest, MTA-STS is done.
The combination of DMARC, MTA-STS, and TLS-RPT covers identity, transport, and observability respectively.
Step-by-step approach to gaining the security
- Deploy TLS-RPT first. Visibility before enforcement.
- Verify MX hosts have valid certificates. Most enforcement failures trace to cert issues.
- Publish MTA-STS in testing mode. Failures reported, not blocked.
- Monitor for one week. Fix any failures.
- Move to enforce mode. Now blocking failures.
- Continue monitoring for new sender issues.
Best practices
- Test in testing mode first. Catches misconfigurations.
- Keep
max_agereasonable. 604800 (1 week) is typical. - Use HTTPS hosting with high uptime. Policy fetch failures cause enforcement gaps.
- Document certificate expiry. Cert expiry on MX hosts breaks enforcement.
- Audit MX configuration quarterly. Cert rotation, host changes.
Recommended next step
Verify your MX hosts have valid TLS certificates today. That's the prerequisite. If they do, MTA-STS is a 1-2 hour deployment.
FAQ
What if a sender doesn't support MTA-STS?
They connect normally without checking the policy. MTA-STS only affects supporting senders — which includes the major providers.
Does MTA-STS prevent endpoint-level eavesdropping?
No. It only protects in transit between mail servers.
Can I use MTA-STS without DANE?
Yes. They address overlapping concerns differently; MTA-STS doesn't require DNSSEC.
What if my MX certificate expires?
Enforcement fails for that host. Senders bounce mail. Watch cert expiry calendars.
Do all major providers honour MTA-STS?
Google, Microsoft, Yahoo do reliably. Smaller providers vary.
Final thoughts
MTA-STS converts opportunistic TLS into enforced TLS. The security gain is concrete: a class of in-transit attacks becomes operationally impossible against your domain.
The deployment is bounded and the steady state is light. For domains handling sensitive mail, it's a clear win.