Contenido de la página
Key takeaway:
Mail Transfer Agent Strict Transport Security (MTA-STS) is a modern email security standard that helps ensure messages sent to your organization’s domain are transmitted over encrypted channels. By enforcing Transport Layer Security (TLS), the standard protects against interception, tampering, and downgrade attacks.
MTA-STS is a security standard that, with the correct policy, instructs sending email servers to deliver messages only if a secure, encrypted TLS connection can be established with your business’s domain. If encryption fails, the message isn’t delivered – preventing it from being sent in plaintext and exposed to cyberthreats.
Why is it important?
The standard uses a DNS TXT record and a web server to publish and enforce your organization’s email security policy.
Here’s how the process works:
This closes security gaps found in older methods like STARTTLS, which could be downgraded or intercepted by cybercriminals.
Want to implement the standard properly? Book a demo with Sendmarc to find out how we streamline setup and ensure full compliance with email security best practices.
To successfully implement the standard, your business needs the following:
The DNS record is a TXT record published on a domain. This record tells email servers that your company’s domain supports the standard and where to find the policy file.
Host | Tipo | Valor |
---|---|---|
_mta-sts.yourdomain.com | TXT | v=STSv1; id=20250502T1314 |
v=STSv1
: Indicates the version of the standardid=
: A unique identifier that should change whenever the policy file is updatedYour organization’s policy file is a plain text document. This file contains the following required fields:
version
: The policy versionmode
: Can be enforce, testing, or nonemx
: One or more authorized Mail Exchange (MX) recordsmax_age
: The number of seconds sending servers can cache the policyversion
: STSv1mode
: enforcemx
: mail.yourdomain.commax_age
: 604 800Write your business’s policy using the recommended format and values.
Place the file at the necessary location. Ensure the web server supports HTTPS and is publicly accessible.
Add the TXT record to announce your company’s policy.
Enable TLS Reporting (TLS-RPT) to receive feedback about email delivery issues. Use this data to troubleshoot problems and update your organization’s policy as needed.
Want expert help setting up the standard? Book a demo with Sendmarc to simplify setup and ensure your business’s domain is fully protected.
Regularly checking your company’s setup ensures that its domain remains protected and compliant.
Use these key checkpoints:
When implementing the standard, your organization can choose how to host the policy file.
Email remains one of the most targeted communication channels by cybercriminals.
Implementing the standard strengthens domains by:
The MTA-STS DNS record is a TXT record. This record signals that your business supports the standard and directs email servers to the location of its security policy file.
MTA-STS works alongside Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to create a comprehensive email security strategy.
While SPF, DKIM, and DMARC authenticate the sender and protect against spoofing, MTA-STS secures the transport layer by enforcing encryption during email delivery.
The key components of the standard include a valid DNS TXT record, an HTTPS-hosted policy file, trusted TLS certificates for email servers, and the use of TLS-RPT for monitoring delivery issues.
MTA-STS offers three policy modes:
enforce
: Emails are only delivered if a secure TLS connection can be established.testing
: Reports issues but allows delivery even if TLS can’t be established.none
: No policy is enforced; the standard is effectively inactive.Sendmarc simplifies MTA-STS implementation by offering hosted solutions, expert guidance, automated monitoring, and integration with other protocols like SPF, DKIM, DMARC, and TLS-RPT to deliver complete email security.
Common issues with MTA-STS implementation include incorrect or missing DNS records, inaccessible policy files, TLS certificate mismatches, and failure to monitor or act on insights from TLS reports.