What is MTA-STS (Mail Transfer Agent Strict Transport Security)?

Key takeaway:

Mail Transfer Agent Strict Transport Security (MTA-STS) is a modern email security standard that helps ensure messages sent to your organization’s domain are transmitted over encrypted channels. By enforcing Transport Layer Security (TLS), the standard protects against interception, tampering, and downgrade attacks.

What is MTA-STS?

MTA-STS is a security standard through which your business’s domain publishes a policy instructing sending email servers to deliver messages only over a secure, encrypted TLS connection to the Mail Exchange (MX) hosts the policy names, each of which must present a publicly trusted certificate for its hostname. In enforce mode, if those conditions can’t be met the sending server doesn’t deliver: it queues the message and retries later rather than falling back to plaintext, where it would be exposed to cyberthreats.

Why is it important?

  • Prevents Man-in-the-Middle (MitM) and Simple Mail Transfer Protocol (SMTP) downgrade attacks, such as stripping the STARTTLS offer so that mail falls back to plaintext
  • Protects sensitive information in transit from interception or modification
  • Builds trust by signaling that your company enforces secure communication

How does MTA-STS work?

The standard uses two published artifacts: a DNS TXT record at _mta-sts.yourdomain.com and a policy file served over HTTPS at the fixed location https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. The TXT record announces that a policy exists and carries an id; the file holds the policy itself.

Here’s how the process works:

  1. Before delivering, the sending email server queries your business’s DNS for the TXT record at _mta-sts.yourdomain.com
  2. If the record is present (and its id differs from that of any policy the sender has cached), it fetches your company’s policy file over HTTPS, validating the web server’s certificate for mta-sts.yourdomain.com
  3. The sending server caches the policy for max_age seconds and applies it to every delivery: it connects only to MX hosts the policy lists, requires STARTTLS, and requires the MX host to present a certificate, trusted by a public CA, that matches the MX hostname. In enforce mode, a connection that fails any of these checks isn’t used; the message is queued and retried rather than sent in plaintext

This closes the gap in opportunistic STARTTLS, which MTA-STS builds on rather than replaces. Without a policy, a sender that can’t negotiate TLS (because a cybercriminal on the path stripped the STARTTLS offer) or that sees an untrusted certificate simply falls back to plaintext, and a forged MX answer can redirect mail to an attacker’s server. With a cached enforce policy, each of those becomes a delivery failure that is reported instead of a silently downgraded session.

Want to implement the standard properly? Book a demo with Sendmarc to find out how we streamline setup and ensure full compliance with email security best practices.

What are the requirements for MTA-STS?

To successfully implement the standard, your business needs the following:

  • An HTTPS-enabled web server, reachable as mta-sts.yourdomain.com with a certificate from a publicly trusted CA, to host the policy file
  • A DNS TXT record at _mta-sts.yourdomain.com to signal that a policy exists (the policy location itself is fixed at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt, so that hostname also needs a DNS entry)
  • Proper configuration and continuous monitoring (via TLS-RPT) to ensure the policy remains effective

Understanding the MTA-STS DNS record

The DNS record is a TXT record published at _mta-sts.yourdomain.com. This record tells sending servers that your company’s domain has an MTA-STS policy and, through its id value, whether that policy has changed since they last fetched it. It does not contain the policy itself; senders always fetch that from the fixed well-known HTTPS location.

Example DNS record:

  Host                       Type   Value
  _mta-sts.yourdomain.com    TXT    v=STSv1; id=20250502T1314

  • v=STSv1: Indicates the version of the standard; it must be the first field
  • id=: A unique identifier of 1 to 32 letters and digits that must change whenever the policy file is updated. Senders compare it with the id of the policy they have cached and re-fetch the file only when it differs, so a policy change without a new id isn’t picked up until the old policy’s max_age expires. A timestamp, as above, is a convenient choice

MTA-STS policy file: Configuration & best practices

Your organization’s policy file is a plain text document of key: value lines, one field per line. This file contains the following required fields:

  • version: The policy version; always STSv1
  • mode: Can be enforce, testing, or none
  • mx: An authorized Mail Exchange (MX) hostname; repeat the line for each MX. A leading wildcard (*.yourdomain.com) matches exactly one label, so it covers mx1.yourdomain.com but not yourdomain.com or a.b.yourdomain.com
  • max_age: The number of seconds sending servers can cache the policy, up to 31557600 (one year)

Sample policy (the file’s contents exactly as served):

    version: STSv1
    mode: enforce
    mx: mail.yourdomain.com
    max_age: 604800

Best practices:

  • Roll out in stages: publish with mode testing and a short max_age (an hour or a day) while TLS-RPT reports confirm that every sender reaches every MX over valid TLS, then switch to enforce and raise max_age to a week (604800) or more, so senders keep enforcing even if the policy server is briefly unreachable
  • Ensure the MX records and policy file are always in sync: every MX hostname in DNS must match an mx line, and every MX must offer STARTTLS with a certificate that is trusted by public CAs and valid for its hostname
  • Review and update the policy regularly, especially when making infrastructure changes, and change the id in the TXT record every time the file changes; an edited file with an unchanged id is invisible to senders holding a cached copy

MTA-STS setup: A step-by-step guide

Step 1: Create the policy file

Write your business’s policy using the recommended format and values.

Step 2: Host the policy file

Place the file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt, served as text/plain and without redirects (senders don’t follow them). Ensure the web server is publicly accessible over HTTPS with a certificate, issued by a publicly trusted CA, that covers mta-sts.yourdomain.com; a self-signed or expired certificate makes senders treat the policy as unavailable.

Step 3: Publish the DNS record

Add the TXT record _mta-sts.yourdomain.com with the value v=STSv1; id=<new id> to announce your company’s policy. Choose a fresh id (a timestamp works well) every time the policy file changes.

Step 4: Monitor & maintain

Enable TLS Reporting (TLS-RPT) by publishing a second TXT record, _smtp._tls.yourdomain.com with the value v=TLSRPTv1; rua=mailto:tlsrpt@yourdomain.com, so that sending servers send daily aggregate reports of delivery issues to that address. Use this data to troubleshoot problems (failures seen while still in testing mode are the ones to fix before moving to enforce) and update your organization’s policy as needed.
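To show what Step 4 produces, here is an added Python example, written for this article and not code from the page or from Sendmarc, that triages one TLS-RPT aggregate report. SAMPLE_REPORT is a constructed report in the RFC 8460 JSON layout, as it looks once the gzip attachment from a sender’s daily report mail is unpacked; the organisation, addresses and session counts are made up, and the function names are ours. It totals failures by result type and receiving MX, flags MX hosts that appear in failures but are not in the policy’s mx list, and, for a policy still in testing mode, counts the sessions that enforce mode would have refused.

```python
"""Triage of a TLS-RPT aggregate report (RFC 8460) for an MTA-STS domain.
Added example for this article, not code from the page or from Sendmarc.
SAMPLE_REPORT is constructed (its fields follow the RFC 8460 JSON layout);
the organisation, addresses and counts are made up; function names are ours."""
import json
from collections import Counter

# Result types that are MTA-STS violations: under mode enforce, a sender
# refuses to deliver the sessions counted against them.
STS_VIOLATIONS = {
    "starttls-not-supported", "certificate-host-mismatch", "certificate-expired",
    "certificate-not-trusted", "validation-failure", "sts-policy-fetch-error",
    "sts-policy-invalid", "sts-webpki-invalid",
}

# Constructed report, as it would look after the gzip attachment is unpacked.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender Inc.",
    "date-range": {"start-datetime": "2025-05-02T00:00:00Z",
                   "end-datetime": "2025-05-02T23:59:59Z"},
    "contact-info": "tlsrpt@sender.example",
    "report-id": "2025-05-02T00:00:00Z_yourdomain.com",
    "policies": [{
        "policy": {
            "policy-type": "sts",
            "policy-string": ["version: STSv1", "mode: testing",
                              "mx: mail.yourdomain.com", "max_age: 604800"],
            "policy-domain": "yourdomain.com",
            "mx-host": ["mail.yourdomain.com"],
        },
        "summary": {"total-successful-session-count": 5326,
                    "total-failure-session-count": 303},
        "failure-details": [
            {"result-type": "certificate-expired", "sending-mta-ip": "2001:db8:abcd:12::1",
             "receiving-mx-hostname": "mail.yourdomain.com", "failed-session-count": 100},
            {"result-type": "starttls-not-supported", "sending-mta-ip": "2001:db8:abcd:13::1",
             "receiving-mx-hostname": "mx2.yourdomain.com", "receiving-ip": "203.0.113.26",
             "failed-session-count": 200},
            {"result-type": "validation-failure", "sending-mta-ip": "198.51.100.2",
             "receiving-mx-hostname": "mail.yourdomain.com", "receiving-ip": "203.0.113.25",
             "failed-session-count": 3,
             "failure-reason-code": "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY"},
        ],
    }],
})


def policy_mode(policy_string) -> str:
    """Read 'mode' back out of the policy lines the sender echoes in the report."""
    for line in policy_string:
        key, _, value = line.partition(":")
        if key.strip() == "mode":
            return value.strip()
    return "unknown"


def triage_report(report_json: str) -> dict:
    """Per sts policy: sessions by result type and MX, MX hosts the policy does
    not list, and how many sessions enforce mode would have refused."""
    out = {}
    for entry in json.loads(report_json)["policies"]:
        policy = entry["policy"]
        if policy.get("policy-type") != "sts":  # skip DANE / no-policy-found entries
            continue
        by_type, by_mx, unlisted = Counter(), Counter(), set()
        for fail in entry.get("failure-details", []):
            n = fail["failed-session-count"]
            by_type[fail["result-type"]] += n
            mx = fail.get("receiving-mx-hostname", "<unknown>")
            by_mx[mx] += n
            # exact comparison only; wildcard mx-host patterns are not expanded here
            if mx not in policy.get("mx-host", []):
                unlisted.add(mx)
        summary = entry["summary"]
        out[policy["policy-domain"]] = {
            "mode": policy_mode(policy.get("policy-string", [])),
            "successful": summary["total-successful-session-count"],
            "failed": summary["total-failure-session-count"],
            "by_result_type": dict(by_type),
            "by_mx": dict(by_mx),
            "unlisted_mx": sorted(unlisted),
            "enforce_would_refuse": sum(c for t, c in by_type.items() if t in STS_VIOLATIONS),
        }
    return out


def print_triage(report_json: str) -> None:
    """Human-readable summary of triage_report, one block per policy domain."""
    for domain, info in triage_report(report_json).items():
        print(f"{domain} (mode {info['mode']}): {info['successful']} ok, {info['failed']} failed")
        for rtype, n in sorted(info["by_result_type"].items(), key=lambda kv: -kv[1]):
            print(f"  {n:>6}  {rtype}")
        if info["unlisted_mx"]:
            print("  MX hosts not in policy:", ", ".join(info["unlisted_mx"]))
        if info["mode"] == "testing" and info["enforce_would_refuse"]:
            print(f"  {info['enforce_would_refuse']} sessions would have been refused under enforce")


if __name__ == "__main__":
    print_triage(SAMPLE_REPORT)
```

Run the file directly to print the summary. In this constructed report the 200 starttls-not-supported sessions are all against mx2.yourdomain.com, a host the policy doesn’t list: that is exactly the kind of finding to resolve (add the host to the policy and fix its STARTTLS, or retire it) before switching from testing to enforce, since every one of those sessions would otherwise become a refused delivery.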

Want expert help setting up the standard? Book a demo with Sendmarc to simplify setup and ensure your business’s domain is fully protected.

MTA-STS check: Verifying implementation

Regularly checking your company’s setup ensures that its domain remains protected and compliant.

Use these key checkpoints:

  • The TXT record at _mta-sts.yourdomain.com is published, correctly formatted, and its id was changed with the last policy edit
  • The policy file is accessible at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt over HTTPS with a publicly trusted certificate, served as text/plain without redirects
  • The policy’s mx lines match the domain’s actual MX records, and each MX offers STARTTLS with a valid certificate for its hostname
  • TLS reports are being received at the TLS-RPT address and reviewed for failures
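The checkpoints above, and the sender-side process described under "How does MTA-STS work?", can be exercised offline. The following Python is an added example written for this article, not code from the page or from Sendmarc: it parses the _mta-sts TXT record and the policy file (rejecting the malformed values a sender would reject), applies RFC 8461’s MX matching including the one-label wildcard, lists MX hosts a policy fails to cover, and models the deliver-or-refuse decision a sender makes in each mode. The record, policy text, domain and MX hostnames are constructed inputs and the function names are ours; it performs no DNS lookups or HTTPS fetches.

```python
"""Sender-side MTA-STS logic (RFC 8461), modelled offline.
Added example for this article, not code from the page or from Sendmarc.
Record, policy, domain and MX names are constructed; function names are ours."""
import re
from dataclasses import dataclass

MAX_AGE_LIMIT = 31_557_600  # one year, the ceiling RFC 8461 allows for max_age
_ID_RE = re.compile(r"[A-Za-z0-9]{1,32}")

# Constructed inputs: the article's sample record and policy, plus a wildcard MX.
SAMPLE_TXT = "v=STSv1; id=20250502T1314"
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.yourdomain.com
mx: *.backup.yourdomain.com
max_age: 604800
"""


@dataclass
class Policy:
    version: str
    mode: str
    max_age: int
    mx: list


def parse_sts_txt(txt: str) -> dict:
    """Parse _mta-sts TXT data: 'v=STSv1' comes first, id is 1-32 alphanumerics."""
    if not txt.lstrip().startswith("v=STSv1"):
        raise ValueError("record must start with v=STSv1")
    fields = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field {part!r}")
        fields[key.strip()] = value.strip()
    if not _ID_RE.fullmatch(fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


def parse_policy(text: str) -> Policy:
    """Parse the 'key: value' policy file fetched from the well-known URL."""
    version = mode = max_age = None
    mx = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, sep, value = (s.strip() for s in raw.partition(":"))
        if not sep:
            raise ValueError(f"malformed line {raw!r}")
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "max_age":
            max_age = int(value)  # '604 800' (with a space) is rejected here
        elif key == "mx":
            mx.append(value.lower().rstrip("."))
        # other keys are ignored so future extensions do not break senders
    if version != "STSv1":
        raise ValueError("version must be STSv1")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"unknown mode {mode!r}")
    if max_age is None or not 0 <= max_age <= MAX_AGE_LIMIT:
        raise ValueError("max_age must be 0..31557600 seconds")
    if mode != "none" and not mx:
        raise ValueError("enforce/testing policies need at least one mx line")
    return Policy(version, mode, max_age, mx)


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 matching: exact name, or a leading '*' for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if p[0] == "*":
        return len(h) == len(p) and h[1:] == p[1:]
    return h == p


def uncovered_mx(policy: Policy, mx_hosts) -> list:
    """Verification check: MX hosts from DNS that no mx line in the policy covers."""
    return [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy.mx)]


def delivery_decision(policy: Policy, mx_host: str, starttls_offered: bool,
                      cert_valid_for_host: bool):
    """A sender's choice for one MX under this policy -> (deliver?, reason).
    Problems are reported via TLS-RPT in every mode; only 'enforce' refuses
    delivery (the sender queues and retries, then bounces). Labels are ours."""
    problems = []
    if not any(mx_matches(p, mx_host) for p in policy.mx):
        problems.append("mx-not-in-policy")
    if not starttls_offered:
        problems.append("starttls-not-supported")
    elif not cert_valid_for_host:
        problems.append("certificate-not-valid")
    if not problems:
        return True, "ok"
    if policy.mode == "enforce":
        return False, "refused: " + ", ".join(problems)
    return True, "delivered, reported: " + ", ".join(problems)
```

Feeding parse_policy the article’s earlier "604 800" spelling raises ValueError, which is the behaviour to expect from a real sender: an unparsable policy is treated as no policy, and in the meantime the domain is not protected. The delivery_decision function is also the cheapest way to reason about a planned change: run the current MX list and the intended policy through uncovered_mx before switching to enforce, because any host it returns is one that senders would refuse to talk to.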

MTA-STS hosting: Options & considerations

When implementing the standard, your organization can choose how to host the policy file.

Hosting options

  1. On-premises: Host the policy on your business’s HTTPS-enabled web server. This gives your company full control but requires manual management of certificates.
  2. With a provider: Use a hosted solution that handles file delivery, certificate renewals, and monitoring – reducing operational strain.

Key considerations

  • Reliability of the HTTPS server
  • TLS certificate management and timely renewals
  • Integration with email infrastructure to ensure the policy accurately reflects the current MX records

The importance of MTA-STS

Email remains one of the most targeted communication channels by cybercriminals.

Implementing the standard strengthens domains by:

  • Preventing the interception and tampering of sensitive communications in transit
  • Supporting compliance and data protection requirements
  • Enhancing email deliverability by building trust with email servers
  • Showing a proactive cybersecurity approach to partners and stakeholders

MTA-STS: FAQs

What is MTA-STS, and why is it important?
Mail Transfer Agent Strict Transport Security (MTA-STS) is an email security standard that enforces encrypted delivery to your organization’s domain. It is important because it protects against interception, tampering, and downgrade attacks by requiring secure TLS connections from email servers.

What is the MTA-STS DNS record?
The MTA-STS DNS record is a TXT record at _mta-sts.yourdomain.com. It signals that your business has published a policy and carries an id that tells email servers when the policy has changed; the policy file itself always lives at the fixed HTTPS location https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.

Is MTA-STS necessary?
Yes, MTA-STS is necessary for companies that prioritize email security and compliance. It helps prevent cyberattacks on email by ensuring messages are only delivered over encrypted channels.

How does MTA-STS relate to SPF, DKIM, and DMARC?
MTA-STS works alongside Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to create a comprehensive email security strategy.

While SPF, DKIM, and DMARC authenticate the sender and protect against spoofing, MTA-STS secures the transport layer by enforcing encryption during email delivery.

What are the key components of MTA-STS?
The key components of the standard include a valid DNS TXT record, an HTTPS-hosted policy file, trusted TLS certificates for email servers, and the use of TLS-RPT for monitoring delivery issues.

What is an MTA-STS policy file?
An MTA-STS policy file is a plain text file hosted over HTTPS. It defines your company’s policy for accepting inbound email over secure connections.

What are the MTA-STS policy modes?
MTA-STS offers three policy modes:

  • enforce: Emails are only delivered if a secure TLS connection can be established.
  • testing: Reports issues but allows delivery even if TLS can’t be established.
  • none: No policy is enforced; the standard is effectively inactive.

How can I check my MTA-STS implementation?
Your organization can check MTA-STS implementation by verifying that its DNS record is published, its policy file is accessible over HTTPS, and TLS reports are being received and reviewed for potential issues.

What is TLS-RPT?
TLS Reporting (TLS-RPT) is a companion protocol to MTA-STS. It provides daily feedback on delivery issues and security failures, allowing your business to monitor and improve its cybersecurity based on real-world data.

What do I need to implement MTA-STS?
To implement MTA-STS, your company needs TLS-enabled email servers, valid and publicly trusted TLS certificates, an HTTPS web server to host the policy file, and access to its DNS to publish the TXT record.

How does Sendmarc help with MTA-STS?
Sendmarc simplifies MTA-STS implementation by offering hosted solutions, expert guidance, automated monitoring, and integration with other protocols like SPF, DKIM, DMARC, and TLS-RPT to deliver complete email security.

What are common issues with MTA-STS implementation?
Common issues with MTA-STS implementation include incorrect or missing DNS records, inaccessible policy files, TLS certificate mismatches, and failure to monitor or act on insights from TLS reports.

Ready to secure your organization’s domain?

Book a demo with Sendmarc.