MTA-STS (Mail Transfer Agent Strict Transport Security)

Last updated: 2026-01-14 | RFC verified

Summary

MTA-STS forces TLS encryption for email transmission between mail servers. It prevents downgrade attacks and man-in-the-middle interception by requiring encrypted connections, using a policy that the receiving domain publishes via DNS and HTTPS.

What Is MTA-STS (Mail Transfer Agent Strict Transport Security)?

MTA-STS (RFC 8461) ensures email is transmitted over encrypted TLS connections between mail servers. Unlike opportunistic TLS, MTA-STS enforces encryption through a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.

Why MTA-STS (Mail Transfer Agent Strict Transport Security) Matters for Email & DNS Security

Without MTA-STS, email can be downgraded to unencrypted transmission through STARTTLS stripping attacks, after which an attacker can read sensitive emails, modify messages, or harvest credentials. According to IntoDNS data, MTA-STS adoption remains low at approximately 8% of domains, despite its critical role in preventing man-in-the-middle attacks. MTA-STS also supports compliance requirements for protecting data in transit (GDPR, HIPAA).

How MTA-STS (Mail Transfer Agent Strict Transport Security) Works (Technical)

  1. The sending server queries DNS for a TXT record at _mta-sts.yourdomain.com.
  2. The TXT record contains v=STSv1; id=<policy version>; the id changes whenever the policy changes.
  3. The sender fetches the policy from https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.
  4. The policy specifies the mode (enforce/testing), the permitted mx servers, and max_age.
  5. The sender validates that the MX hostname matches an mx entry in the policy.
  6. The sender requires TLS; in enforce mode, delivery fails if TLS or the MX match cannot be validated.
  7. The policy is cached for the max_age duration.

Common Misconfigurations

mode: testing instead of enforce

Consequence: No protection - monitoring only

How IntoDNS detects this: IntoDNS recommends enforce for production

Policy not served over HTTPS

Consequence: MTA-STS validation fails

How IntoDNS detects this: IntoDNS validates HTTPS accessibility

MX hostname mismatch

Consequence: Legitimate mail rejected

How IntoDNS detects this: IntoDNS compares MX with policy mx: entries

How IntoDNS.ai Detects & Scores This

IntoDNS validates MTA-STS DNS record, HTTPS policy file accessibility, policy mode strength, MX hostname alignment, max_age configuration, and certificate validity. MTA-STS accounts for 10% of email security score.

How To Fix MTA-STS (Mail Transfer Agent Strict Transport Security) Issues

  1. Create the policy: mode: enforce, mx: mail.domain.com, max_age: 86400
  2. Host it at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
  3. Ensure a valid HTTPS certificate
  4. Create the DNS TXT record: _mta-sts.yourdomain.com → v=STSv1; id=20240101
  5. Start with mode: testing and monitor for 2 weeks
  6. Update to mode: enforce
  7. Set max_age to 1 year once stable
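The steps in "How MTA-STS Works" and the fix procedure above both come down to three artifacts a sender evaluates: the _mta-sts TXT record, the policy file, and the match between the domain's MX hosts and the policy's mx: patterns. The following checker is an added example written for this page, not IntoDNS code; it parses both artifacts per RFC 8461, flags the three misconfigurations listed in "Common Misconfigurations", and models the sender's delivery decision in enforce versus testing mode. The domain names, TXT record and policy body are constructed sample data.

```python
"""Offline MTA-STS checker (RFC 8461).

Added example, not IntoDNS code: parses the _mta-sts TXT record and the
policy file, matches MX hosts against policy mx: patterns, and models the
sender's delivery decision. All sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

VALID_MODES = {"enforce", "testing", "none"}

@dataclass
class Policy:
    mode: str
    mx: List[str]
    max_age: int

def parse_txt_record(record: str) -> Dict[str, str]:
    """Parse 'v=STSv1; id=20240101'; the id changes whenever the policy does."""
    pairs = [p.strip().partition("=") for p in record.split(";") if p.strip()]
    fields = {k.strip(): v.strip() for k, _, v in pairs}
    if fields.get("v") != "STSv1" or not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("expected v=STSv1 and a 1-32 character alphanumeric id")
    return fields

def parse_policy(text: str) -> Policy:
    """Parse the mta-sts.txt body: mx: lines accumulate, other keys are single-valued."""
    fields: Dict[str, str] = {}
    mx: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower().rstrip("."))
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("policy must declare version: STSv1")
    mode = fields.get("mode", "")
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {sorted(VALID_MODES)}")
    if not re.fullmatch(r"[0-9]+", fields.get("max_age", "")):
        raise ValueError("max_age must be a non-negative integer (seconds)")
    if mode != "none" and not mx:
        raise ValueError("enforce/testing policies need at least one mx: entry")
    return Policy(mode=mode, mx=mx, max_age=int(fields["max_age"]))

def mx_matches(pattern: str, hostname: str) -> bool:
    """RFC 8461 mx matching: '*.example.com' covers exactly one extra left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]
        return bool(label) and "." not in label
    return pattern == hostname

def lint(policy: Policy, dns_mx: List[str], policy_url: str) -> List[str]:
    """Flag the misconfigurations listed on this page, in the page's order."""
    findings: List[str] = []
    if policy.mode == "testing":
        findings.append("mode: testing gives no protection, monitoring only")
    if not policy_url.lower().startswith("https://"):
        findings.append("policy not served over HTTPS: validation fails")
    for host in dns_mx:
        if not any(mx_matches(p, host) for p in policy.mx):
            findings.append(f"MX {host} has no matching policy mx: entry")
    return findings

def delivery_decision(policy: Policy, mx_host: str, tls_ok: bool) -> str:
    """Step 6 from the sender's side: tls_ok means TLS negotiated with a
    certificate valid for mx_host."""
    covered = any(mx_matches(p, mx_host) for p in policy.mx)
    if covered and tls_ok:
        return "deliver"
    if policy.mode == "enforce":
        return "defer"  # RFC 8461: do not deliver; treat as a transient failure and retry
    return "deliver"  # testing/none: deliver anyway and report the failure (TLSRPT)

# Constructed sample data; example.com/example.net are documentation domains.
SAMPLE_TXT = "v=STSv1; id=20240101"
SAMPLE_URL = "https://mta-sts.example.com/.well-known/mta-sts.txt"
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""
SAMPLE_DNS_MX = ["mail.example.com", "mx2.backup.example.com", "relay.example.net"]

if __name__ == "__main__":
    parse_txt_record(SAMPLE_TXT)
    policy = parse_policy(SAMPLE_POLICY)
    for finding in lint(policy, SAMPLE_DNS_MX, SAMPLE_URL):
        print("finding:", finding)
    print(delivery_decision(policy, "relay.example.net", tls_ok=True))
```

Run against the sample data, the only finding is the third MX (relay.example.net), which no mx: pattern covers; under mode: enforce a sender connecting to that host defers the message, which is the "legitimate mail rejected" case from the misconfiguration list. Swap the mode to testing and the same mismatch is only reported, not enforced, which is why the fix procedure moves to enforce only after the monitoring period.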

References

Source: IntoDNS.ai – DNS & email security diagnostics

Category: security