What Is MTA-STS?

MTA-STS, which stands for Mail Transfer Agent Strict Transport Security, is an email standard that secures inbound email and prevents attackers from exploiting a weakness in standard SMTP security: opportunistic STARTTLS can be silently downgraded to plain text. At its core, MTA-STS is a combination of running all of your email servers with Transport Layer Security (TLS), having valid publicly-trusted certificates for those servers, a published DNS record, and a plain-text policy file served over HTTPS. Once implemented, MTA-STS actively enhances the security of inbound email to your domain against attackers looking to intercept unsecured messages.

Why Should I Set Up MTA-STS Now?

At its most basic level, MTA-STS elevates the security of inbound email sent to your domain(s) by ensuring that 1) only messages that are TLS encrypted are delivered and 2) those messages can only be delivered to the email servers published in the MTA-STS policy. When MTA-STS is enabled for your domain, it requests that external servers send messages to your domain only when the SMTP connection is authenticated with a valid public certificate AND encrypted with TLS 1.2 or higher. Once you select a provider's MTA-STS policy, messages sent from your domain to external servers will comply with the standard and improve delivery.

Those two key benefits ensure that inbound email to your business is not downgraded to plain text and intercepted by attackers before it is relayed to you. Just as DMARC provides a domain with outbound email protection, MTA-STS provides a domain with inbound protection. Having both DMARC and MTA-STS policies published and enforced gives your domain optimum security and boosts email deliverability.

Popular email providers, such as Gmail (in 2019) and Outlook (in 2022), now support MTA-STS for all senders by default.

To check a domain or hostname for an MTA-STS DNS TXT record, use MxToolbox's free MTA-STS Lookup tool to see your MTA-STS status.

How Do I Set Up MTA-STS?

To implement MTA-STS for your domain(s), you must do the following:

  1. Add an A or CNAME type DNS record at mta-sts.[domain] that points to the HTTPS-enabled web server serving the MTA-STS policy file.
  2. Add a TXT or CNAME type DNS record at _mta-sts.[domain] that indicates the use of MTA-STS, and update its ID value on every policy change.
  3. Set up an HTTPS-enabled web server with a valid certificate for mta-sts.[domain] to serve the policy file.
  4. (Optional/Recommended) Enable SMTP TLS reporting through a TXT or CNAME record held at _smtp._tls.[domain]. Set the policy Mode to Testing.

MxToolbox recommends setting up your domain(s) with MTA-STS by creating the two DNS records mentioned above and the MTA-STS policy file with the Mode set to Testing, as this ensures that your email will not be impacted until you are confident all pieces of MTA-STS are implemented correctly. To test your setup, use our free public MTA-STS Lookup Tool.
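To see how the pieces above fit together, here is an added example (not MxToolbox's tool or code) that parses a constructed `_mta-sts` TXT record and a constructed policy file for a hypothetical example.com, reports the mistakes most often made when setting the records up (stale or non-alphanumeric id, invalid mode, missing mx or max_age), and checks whether a given MX hostname is covered by the policy, including the rule that a `*.` wildcard matches exactly one leftmost label.

```python
# Constructed sample data for a hypothetical example.com, not real DNS records.
STS_TXT = "v=STSv1; id=20240315T120000;"
POLICY = """version: STSv1
mode: testing
mx: mail1.example.com
mx: *.example.net
max_age: 604800
"""

def parse_tag_record(txt):
    """'v=STSv1; id=...;' -> {'v': 'STSv1', 'id': '...'}"""
    pairs = (p.strip() for p in txt.split(";") if p.strip())
    return dict(p.split("=", 1) for p in pairs)

def parse_policy(text):
    """'key: value' lines -> dict; 'mx' may repeat, so it is collected in a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key:
            policy[key] = value
    return policy

def validate(sts_txt, policy_text):
    """Return a list of problems; an empty list means the record and policy agree."""
    rec, pol, problems = parse_tag_record(sts_txt), parse_policy(policy_text), []
    if rec.get("v") != "STSv1":
        problems.append("_mta-sts TXT record must carry v=STSv1")
    if not (rec.get("id", "").isalnum() and len(rec["id"]) <= 32):
        problems.append("id must be 1-32 alphanumerics; change it whenever the policy changes")
    if pol.get("version") != "STSv1":
        problems.append("policy file must declare version: STSv1")
    if pol.get("mode") not in ("testing", "enforce", "none"):
        problems.append("mode must be testing, enforce or none")
    if not pol["mx"] or not pol.get("max_age", "").isdigit():
        problems.append("policy needs at least one mx line and an integer max_age")
    return problems

def mx_allowed(policy_text, hostname):
    """True if hostname matches an mx entry; '*.' matches exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for pat in parse_policy(policy_text)["mx"]:
        if host == pat or (pat.startswith("*.") and host.split(".", 1)[1:] == [pat[2:]]):
            return True
    return False
```

Run `validate(STS_TXT, POLICY)` against your own record and policy text before switching the mode from testing to enforce; any MX host for which `mx_allowed` returns False will be refused by senders once enforcement is on.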
