
Introduction to MTA-STS

MTA-STS (Mail Transfer Agent Strict Transport Security), much as the name suggests, is a protocol that enforces encrypted transport of messages between two SMTP mail servers. It tells sending servers that emails should only be sent over a TLS-encrypted connection, and should not be delivered at all if a secure connection cannot be established via the STARTTLS command.

By enhancing the security of emails in transit, MTA-STS helps mitigate Man-In-The-Middle (MITM) attacks such as SMTP downgrade attacks and DNS spoofing attacks.

How Does MTA-STS Ensure Encryption of Messages in Transit?

Let’s take a simple example to understand how messages get encrypted during email flow. If an MTA is sending an email to example@powerdmarc.com, it first performs a DNS query to find out which MTAs the email must be delivered to: the DNS request fetches the MX records of powerdmarc.com.

The sending MTA then connects to the receiving MTA found in the DNS result and asks, via the STARTTLS command, whether that server supports TLS encryption. If it does, the email is sent over an encrypted connection; if it does not, the sending MTA fails to negotiate a secure connection and falls back to sending the email in plaintext.

Ensuring Encryption with MTA-STS

Whenever you send emails through the SMTP server of an email service provider such as Gmail or Microsoft, the emails travel from the sending server to the receiving server over the Simple Mail Transfer Protocol (SMTP). However, SMTP only offers opportunistic encryption: the communication between SMTP servers may or may not be encrypted, so email content is not reliably protected against manipulation or eavesdropping. MTA-STS addresses this by publishing its policy over HTTPS, which protects the policy itself against MITM attacks.

MTA-STS secures email delivery by: 

  • Enforcing TLS encryption
  • Serving the list of permitted MX hosts from an HTTPS-secured server
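As an added example (not part of this course page), here is a small Python evaluator of the two MTA-STS artifacts described above, following RFC 8461: the DNS TXT record at `_mta-sts.<domain>` and the policy file served from `https://mta-sts.<domain>/.well-known/mta-sts.txt`. It goes slightly beyond the text by handling the policy's `testing` mode and the rule that an `mx` wildcard matches exactly one host label; the domain example.com, the record and the policy text are constructed samples.

```python
# Added example (not from the original course page): a minimal evaluator of an
# MTA-STS policy as defined in RFC 8461. The DNS record and policy text below
# are constructed samples for the hypothetical domain example.com.

# Constructed sample of the DNS TXT record published at _mta-sts.example.com
SAMPLE_TXT = "v=STSv1; id=20240101T000000"

# Constructed sample of https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


def parse_sts_txt(txt):
    """Parse the DNS TXT record; return the policy id, or None if it is not STSv1."""
    fields = dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def parse_policy(text):
    """Parse the HTTPS-served policy file into a dict; 'mx' collects all MX patterns."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS policy")
    return policy


def _mx_match(pattern, host):
    # RFC 8461: a leading '*' matches exactly one leftmost label, nothing deeper
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def mx_permitted(policy, mx_host):
    """True if the MX host learned from DNS matches an 'mx' entry of the policy."""
    return any(_mx_match(p, mx_host.lower()) for p in policy["mx"])


def should_deliver(policy, mx_host, tls_ok):
    """Enforce mode: deliver only to a listed MX over a successful TLS session.
    Testing/none mode: deliver anyway (testing mode only reports the failure)."""
    if policy["mode"] != "enforce":
        return True
    return mx_permitted(policy, mx_host) and tls_ok
```

A real sender must also verify that the MX host's certificate is valid for that name; `tls_ok` stands in for that check here.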
Course: Advanced Email Authentication Course