Prolateral Consulting Ltd
Prolateral Consulting Ltd
Knowledgebase Articles
Setup examples

Prolateral offers primary and backup domain (DNS) services, with servers in key geographic locations providing the best service possible.

Frequently asked questions about MTA-STS

Do you find yourself asking, "What is MTA-STS?" and "Do I need MTA-STS?"

If so, don't worry you're not alone. In this page we will try to address questions on MTA-STS. What is it? How do I set it up?

Where DKIM, SPF and DMARC are tools to aid the deliverability of emails you're sending outbound, MTA-STS is a tool for your receiving emails. Its a method of telling those email servers that want to send email to you what level of security and encryption are acceptable.

Still confused? If so below we've compiled a list of frequently asked questions (FAQ) along with some answers.

MTA-STS (Mail Transfer Agent - Strict Transport Security) is a protocol designed to enhance email security by enforcing strict encryption policies for inbound email delivery.

It works by allowing domain owners to publish a policy specifying the security standards that receiving email servers must adhere to when communicating with their domain's mail servers. These standards typically include requirements for Transport Layer Security (TLS) encryption and certificate validation.

By implementing MTA-STS, domain owners can mitigate the risk of man-in-the-middle attacks and other forms of interception by ensuring that all email exchanges with their domain are encrypted and authenticated. This helps prevent unauthorised access to sensitive information contained within email communications.

MTA-STS, or Mail Transfer Agent - Strict Transport Security, serves several key functions to enhance email security:

    • Enforces Encryption: MTA-STS mandates the use of Transport Layer Security (TLS) encryption for email communication between mail servers. This ensures that messages exchanged between sender and recipient domains are encrypted, mitigating the risk of interception and unauthorised access.
    • Validates Certificates: MTA-STS requires that receiving mail servers validate the SSL/TLS certificates presented by sending servers. This validation helps prevent man-in-the-middle attacks, where an attacker intercepts and potentially alters email traffic between servers.
    • Establish Secure Channels: By enforcing TLS encryption and certificate validation, MTA-STS helps establish secure communication channels between email servers. This protects sensitive information transmitted via email from being exposed to unauthorised parties.
    • Prevents Downgrade Attacks: MTA-STS policies specify the minimum acceptable TLS version and cryptographic algorithms for secure communication. This prevents attackers from downgrading the encryption level to weaker protocols, strengthening the overall security of email exchanges.
    • Enhances Trust: Implementing MTA-STS demonstrates a commitment to email security by domain owners. It instills confidence in recipients that communications originating from these domains are transmitted securely, reducing the likelihood of phishing attacks and other forms of email fraud.

MTA-STS plays a crucial role in bolstering the security of email infrastructure by enforcing encryption standards and mitigating potential vulnerabilities in email transmission protocols.

Setting up MTA-STS involves several steps:

  • Generate SSL/TLS Certificate: Obtain a valid SSL/TLS certificate for your mail server.
  • Configure TLS on Mail Server: Ensure that your mail server is properly configured to support TLS encryption.
  • Create MTA-STS Policy: Write a MTA-STS policy file detailing the TLS requirements for inbound email delivery.
  • Publish Policy File: Host the policy file on a publicly accessible (HTTPS only) web server.
  • Add DNS TXT Record: Create the necessary DNS records to support MTA-STS.

If you're using profilter for your inbound email delivery then all profilter clusters are already configured to support SSL/TLS communications.

We've created a detailed knowledage base article on the setting up of MTA-STS

Direct link to the KB Article is here.

MTA-STS (Mail Transfer Agent Strict Transport Security) is a mechanism designed to enhance the security of inbound email communication by enforcing secure connections between mail servers.

It works by specifying policies in the Domain Name System (DNS) records of a domain, indicating if encrypted connections using specific protocols, such as Transport Layer Security (TLS), should be accepted by the mail server.

The implementation of MTA-STS requires the publishing of several DNS records. Please see the KB article titled, "How do I setup MTA-STS@quot; for the DNS records required.

An MTA-STS (Mail Transfer Agent Strict Transport Security) record is a type of DNS (Domain Name System) record used to implement MTA-STS policy for a domain.

The MTA-STS DNS records point to a public location where the MTA-STS policy is published.

To implement MTA-STS two DNS records are required. A DNS A or AAAA record called mta-sts and a DNS TXT record called _mta-sts. For more information please see the setup guide.

MTA-STS (Mail Transfer Agent Strict Transport Security) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are both mechanisms aimed at enhancing email security, but they serve different purposes and operate at different layers of the email infrastructure.

MTA-STS primarily focuses on securing the transport layer of email communications. It ensures that email exchanges between mail servers occur over encrypted connections, typically using protocols like Transport Layer Security (TLS).

On the other hand, DMARC is a policy framework that focuses on authenticating emails and combatting email spoofing and phishing attacks. DMARC enables domain owners to authenticate their emails using techniques like SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), and it provides instructions to email receivers on how to handle emails that fail authentication.

TLS-RPT (Transport Layer Security - RePorTing) is a protocol designed to improve the security of email communication by providing feedback to domain owners about issues encountered during the establishment of TLS-encrypted connections between email servers.

If you're going to implement MTA-STS then its a good ideal to implement TLS-RPT so you can problem solve any delivery issues that are caused by having a strict security delivery policy.

TLS Reporting is a valuable tool for domain owners to monitor and improve the security of their email communication by receiving feedback on TLS connection attempts made to their domains. Here's a brief overview of TLS-RPT:

  • Feedback Mechanism: TLS-RPT allows email servers to report back to domain owners any problems encountered when attempting to establish Transport Layer Security (TLS) connections. These reports provide valuable insight into potential security vulnerabilities and misconfigurations.
  • Diagnostic Information: TLS-RPT reports typically include diagnostic information such as error codes, encryption protocol versions, and certificate validation failures encountered during the TLS handshake process.
  • Policy Discovery: In addition to reporting errors, TLS-RPT enables domain owners to discover which email servers are attempting to connect to their domain using TLS encryption. This helps domain owners assess the effectiveness of their TLS policies and identify any unauthorised or insecure connections.
  • Enhanced Security: By providing feedback on TLS connection attempts, TLS-RPT enables domain owners to identify and address security weaknesses in their email infrastructure, ultimately enhancing the overall security posture of their domains.

We've created a detailed knowledage base article on the setting up of TLS-RPT

Direct link to the KB Article is here.


like it, love it, then share it. Share this article on social media.

Did you enjoy this article?


The Origin of this information may be internal or external to Prolateral Consulting Ltd. Prolateral makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Prolateral makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.