What’s MTA-STS, why it makes email routing safer, and how to set it up

Modern email uses Transport Layer Security (TLS) to keep messages safe from prying eyes as they move between mail servers. Without additional safeguards that TLS is only opportunistic: an attacker sitting on the path can strip it or spoof it, and the sending server will carry on regardless. This is where Mail Transfer Agent Strict Transport Security (MTA-STS, RFC 8461) comes in.

What is MTA-STS?

MTA-STS is a standard designed to protect Simple Mail Transfer Protocol (SMTP) connections between mail servers from downgrade and Man-in-the-Middle (MitM) attacks. The receiving domain publishes a policy saying that mail for it must only be delivered to its listed MX hosts over TLS with a valid certificate; a sending server that supports MTA-STS fetches that policy and refuses to deliver any other way.

Even though SMTP with STARTTLS has been around for years, it is not foolproof on its own: STARTTLS is opportunistic, so an active attacker can strip the STARTTLS offer or present a fake certificate, and most senders will then fall back to plaintext or accept the certificate anyway. MTA-STS closes that gap by telling the sender in advance what to expect.

How does mail transfer between servers?

Email messages sent from one domain to another travel over the public internet. First, the sender’s server looks up the recipient’s mail servers using the recipient domain’s MX (Mail Exchange) records.

Then the sending server connects to one of those MX hosts over plain SMTP and, if the receiving server advertises STARTTLS, the two upgrade the connection to TLS. Both steps are unauthenticated by default: the MX answer can be spoofed unless DNSSEC is in use, the STARTTLS advertisement can be stripped from the server’s reply, and most senders do not validate the receiving server’s certificate. Without further protection an attacker in the path can therefore downgrade or redirect the connection.

What are the risks without MTA-STS?

Without MTA-STS, email can be silently intercepted by an attacker in the path who strips the STARTTLS offer, redirects the connection with spoofed MX answers, or presents a fake certificate during a MitM attack. As a result your email can be read in clear text by third parties. With MTA-STS in enforce mode, the sending server verifies that it is talking to one of your listed MX hosts over a TLS connection whose certificate is valid for that host, or it refuses to deliver the message (and normally keeps it queued to retry later).

Practical example

The MTA-STS policy is a plain text file published at a fixed location on a web server for the mta-sts subdomain of your mail domain. It must be served over HTTPS with a certificate that is valid for that hostname, because the sender has nothing else with which to authenticate the policy:

https://mta-sts.example.com/.well-known/mta-sts.txt

The text file should look like this:

version: STSv1
mode: enforce
mx: mx.example.com
max_age: 86400
  • version: Must be STSv1. As of now, there is no other version.
  • mode: One of enforce (refuse delivery that cannot meet the policy), testing (deliver anyway, but report failures via TLS-RPT) or none (the domain no longer has a policy; used to retire one).
  • mx: One or more MX hostnames, one per mx: line. A leading wildcard such as *.example.com is supported and matches exactly one label (mail.example.com, but not example.com or a.b.example.com).
  • max_age: Time in seconds for which a sender may cache the policy (86400 is one day; the maximum is one year). Start low while testing; once the policy is stable, use a long value (weeks) so that senders keep enforcing it even if an attacker later blocks the HTTPS fetch.

You can check MTA-STS policies in the browser, e.g.: https://mta-sts.gmail.com/.well-known/mta-sts.txt

version: STSv1
mode: enforce
mx: gmail-smtp-in.l.google.com
mx: *.gmail-smtp-in.l.google.com
max_age: 86400

DNS record for MTA-STS

A small but important TXT record in DNS tells sending mail servers that your domain publishes an MTA-STS policy, and carries an id that changes whenever the policy does:

For Gmail at _mta-sts.gmail.com, it looks like this:

_mta-sts.gmail.com.     300     IN      TXT     "v=STSv1; id=20190429T010101;"

The id can be any unique alphanumeric string of up to 32 characters. Senders that have cached your policy only re-fetch it when the id in DNS differs from the one they stored, so every time you change the policy file you must also change the id, otherwise senders keep using the old policy until their cached copy expires.

It’s considered “best practice” to use a date or datetime in the id, since that keeps it unique and tells you at a glance when the policy last changed.
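To show how a sending MTA combines the TXT record with its cached policy, here is an added example in Python (not from the original page, and not the code of any particular MTA). It parses the _mta-sts record, decides when the HTTPS policy has to be fetched again, and applies the enforce/testing/none mode to one delivery attempt. The `PolicyCache` class, the `delivery_decision` function and the integer timestamps are assumptions of this example; policy dicts have the shape of the file above (a list of mx entries, max_age in seconds), and whether an MX host matched the policy is passed in as a boolean so that the wildcard matching itself is left out here.

```python
import re


def parse_sts_txt(record):
    """Parse the value of a _mta-sts TXT record; return its id, or None if invalid.

    RFC 8461 requires the record to start with v=STSv1 and to carry an id of
    1 to 32 alphanumeric characters. Anything else counts as "no MTA-STS
    record", which is also what a sender sees when the lookup fails.
    """
    fields = [f.strip() for f in record.split(";") if f.strip()]
    if not fields or fields[0] != "v=STSv1":
        return None
    kv = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    sts_id = kv.get("id", "")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", sts_id):
        return None
    return sts_id


class PolicyCache:
    """Sender-side policy cache keyed by recipient domain (assumed structure).

    A fetched policy stays in force for max_age seconds. The HTTPS policy is
    only re-fetched when the id in DNS differs from the cached one or the
    cached copy has expired, which is why editing the policy file without
    changing the id has no effect on senders that already hold a copy.
    """

    def __init__(self):
        self.entries = {}  # domain -> (id, policy dict, expiry timestamp)

    def store(self, domain, sts_id, policy, now):
        self.entries[domain] = (sts_id, policy, now + policy["max_age"])

    def needs_fetch(self, domain, dns_id, now):
        """True if the sender should fetch the policy over HTTPS now."""
        entry = self.entries.get(domain)
        if entry is None:
            return dns_id is not None   # no copy yet: fetch only if DNS advertises one
        cached_id, _, expiry = entry
        if dns_id is None:
            # DNS failed or the record vanished: keep enforcing the cached policy
            # until it expires, so blocking DNS cannot cancel the policy early.
            return now >= expiry
        return dns_id != cached_id or now >= expiry

    def current(self, domain, now):
        """The policy still in force for the domain, or None."""
        entry = self.entries.get(domain)
        if entry is not None and now < entry[2]:
            return entry[1]
        return None


def delivery_decision(policy, mx_allowed, tls_ok):
    """What a sending MTA does for one MX host under a policy.

    mx_allowed: the MX host matches one of the policy's mx entries.
    tls_ok: STARTTLS succeeded and the certificate is valid for the MX name.
    Returns "deliver", "deliver-and-report" (testing mode) or "refuse".
    """
    if policy is None or policy["mode"] == "none":
        return "deliver"                 # no policy: plain opportunistic TLS as before
    if mx_allowed and tls_ok:
        return "deliver"
    if policy["mode"] == "enforce":
        return "refuse"                  # leave the message queued and retry later
    return "deliver-and-report"          # testing: deliver anyway, report via TLS-RPT
```

Two details matter in practice: a missing or unparsable TXT record does not cancel a policy that a sender already holds, and a policy in testing mode never blocks delivery, which is what makes it safe to start with.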

TLS reporting: get feedback on failures

SMTP TLS Reporting (TLS-RPT, RFC 8460) lets you receive aggregate reports from sending mail servers about their attempts to deliver securely to your domain, including why an attempt failed.

Gmail has this record in place for _smtp._tls.gmail.com:

_smtp._tls.gmail.com.   300     IN      TXT     "v=TLSRPTv1;rua=mailto:sts-reports@google.com"

This means the specified address receives a daily aggregate report from each participating sender, listing failed or downgraded connections with the reason (for example a certificate that does not match the MX name, or STARTTLS not being offered) alongside the count of successful sessions.

The reports are JSON documents, usually delivered as gzip-compressed attachments, so they are meant for automated tooling rather than for reading by hand. Look up “TLS-RPT reporting” for parsers and dashboards.
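As an added example of what such tooling does (not code from the original page or from any reporting product), the Python below parses a TLS-RPT report in the RFC 8460 JSON format and splits the failures by result type, flagging the ones you can fix on your own servers. The report is constructed for this example: the reporting organisation, the addresses, the counts and the 203.0.113.x / 198.51.100.x documentation addresses are made up, and the `summarize` / `needs_attention` function names are this example’s own.

```python
import json
from collections import Counter

# Constructed TLS-RPT report in the RFC 8460 JSON format. Real reports arrive
# as a (usually gzipped) attachment to mail sent to the rua= address.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender Inc.",
    "date-range": {"start-datetime": "2024-06-12T00:00:00Z",
                   "end-datetime": "2024-06-12T23:59:59Z"},
    "contact-info": "tls-reports@sender.example",
    "report-id": "2024-06-12T00:00:00Z_example.hexname.com",
    "policies": [{
        "policy": {
            "policy-type": "sts",
            "policy-string": ["version: STSv1", "mode: enforce",
                              "mx: mx.example.hexname.com", "max_age: 86400"],
            "policy-domain": "example.hexname.com",
            "mx-host": ["mx.example.hexname.com"],
        },
        "summary": {"total-successful-session-count": 812,
                    "total-failure-session-count": 5},
        "failure-details": [
            {"result-type": "certificate-host-mismatch",
             "sending-mta-ip": "203.0.113.7",
             "receiving-mx-hostname": "mx.example.hexname.com",
             "receiving-ip": "198.51.100.98",
             "failed-session-count": 3},
            {"result-type": "starttls-not-supported",
             "sending-mta-ip": "203.0.113.9",
             "receiving-mx-hostname": "mx.example.hexname.com",
             "receiving-ip": "198.51.100.99",
             "failed-session-count": 2},
        ],
    }],
})

# result-type values (RFC 8460 section 4.3) that point at a problem on the
# receiving side, i.e. something the domain owner has to fix.
RECEIVER_SIDE = {
    "starttls-not-supported", "certificate-host-mismatch", "certificate-expired",
    "certificate-not-trusted", "validation-failure",
    "sts-policy-fetch-error", "sts-policy-invalid", "sts-webpki-invalid",
}


def summarize(report_json):
    """Return the reporter plus, per policy, totals and failures by result type."""
    report = json.loads(report_json)
    out = {"reporter": report["organization-name"], "policies": []}
    for entry in report["policies"]:
        failures = Counter()
        for detail in entry.get("failure-details", []):
            failures[detail["result-type"]] += detail.get("failed-session-count", 0)
        out["policies"].append({
            "domain": entry["policy"]["policy-domain"],
            "type": entry["policy"]["policy-type"],
            "ok": entry["summary"]["total-successful-session-count"],
            "failed": entry["summary"]["total-failure-session-count"],
            "by_result": dict(failures),
        })
    return out


def needs_attention(summary):
    """Domains whose reported failures are ones the domain owner can fix."""
    return [p["domain"] for p in summary["policies"]
            if any(r in RECEIVER_SIDE for r in p["by_result"])]


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(json.dumps(s, indent=2))
    print("needs attention:", needs_attention(s))
```

A certificate-host-mismatch count against your own MX is the typical sign that the certificate on that host was issued for a different name than the one in your MX record; starttls-not-supported against it usually means a broken or downgraded connection rather than a misconfiguration on the sender’s side.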

Practical example

If you host your DNS with HexName and your mail server is mx.example.hexname.com, you would:

  1. Publish your policy at https://mta-sts.example.hexname.com/.well-known/mta-sts.txt, served over HTTPS with a certificate valid for mta-sts.example.hexname.com, e.g.:
version: STSv1
mode: enforce
mx: mx.example.hexname.com
max_age: 86400

Hint: this can be served by your reverse proxy, or by a Cloudflare Worker bound to the mta-sts.example.hexname.com route (Cloudflare then provides the HTTPS certificate for that hostname), using this template:

export default {
  async fetch(request, env, ctx) {
    // Only answer the well-known policy path; everything else on the
    // mta-sts host is a 404 so that nothing unrelated is served there.
    const url = new URL(request.url);
    if (url.pathname !== "/.well-known/mta-sts.txt") {
      return new Response("Not found", { status: 404 });
    }
    // RFC 8461 expects the policy as text/plain; LF line endings are fine.
    const body =
`version: STSv1
mode: enforce
mx: mx.example.hexname.com
max_age: 86400
`;
    return new Response(body, {
      headers: { "content-type": "text/plain; charset=utf-8" },
    });
  }
};
  2. Add the DNS TXT record at _mta-sts.example.hexname.com:
_mta-sts.example.hexname.com. 3600 IN TXT "v=STSv1; id=20240612;"
  3. Optionally, set up TLS-RPT for reporting:
_smtp._tls.example.hexname.com. 3600 IN TXT "v=TLSRPTv1; rua=mailto:tls-reports@example.hexname.com"

Before switching to mode: enforce, run with mode: testing and a short max_age for a while, check the TLS-RPT reports for failures you caused yourself (an MX host missing from the policy, a certificate that does not match the MX name), and remember to change the id in the TXT record every time the policy file changes.

Summary

MTA-STS is straightforward to set up and adds much-needed protection to your domain’s inbound email: any sending server that honours your policy will refuse to hand your mail to an impostor MX or to send it in clear text. Keep its limits in mind, though. It only covers the hop between the sending server and your MX, only for senders that implement MTA-STS, and it says nothing about what happens to a message before or after that hop.
