It’s time to adopt MTA-STS

Inbox Providers like Google, Yahoo! and Outlook.com are in a constant arms race trying to protect their users from spammers, spoofers and irrelevant content. Since the late ’90s, dozens of new technologies have been proposed and adopted, including Blacklists, TLS Encryption, SPF, DKIM, DMARC, BIMI and, now, MTA-STS. With the continued progression of MTA-STS, it is now time for all domains to adopt the technology to secure inbound email and reduce the threat of spam.

What is MTA-STS?

MTA-STS is an update to TLS Encryption that allows an Inbox Provider to specify a list of secure servers to receive email and mandates a secure TLS connection to these servers. Insecure connections will not be accepted. This corrects a few of the shortcomings of TLS alone: expired TLS security certificates, man-in-the-middle attacks and attacks that downgrade to no encryption.

How does MTA-STS Work?

When a sender wants to connect to an inbox provider or domain’s email servers to deliver email, it first queries the MTA-STS DNS entry, which contains the location of a policy file. The policy file is accessed via HTTPS and contains the correct servers to use (which must match the MX records exactly), the TLS encryption requirements, the MTA-STS policy mode and the maximum length of time to cache this information. The sender then encrypts communication with the servers and transmits the email.

Since the sender is required to verify the connection and it is encrypted to known servers, the sender has a slightly higher level of trust. Any sender that fails this mini test can be considered a threat.
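The checks a sender performs on the DNS entry and policy file can be sketched as follows. This is an added example, not MxToolbox code: the field names (`v`, `id`, `version`, `mode`, `mx`, `max_age`), the `max_age` limit and the one-label `*.` wildcard come from RFC 8461 rather than from this article, and the function names, domains and policy id are constructed for illustration.

```python
# Added example: RFC 8461 record and policy checks. All sample values are constructed.
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds

SAMPLE_TXT = "v=STSv1; id=20240101T000000"   # TXT record at _mta-sts.<domain>
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mx.example.com
max_age: 86400
"""

def parse_txt(record):
    """Return the policy id from the TXT record, or raise ValueError."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    fields = dict(p.split("=", 1) for p in parts if "=" in p)
    policy_id = fields.get("id", "")
    id_ok = policy_id.isascii() and policy_id.isalnum() and len(policy_id) <= 32
    if not parts or parts[0] != "v=STSv1" or not id_ok:
        raise ValueError("invalid MTA-STS TXT record")
    return policy_id

def parse_policy(text):
    """Parse and validate the policy file body; raise ValueError if unusable."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy.setdefault(key, value)  # first occurrence of a key wins
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("unsupported version or mode")
    policy["max_age"] = int(policy.get("max_age", -1))
    if not 0 <= policy["max_age"] <= MAX_AGE_LIMIT:
        raise ValueError("max_age missing or out of range")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy lists no mx hosts")
    return policy

def mx_allowed(host, patterns):
    """True if an MX host matches a policy mx entry; '*.' covers one left-most label only."""
    host = host.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else ""
    return any(host == p or (p.startswith("*.") and parent and parent == p[2:]) for p in patterns)
```

In `enforce` mode a sender would refuse delivery to any MX host for which `mx_allowed` returns False, or whose certificate does not validate.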

What does MxToolbox recommend?

MxToolbox recommends that all companies set up MTA-STS for their receiving domains. Doing so informs senders that your email servers and providers accept secure message delivery using SMTP over TLS, and requires that email not be delivered over an insecure SMTP connection. When MTA-STS is enabled for your receiving domain, it requests external servers to send messages to your domain only when the SMTP connection is authenticated with a valid public certificate AND encrypted with TLS 1.2 or higher. This is a higher level of security for incoming email and should reduce spam to your domain.

In addition, you should ensure that all your domain’s email senders support MTA-STS. This includes your email server software, email marketing, and any other potential email senders: CRM, Order Management, Support, etc. Once you select a provider’s MTA-STS policy, messages sent from your domain to external servers will also comply with the standard and improve delivery.

Test Your MTA-STS setup with MxToolbox

To help all our users get a head start with MTA-STS, we’ve created a free lookup tool as part of our SuperTool. Check your MTA-STS policy setup as well as any email sender!