Mail Transfer Agent-Strict Transport Security (MTA-STS)

MTA-STS, much like the name suggests, is a protocol that enables encrypted transport of messages between two SMTP mail servers. It lets a receiving domain tell sending servers that email must only be sent over a TLS-encrypted connection, and must not be delivered at all if a secure connection cannot be established via the STARTTLS command. By protecting email in transit, MTA-STS helps mitigate Man-in-the-Middle (MITM) attacks such as SMTP downgrade attacks and DNS spoofing attacks.

How Does MTA-STS Ensure Encryption of Messages in Transit?

Let’s take a simple example to understand how messages get encrypted during email flow. When an MTA sends an email to [email protected], it first performs a DNS query to find out which MTAs the email must be delivered to, requesting the MX records of powerdmarc.com. The sending MTA then connects to the receiving MTA found in the DNS result and asks whether that server supports TLS encryption. If it does, the email is sent over an encrypted connection; if it does not, the sending MTA fails to negotiate a secure connection and sends the email in plaintext.
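A sending MTA that honours MTA-STS adds a policy check to the flow above before it delivers. The following added example (not code from the original article) parses a constructed MTA-STS TXT record and policy file and decides whether delivery to a given MX may proceed in enforce, testing and none modes; the hostnames and policy id are assumptions.

```python
# Added example, not code from the original article: how a sending MTA parses an
# MTA-STS policy and decides whether a delivery attempt may proceed.
# Constructed samples: the TXT record published at _mta-sts.<domain> and the
# policy file served at https://mta-sts.<domain>/.well-known/mta-sts.txt
STS_TXT = "v=STSv1; id=20240101120000Z;"
STS_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""

def parse_sts_txt(txt):
    """Return the policy id from the TXT record, or None if it is not STSv1."""
    fields = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    return fields.get("id") if fields.get("v") == "STSv1" else None

def parse_sts_policy(text):
    """Parse the key: value policy file; 'mx' may repeat, so it becomes a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def mx_allowed(policy, mx_host):
    """True if mx_host matches an mx entry; a '*.' wildcard covers one label only."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".backup.example.net"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False

def delivery_decision(policy, mx_host, tls_ok):
    """Return 'deliver', 'deliver+report' or 'refuse' for one delivery attempt.
    tls_ok: STARTTLS succeeded with a certificate valid for mx_host.
    No valid STSv1 policy (or mode none) means opportunistic TLS as before."""
    if policy is None or policy.get("version") != "STSv1" or policy.get("mode") == "none":
        return "deliver"
    if tls_ok and mx_allowed(policy, mx_host):
        return "deliver"
    # enforce: never fall back to plaintext; testing: send but report the failure
    return "refuse" if policy.get("mode") == "enforce" else "deliver+report"
```

In testing mode the "deliver+report" outcome is what feeds a TLS-RPT report, which is how a domain owner finds misconfigured MXs before switching the policy to enforce.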

Sending emails over an unencrypted pathway paves the way to pervasive monitoring attacks like MITM and SMTP downgrade. Let’s find out how: