MTA-STS and TLS-RPT Implementation Guide

Welcome to your detailed handbook on MTA-STS and TLS-RPT to get hands-on knowledge about the protocols and their functionalities.

Contact us Book a demo

Table of Contents

  1. What is Mail Transfer Agent-Strict Transport Security (MTA-STS)?
  2. How does MTA-STS ensure encryption of messages in transit?
  3. Breaking down the anatomy of a MITM Attack
  4. How does  MTA-STS ensure TLS encryption?
  5. What is the MTA-STS Policy File?
  6. How to publish the MTA-STS Policy File?
  7. What is MTA-STS DNS Record?
  8. How to deploy MTA-STS?
  9. What are the challenges faced while manually deploying MTA-STS?
  10. PowerDMARC’s Hosted MTA-STS Services
  11. What is SMTP TLS Reporting (TLS-RPT)?
  12. How to enable TLS-RPT for your domain?
  13. Frequently Asked Questions
encryption tls

Mail Transfer Agent-Strict Transport Security (MTA-STS)

MTA-STS, much like what the name suggests, is a protocol that enables encrypted transport of messages between two SMTP mail servers. MTA-STS specifies to sending servers that emails should only be sent over a TLS encrypted connection, and should not be delivered at all in case a secured connection is not established via the STARTTLS command. By enhancing the security of emails in transit, MTA-STS helps in mitigating Man-In-The-Middle attacks (MITM) such as SMTP downgrade attacks, and DNS spoofing attacks.

Read more

How Does MTA-STS Ensure Encryption of Messages in Transit?

Let’s take a simple example to understand how messages get encrypted during email flow. If an MTA is sending  an email to [email protected], the MTA performs a DNS query to find out which MTAs the email must be sent to. The DNS request is sent to fetch the MX records of powerdmarc.com. The sending MTA subsequently connects to the receiving MTA found in the DNS query result, enquiring whether this receiving server supports TLS encryption. If it does, the email is sent over an encrypted connection, however, if it does not, the sending MTA fails to negotiate a secured connection and sends the email in plaintext.

Sending emails over an unencrypted pathway paves the way to pervasive monitoring attacks like MITM and SMTP downgrade. Let’s find out how: