Ensure Secure Email Delivery with MTA-STS

PowerDMARC’s hosted MTA-STS helps you configure MTA-STS correctly and with ease. Most email today is secured with Transport Layer Security (TLS) encryption, an industry-standard adopted even by consumer email. But attackers can intercept your email even before it gets encrypted. If your email is not transported over a secure connection, your data could be stolen or even modified by an attacker.  Mail Transfer Agent-Strict Transport Security (MTA-STS)  fixes this, guaranteeing safe transit for your email.

How Does TLS Encryption Work?

When you send an email from your domain, your Mail Transfer Agent (MTA) performs a query to the receiving server to check if it supports the STARTTLS command. When your MTA confirms that the receiver supports STARTTLS, it switches to an encrypted connection and sends the email securely.

But an attacker can disrupt this process, rerouting the email to a server controlled by them, or make the STARTTLS query fail, prompting your MTA to send the email over an unencrypted connection. In either case, the attacker can have total access to your emails.

How Does TLS Encryption Work?

Why MTA-STS?

MTA-Strict Transport Security (MTA-STS) is a security protocol designed to mitigate both MITM attacks. Here’s how it does that:

  • Use of HTTPS-Enabled Servers

The MX records, which your MTA queries over DNS, are compared to the records stored in the MTA-STS policy file, which are fetched over HTTPS. MTAs also cache MTA-STS policy files, which make a DNS spoofing attack much harder to pull off.

  • Mandatory TLS

MTA-STS allows your domain to publish a policy that makes sending email with encrypted TLS compulsory. If for some reason the receiving server is found to not support STARTTLS, the email will not be sent at all. This makes it impossible to perform an SMTP downgrade.