Ensure Secure Email Delivery with MTA-STS

PowerDMARC’s hosted MTA-STS helps you configure MTA-STS correctly and with ease. Most email today is secured with Transport Layer Security (TLS) encryption, an industry standard adopted even by consumer email services. But attackers can intercept your email before it is ever encrypted: if your email is not transported over a secure connection, your data could be read or even modified by an attacker. Mail Transfer Agent Strict Transport Security (MTA-STS) fixes this, guaranteeing safe transit for your email.

How Does TLS Encryption Work?

When you send an email from your domain, your Mail Transfer Agent (MTA) connects to the receiving server and checks whether it advertises the STARTTLS command. Once your MTA confirms that the receiver supports STARTTLS, it upgrades the connection to TLS and sends the email securely.

But an attacker can disrupt this process, either by rerouting the email to a server under their control or by making the STARTTLS negotiation fail, which prompts your MTA to fall back to sending the email over an unencrypted connection. In either case, the attacker gains full access to your email.

How Does MTA-STS Work?

MTA-Strict Transport Security (MTA-STS) is a security protocol designed to mitigate both of the man-in-the-middle (MITM) attacks described above. Here’s how it does that:

  • Use of HTTPS-Enabled Servers

The MX records your MTA retrieves over DNS are compared against the mx entries listed in the MTA-STS policy file, which is fetched over HTTPS from a web server with a valid certificate. MTAs also cache MTA-STS policy files, which makes a DNS spoofing attack much harder to pull off.

  • Mandatory TLS

MTA-STS allows your domain to publish a policy that makes sending email to it over an encrypted TLS connection compulsory. If the receiving server is found not to support STARTTLS, the email is not sent at all. This makes it impossible to perform an SMTP downgrade.
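To make the two checks above concrete, here is an added example (not PowerDMARC's code) that parses an MTA-STS policy file and applies it to the MX host a sending MTA has resolved, following the RFC 8461 rules. The policy text and MX names are constructed sample values; the failure labels reuse the TLS-RPT result types from RFC 8460.

```python
# Constructed sample policy, as it would be served at
# https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


def parse_policy(text):
    """Parse key/value lines; 'mx' may repeat, so it is collected as a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in {"enforce", "testing", "none"}:
        raise ValueError("invalid MTA-STS policy")
    return policy


def mx_matches(mx_host, pattern):
    """RFC 8461 wildcard: '*.example.com' matches exactly one leftmost label."""
    mx_host = mx_host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in mx_host and mx_host.split(".", 1)[1] == pattern[2:]
    return mx_host == pattern


def decide_delivery(policy, mx_host, starttls_offered):
    """Return (deliver, reason) for one MX candidate under the policy.

    In enforce mode an MX that is not listed in the policy (possible DNS
    spoofing) or a server that does not offer STARTTLS (possible downgrade)
    means the mail is not sent. In testing/none mode the failure is only
    recorded for TLS-RPT and delivery goes ahead.
    """
    if not any(mx_matches(mx_host, p) for p in policy["mx"]):
        failure = "validation-failure"
    elif not starttls_offered:
        failure = "starttls-not-supported"
    else:
        return True, "ok"
    if policy["mode"] == "enforce":
        return False, failure
    return True, failure
```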

What Can PowerDMARC Do?

  • Hosted MTA-STS

MTA-STS requires an HTTPS-enabled web server with a valid certificate, DNS records, and constant maintenance. PowerDMARC makes your life a whole lot easier by handling all of that for you, completely in the background. Once we help you set it up, you never even have to think about it again.

  • TLS Reporting

Using MTA-STS, you can require that email sent to your domain travels over a TLS-encrypted connection. This can lead to occasional problems in email delivery. TLS Reporting (TLS-RPT) lets you receive regular reports about the status of email delivery to your domain, so you can quickly resolve issues as they arise. PowerDMARC receives these reports as JSON files and converts them into simplified charts and tables that anyone can read. The less time you waste, the faster you can fix problems.

Schedule a demo today for Hosted MTA-STS