Securing mail in transit: MTA-STS and TLS-RPT
DMARC answers 'who sent this?'. It says nothing about whether the message was encrypted on the way. That's a different gap - and it has its own fix.
SPF, DKIM and DMARC are all about identity – proving a message really came from you. None of them say anything about whether that message was encrypted as it travelled between mail servers. That’s a separate problem, and on its own it leaves a real gap.
Email encryption is “optional” by default
When one mail server hands a message to another, it normally tries to use TLS – but classically this is opportunistic: if encryption isn’t available, it sends in plain text anyway rather than fail. An attacker positioned between the servers can exploit that by stripping the server's offer of encryption (a downgrade attack), so the message is sent in the clear and can be read or altered. Neither the sender nor the recipient notices.
MTA-STS makes TLS mandatory
MTA-STS (SMTP MTA Strict Transport Security) lets you publish a policy that says: “mail to my domain must be delivered over TLS, to these mail servers.” A sending server that supports MTA-STS will then refuse to downgrade – if it can’t establish a valid encrypted connection, it doesn’t deliver. The downgrade attack stops working.
TLS-RPT tells you when it goes wrong
The companion standard, TLS-RPT, asks sending servers to report back when they couldn’t deliver to you securely. Without it, TLS failures are invisible – you’d only find out when mail mysteriously stopped arriving. With it, you get an early warning that something in your transport setup needs attention.
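TLS-RPT reports arrive as JSON documents in the RFC 8460 format. The following is an added example, not code from this page or from the service it describes: it parses a TLS-RPT DNS record and turns one aggregate report into a per-domain summary that tells an operator which failures point at their own setup. The report, the sender name and the IP addresses are constructed sample values.

```python
"""Summarize a TLS-RPT aggregate report (RFC 8460 JSON) for an operator.

Added example: not code from the page or the product it describes. The report
below is a constructed sample, not a real report from any sender.
"""
import json
from collections import Counter

# Constructed sample report: two policies, one healthy, one with failures
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender Inc.",
    "date-range": {"start-datetime": "2024-05-01T00:00:00Z",
                   "end-datetime": "2024-05-02T00:00:00Z"},
    "contact-info": "tls-reports@sender.example",
    "report-id": "constructed-report-0001",
    "policies": [
        {
            "policy": {"policy-type": "sts", "policy-domain": "example.com",
                       "policy-string": ["version: STSv1", "mode: enforce",
                                         "mx: mail1.example.com", "max_age: 604800"],
                       "mx-host": ["mail1.example.com"]},
            "summary": {"total-successful-session-count": 120,
                        "total-failure-session-count": 7},
            "failure-details": [
                {"result-type": "certificate-expired", "sending-mta-ip": "203.0.113.10",
                 "receiving-mx-hostname": "mail1.example.com", "failed-session-count": 5},
                {"result-type": "starttls-not-supported", "sending-mta-ip": "203.0.113.11",
                 "receiving-mx-hostname": "mail1.example.com", "failed-session-count": 2},
            ],
        },
        {
            "policy": {"policy-type": "no-policy-found", "policy-domain": "example.org"},
            "summary": {"total-successful-session-count": 40,
                        "total-failure-session-count": 0},
        },
    ],
})

# RFC 8460 result types that point at the receiving domain's own setup
# (certificate, STARTTLS support, or MTA-STS policy hosting)
RECEIVER_SIDE = {
    "starttls-not-supported", "certificate-host-mismatch", "certificate-expired",
    "certificate-not-trusted", "sts-policy-fetch-error", "sts-policy-invalid",
    "sts-webpki-invalid",
}


def parse_tlsrpt_record(txt):
    """Parse a TLS-RPT DNS TXT record such as 'v=TLSRPTv1; rua=mailto:x@example.com'."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "TLSRPTv1":
        raise ValueError("v=TLSRPTv1 is required")
    if "rua" not in tags:
        raise ValueError("rua= is required")
    return {"v": tags["v"], "rua": [u.strip() for u in tags["rua"].split(",")]}


def summarize_tlsrpt(report_json):
    """Return per-domain session totals and failure counts by result-type."""
    report = json.loads(report_json)
    out = {"report-id": report.get("report-id"),
           "sender": report.get("organization-name"), "domains": {}}
    for entry in report.get("policies", []):
        domain = entry["policy"]["policy-domain"]
        summary = entry.get("summary", {})
        failures = Counter()
        for f in entry.get("failure-details", []):
            failures[f["result-type"]] += int(f.get("failed-session-count", 1))
        out["domains"][domain] = {
            "policy-type": entry["policy"].get("policy-type"),
            "ok": int(summary.get("total-successful-session-count", 0)),
            "failed": int(summary.get("total-failure-session-count", 0)),
            "by-result": dict(failures),
            # Flag the domain when any failure is one the receiver can fix
            "needs-attention": any(r in RECEIVER_SIDE for r in failures),
        }
    return out


if __name__ == "__main__":
    print(parse_tlsrpt_record("v=TLSRPTv1; rua=mailto:tls-reports@example.com"))
    for domain, info in summarize_tlsrpt(SAMPLE_REPORT)["domains"].items():
        print(domain, info)
```

Running it prints the parsed record and one summary line per domain; in the sample, example.com is flagged because an expired certificate and a missing STARTTLS offer are both things the receiving domain's operator has to fix, while example.org (no policy published, no failures) is not.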
The catch: hosting it is the hard part
MTA-STS sounds simple until you implement it. The policy has to be served from a specific HTTPS URL on a subdomain, with a valid TLS certificate that must never be allowed to lapse, and it has to stay in step with your MX records. Get the certificate renewal wrong and you’ve created the very outage you were trying to prevent. This is exactly why hosted MTA-STS exists – it serves the policy and manages the certificate for you, so you get the protection without the operational risk.
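The "stay in step with your MX records" requirement is the one most often broken in practice: in enforce mode, a sender will refuse to deliver to any MX host the policy does not name. The following is an added example, not code from this page or from the hosted service it describes. It parses a policy in the RFC 8461 text format, applies the validity rules a sending server applies (version, mode, max_age range, at least one mx entry), and reports which MX hosts a policy fails to cover, including RFC 8461's one-label wildcard matching. The policy text and MX hostnames are constructed samples.

```python
"""Parse an MTA-STS policy (RFC 8461 format) and check it against MX hostnames.

Added example: not code from the page or any product it describes. The policy
text and MX hostnames below are constructed samples for the example domain.
"""
import re

# Constructed sample: what https://mta-sts.example.com/.well-known/mta-sts.txt might return
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail1.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""

# Constructed sample MX hosts (what a DNS MX lookup for example.com might return)
SAMPLE_MX_HOSTS = ["mail1.example.com", "mx2.backup-mx.example.net", "mail3.example.com"]

VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age (one year in seconds)
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$"
)


def parse_mta_sts_policy(text):
    """Return a dict with version, mode, max_age (int) and mx (list of patterns).

    Raises ValueError for a policy a sender would reject: missing or duplicate
    keys, unknown mode, out-of-range max_age, malformed mx pattern.
    """
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            pattern = value.lower()
            bare = pattern[2:] if pattern.startswith("*.") else pattern
            if not HOSTNAME_RE.match(bare):
                raise ValueError(f"malformed mx pattern: {value!r}")
            policy["mx"].append(pattern)
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                raise ValueError(f"duplicate key: {key}")
            policy[key] = value
        # Unknown keys are ignored, as RFC 8461 requires for future extensions
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError(f"mode must be one of {sorted(VALID_MODES)}")
    try:
        policy["max_age"] = int(policy.get("max_age", ""))
    except ValueError:
        raise ValueError("max_age must be an integer") from None
    if not 0 <= policy["max_age"] <= MAX_AGE_LIMIT:
        raise ValueError(f"max_age out of range (0..{MAX_AGE_LIMIT})")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx entry is required unless mode is none")
    return policy


def mx_matches(pattern, host):
    """RFC 8461 matching: exact match, or a '*.' wildcard covering one leftmost label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keep the leading dot so 'example.com' itself never matches
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def uncovered_mx_hosts(policy, mx_hosts):
    """MX hosts from DNS that no policy mx pattern covers.

    In enforce mode a sender refuses to deliver to any of these, so a non-empty
    result is the outage the text above warns about.
    """
    return [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy["mx"])]


if __name__ == "__main__":
    pol = parse_mta_sts_policy(SAMPLE_POLICY)
    print("parsed:", pol)
    print("MX hosts not covered by policy:", uncovered_mx_hosts(pol, SAMPLE_MX_HOSTS))
```

With the sample inputs the check reports mail3.example.com as uncovered: it is a live MX host, but the policy names neither it nor a wildcard that reaches it, so any MTA-STS-aware sender would skip it. Running a check like this whenever MX records change, and raising the policy's id in the `_mta-sts` TXT record afterwards so senders refetch, is what keeps policy and DNS in step.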
Where it fits
Think of it as layers. DMARC stops people impersonating you; MTA-STS and TLS-RPT make sure the mail that is yours travels protected. Together with DKIM and DNSSEC, they’re what a genuinely well-secured domain looks like – and they all roll up into your score.
Is your mail protected in transit?
A free check shows your MTA-STS and TLS-RPT status alongside SPF, DKIM and DMARC.
Check your domain