• What is MTA-STS?

    MTA-STS addresses a long-standing weakness of email transport: Man-in-the-Middle (MitM) attacks on the connections between mail servers. Specifically, it addresses unsecured server-to-server connections, which allowed an attacker to intercept, read or alter email messages in transit.

    MTA-STS (Mail Transfer Agent Strict Transport Security) is a protocol for securing email transmission with Transport Layer Security (TLS). It lets a sending mail server discover the transport security policy of the recipient's mail servers and negotiate a secure connection accordingly. By implementing MTA-STS, email service providers help prevent eavesdropping on and tampering with messages in transit, and ensure that messages are delivered only to the recipient domain's legitimate mail servers.

    In practice, the sending server discovers the recipient domain's policy and negotiates the connection as follows:

    1. Before delivering mail, the sending server queries DNS for the recipient domain's MTA-STS TXT record, which announces that the domain publishes a policy and carries the current policy ID.
    2. The sending server then fetches the policy itself over HTTPS from the domain's policy host (see step 3/ below); the policy states the mode, the permitted MX hostnames and how long it may be cached.
    3. The sending server uses this information to determine whether it can establish a TLS connection that satisfies the policy, and if so, how (which MX hosts are acceptable and what the certificate must match).
    4. Once the secure connection is established, the sending server can deliver its messages with confidence that they are transported securely and only to authorized servers of the recipient domain.
    5. The policy also lets the domain owner require that all incoming connections to their domain's mail servers authenticate with a valid certificate and that messages are delivered over a secure (TLS) connection.

    In short, MTA-STS improves the security of email transport by giving a Mail Transfer Agent (MTA) a way to discover and enforce the transport-layer security policy of the recipient domain.

    MTA-STS builds on technologies most organizations already run: SMTP with STARTTLS, HTTPS and DNS. Implementing it on the recipient's side therefore requires no additional software support for the standard, only the DNS records and the policy file described below.

    How to configure MTA-STS on your domain?

    It is straightforward.

    1/ Create this record to enable data collection (TLS reporting):

    • Hostname: _smtp._tls.yourdomain.com
    • Type: TXT
    • Value: v=TLSRPTv1;rua=mailto:youremail@yourdomain.com

    This record lets you receive JSON reports from Google and Microsoft describing how many emails sent to your domain were, or were not, encrypted with TLS. The reports confirm that your email server is properly configured to accept secure email connections. Note that currently only Google and Microsoft send such reports.
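    The reports arrive as JSON in the layout defined by RFC 8460 (TLSRPT). The script below is an added example, not code from dmarc.fr or from any reporter: it reduces one report to per-policy counts so that a sudden rise in failures, or failures attributed to an MX host you do not operate, stands out. The report text is constructed sample data; "yourdomain.com", the MX names and the reporter name are placeholders.

```python
import json
from collections import Counter
from typing import Any, Dict

# Constructed sample report in the RFC 8460 JSON layout (not a real report
# from Google or Microsoft); "yourdomain.com" and the MX names are placeholders.
SAMPLE_REPORT = """{
  "organization-name": "Example Reporter",
  "date-range": {"start-datetime": "2023-01-01T00:00:00Z",
                 "end-datetime": "2023-01-01T23:59:59Z"},
  "contact-info": "tlsrpt@reporter.example",
  "report-id": "constructed-report-0001",
  "policies": [{
    "policy": {
      "policy-type": "sts",
      "policy-string": ["version: STSv1", "mode: enforce",
                        "mx: *.yourdomain.com", "max_age: 604800"],
      "policy-domain": "yourdomain.com",
      "mx-host": ["*.yourdomain.com"]
    },
    "summary": {"total-successful-session-count": 1200,
                "total-failure-session-count": 15},
    "failure-details": [
      {"result-type": "certificate-host-mismatch",
       "sending-mta-ip": "192.0.2.10",
       "receiving-mx-hostname": "mx1.yourdomain.com",
       "failed-session-count": 10},
      {"result-type": "starttls-not-supported",
       "sending-mta-ip": "192.0.2.11",
       "receiving-mx-hostname": "mx2.yourdomain.com",
       "failed-session-count": 5}
    ]
  }]
}"""


def summarize_tlsrpt(report_json: str) -> Dict[str, Dict[str, Any]]:
    """Reduce a TLSRPT report to per-policy counts.

    Returns one entry per policy, keyed "<policy-type>:<policy-domain>", with
    the successful/failed session totals, the failure ratio, a breakdown of
    failures by result-type and by receiving MX, and a consistency flag that
    is False when the failure-details do not add up to the summary total.
    """
    report = json.loads(report_json)
    summary: Dict[str, Dict[str, Any]] = {}
    for entry in report.get("policies", []):
        policy = entry.get("policy", {})
        key = f'{policy.get("policy-type", "unknown")}:{policy.get("policy-domain", "unknown")}'
        totals = entry.get("summary", {})
        ok = int(totals.get("total-successful-session-count", 0))
        failed = int(totals.get("total-failure-session-count", 0))
        by_type: Counter = Counter()
        by_mx: Counter = Counter()
        for detail in entry.get("failure-details", []):
            count = int(detail.get("failed-session-count", 0))
            by_type[detail.get("result-type", "unknown")] += count
            by_mx[detail.get("receiving-mx-hostname", "unknown")] += count
        total = ok + failed
        summary[key] = {
            "reporter": report.get("organization-name"),
            "report_id": report.get("report-id"),
            "successful": ok,
            "failed": failed,
            "failure_ratio": failed / total if total else 0.0,
            "by_result_type": dict(by_type),
            "by_receiving_mx": dict(by_mx),
            "details_consistent": sum(by_type.values()) == failed,
        }
    return summary


# Result types that describe the TLS connection itself rather than a problem
# fetching the policy; in enforce mode these are the ones that cost you mail.
CONNECTION_FAILURES = {
    "starttls-not-supported", "certificate-host-mismatch",
    "certificate-expired", "certificate-not-trusted", "validation-failure",
}


def connection_failures(summary: Dict[str, Dict[str, Any]]) -> Dict[str, int]:
    """Total connection-level failures per policy, suitable for an alert threshold."""
    return {
        key: sum(n for rt, n in s["by_result_type"].items() if rt in CONNECTION_FAILURES)
        for key, s in summary.items()
    }


if __name__ == "__main__":
    for key, s in summarize_tlsrpt(SAMPLE_REPORT).items():
        print(key, s["successful"], "ok /", s["failed"], "failed", s["by_result_type"])
```

    A receiving MX hostname in the failure details that is not one of your own servers deserves attention: it means a sender was directed to a host your policy does not authorize, which is exactly the situation the enforce mode is meant to block.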


    2/ Create this record to tell the mail servers that send email to your domain that you have implemented an MTA-STS policy. This helps ensure that all email communications with your domain are conducted securely:

    • Hostname: _mta-sts.yourdomain.com
    • Type: TXT
    • Value: v=STSv1;id=20211220;

    The ID must be unique and must be updated each time the MTA-STS policy changes, since this is what tells sending servers that the policy has been updated. A good practice is to set the ID to the date on which the policy was last updated.

    3/ Publish the MTA-STS policy you want to use on a secure HTTPS service with the hostname "mta-sts.yourdomain.com":

    For example, the one from dmarc.fr is at: https://mta-sts.dmarc.fr/.well-known/mta-sts.txt

    version: STSv1 
    mode: enforce 
    mx: *.mail.protection.outlook.com 
    max_age: 604800 

    The above policy requires that all emails sent to dmarc.fr addresses be delivered over a secure connection using TLS. It also specifies that the hostname presented in the public certificate by the dmarc.fr mail servers will match the pattern "*.mail.protection.outlook.com". More information on how to configure this policy can be found at the following link: https://support.google.com/a/answer/9276511

    When a mail server attempts to send an email to dmarc.fr, it verifies that the TLS-secured SMTP connection is protected by a certificate matching the policy. If it is not, an attacker may be intercepting the communication between the two mail servers, and the policy prevents delivery over that connection. While this might seem like overkill, it adds a layer of protection against man-in-the-middle attacks on email between your domain and other domains. It is also relatively easy to configure, so implementing this policy is recommended.
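    To make concrete what a sending server does with the two artefacts from steps 2/ and 3/, here is an added example (not code from dmarc.fr or from any MTA): it parses the _mta-sts TXT record, parses and validates the policy file, and applies the RFC 8461 MX matching rule, under which a leading "*" stands for exactly one left-most label. The policy text is a copy of the dmarc.fr example above; the hostnames tested against it are constructed.

```python
from typing import Dict, List

# Copy of the dmarc.fr policy quoted in the article, embedded as sample input
# (the real one would be fetched over HTTPS from mta-sts.<domain>).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
max_age: 604800
"""

# Copy of the _mta-sts TXT record value from step 2/ (sample input).
SAMPLE_TXT = "v=STSv1;id=20211220;"

VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # one year in seconds, the upper bound RFC 8461 gives for max_age


def parse_sts_txt(record: str) -> Dict[str, str]:
    """Parse the _mta-sts.<domain> TXT record.

    The record only announces that a policy exists and carries its id; the
    policy body itself lives on the HTTPS policy host.
    """
    fields: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("not an MTA-STS TXT record (v=STSv1 missing)")
    if not fields.get("id"):
        raise ValueError("MTA-STS TXT record has no id")
    return fields


def parse_policy(text: str) -> Dict[str, object]:
    """Parse and validate an mta-sts.txt policy body ("key: value" lines)."""
    policy: Dict[str, object] = {"mx": []}
    mx_list: List[str] = policy["mx"]  # type: ignore[assignment]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx_list.append(value.lower())  # several mx lines are allowed
        else:
            policy[key] = value  # unknown keys are kept and ignored
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError(f"invalid mode: {policy.get('mode')!r}")
    try:
        max_age = int(str(policy["max_age"]))
    except (KeyError, ValueError):
        raise ValueError("max_age missing or not an integer") from None
    if not 0 <= max_age <= MAX_AGE_LIMIT:
        raise ValueError("max_age out of range")
    policy["max_age"] = max_age
    # An enforced or tested policy with no mx patterns can never match anything.
    if policy["mode"] != "none" and not mx_list:
        raise ValueError("policy has no mx entries")
    return policy


def mx_matches(pattern: str, hostname: str) -> bool:
    """RFC 8461 MX matching: a leading '*' matches exactly one left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".mail.protection.outlook.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return pattern == hostname


def mx_permitted(policy: Dict[str, object], hostname: str) -> bool:
    """True if the MX hostname is allowed by at least one pattern in the policy."""
    return any(mx_matches(p, hostname) for p in policy["mx"])  # type: ignore[union-attr]


if __name__ == "__main__":
    print(parse_sts_txt(SAMPLE_TXT))
    policy = parse_policy(SAMPLE_POLICY)
    for host in ("dmarc-fr.mail.protection.outlook.com", "mail.protection.outlook.com",
                 "a.b.mail.protection.outlook.com"):
        print(host, "->", "permitted" if mx_permitted(policy, host) else "rejected")
```

    In enforce mode a sender that finds the recipient's MX outside the permitted patterns, or a certificate that does not match the MX hostname, does not deliver over that connection; in testing mode it delivers anyway and only reports the failure, which is why the TLSRPT record from step 1/ is worth publishing first.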

    Our experts will help you deploy MTA-STS by providing guidance on configuring your mail servers and DNS records to support the protocol. They will also assist in testing and troubleshooting the implementation, ensuring that your email transmission is secure and that messages are delivered only to legitimate recipients. Additionally, they will provide support in ensuring your compliance with any relevant industry standards or regulatory requirements related to email security.