MTA-STS addresses a long-standing weakness of email transport: STARTTLS is opportunistic. A sending server falls back to cleartext if the receiving server does not offer TLS, and it does not check the receiving server's certificate. An attacker positioned between the two servers (Man-in-the-Middle, MitM) could therefore strip the STARTTLS offer or present a forged certificate, and then read or alter messages in transit.
MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) is a protocol for securing email transmission with Transport Layer Security (TLS). It lets a sending mail server discover the transport-security policy of the recipient domain and refuse to deliver over a connection that does not meet it. By implementing MTA-STS, email service providers help prevent eavesdropping on and tampering with email messages in transit, and ensure that messages are handed only to the recipient domain's legitimate mail servers.
Here's how it works: MTA-STS improves the security of email transport by giving the sending Mail Transfer Agent (MTA) a way to discover and enforce the transport-layer security policy of the email's recipient domain.
MTA-STS employs existing technologies that most organizations already operate: SMTP with STARTTLS, HTTPS, and DNS. Implementing MTA-STS on the recipient's end therefore requires no new software, only a DNS TXT record and a static text file served over HTTPS. (Enforcing a policy when sending does require a sending MTA that supports MTA-STS; the large providers do.)
Deploying it on your own domain is straightforward and takes three steps.
1/ Create the TLS reporting (TLS-RPT, RFC 8460) record. It is a TXT record at _smtp._tls.yourdomain.com whose value starts with v=TLSRPTv1 and names, in its rua field, the address that will receive the reports :
This record lets you receive reports in JSON format (sent by email, compressed) from Google and Microsoft that tell you how many emails sent to your domain were, or were not, delivered over TLS, and why a TLS session failed. These reports confirm that your email servers are properly configured to accept secure email communications, and they are the only way to see failures before you move a policy to enforce mode, so publish this record first. Note that at the time of writing, only Google and Microsoft send such reports.
2/ Create the MTA-STS discovery record. It is a TXT record at _mta-sts.yourdomain.com with the value v=STSv1 and an id, which tells the email servers that send to your domain that you have implemented an MTA-STS policy. This helps ensure that all email communications with your domain are conducted securely :
The id must be unique for each version of the policy (1 to 32 alphanumeric characters) and must be changed every time the MTA-STS policy file is changed. Sending servers cache your policy for the max_age it declares and only fetch it again when they see a different id in DNS, so forgetting to update the id means your new policy is not picked up. A good practice is to set the id to the date and time at which the policy was last updated, for example 20230115120000.
3/ Publish the MTA-STS policy you want to use at the path /.well-known/mta-sts.txt on an HTTPS service with the hostname "mta-sts.yourdomain.com". The certificate of that HTTPS service must be valid for mta-sts.yourdomain.com and chain to a publicly trusted CA, because sending servers validate it and will ignore a policy served with an invalid certificate:
For example, the one from dmarc.fr is there: https://mta-sts.dmarc.fr/.well-known/mta-sts.txt
The above policy is in enforce mode: all emails sent to dmarc.fr email addresses must be delivered over a TLS connection. Its mx field specifies that the hostnames of the dmarc.fr mail servers (the targets of the domain's MX records) must match the pattern "*.mail.protection.outlook.com", and that the certificate presented by such a server must be valid for that hostname. More information on how to configure this policy can be found at the following link: https://support.google.com/a/answer/9276511
When a mail server that supports MTA-STS attempts to send an email to dmarc.fr, it checks that the MX hostname it is about to connect to matches the policy, that the SMTP connection is upgraded with STARTTLS, and that the certificate presented is trusted and valid for that MX hostname. If any check fails in enforce mode, the message is not sent in cleartext: it stays queued and is retried, and the failure is reported through TLS-RPT. A failure means either that an attacker may be interfering with the communication between the two email servers, which is exactly what the policy is meant to prevent, or that your own MX or certificate is misconfigured; for that reason, start with mode: testing and a short max_age, watch the TLS reports, then switch to enforce. While this might seem like overkill, it provides an additional layer of security against man-in-the-middle attacks on the email communications between your domain and other domains. Additionally, it is relatively easy to configure, so it is recommended to implement this policy.
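To make the three records and the sender-side checks concrete, here is an added example in Python; it is not code from dmarc.fr or from any MTA. It embeds constructed sample values for a hypothetical domain, example.com (the TLS-RPT record, the _mta-sts TXT record and the policy file; the mx pattern mirrors the Microsoft 365 pattern discussed above), and implements what a sending MTA does with them: parse the TXT record and the policy, decide whether a cached policy must be refetched when the id changes, match the recipient's MX hostname against the mx patterns (a leading `*` matches exactly one label), and decide whether delivery is allowed in enforce versus testing mode. The STARTTLS and certificate results are passed in as booleans, since the real TLS handshake is outside the example.

```python
"""Added example: what a sending MTA does with a recipient's MTA-STS records.

The sample values below are constructed for the hypothetical domain
example.com; they are not dmarc.fr's real records.
"""
import re

# Step 1: TLS-RPT record, published as TXT at _smtp._tls.example.com.
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"
# Step 2: MTA-STS discovery record, published as TXT at _mta-sts.example.com.
MTA_STS_TXT = "v=STSv1; id=20230115120000"
# Step 3: policy served at https://mta-sts.example.com/.well-known/mta-sts.txt
MTA_STS_POLICY = """version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
max_age: 604800
"""


def parse_tag_value(txt):
    """Split a 'k=v; k=v' TXT record (TLS-RPT or MTA-STS) into a dict."""
    fields = {}
    for part in txt.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def parse_sts_txt(txt):
    """Validate the _mta-sts TXT record: v=STSv1 plus a 1-32 char alphanumeric id."""
    fields = parse_tag_value(txt)
    if fields.get("v") != "STSv1":
        raise ValueError("not an MTA-STS record")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1 to 32 alphanumeric characters")
    return fields


def needs_refresh(cached_id, txt):
    """A sender keeps a policy for max_age seconds and only refetches it over
    HTTPS when the id it sees in DNS differs from the cached one."""
    return parse_sts_txt(txt)["id"] != cached_id


def parse_policy(text):
    """Parse the mta-sts.txt body ('key: value' lines; mx may repeat)."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    policy["max_age"] = int(policy.get("max_age", "0"))
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("an enforce/testing policy needs at least one mx entry")
    return policy


def mx_matches(policy, mx_host):
    """True if the MX hostname is allowed by the policy.  A leading '*' matches
    exactly one label: *.example.com matches mx1.example.com but neither
    example.com nor a.b.example.com."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy, mx_host, starttls_ok, cert_valid_for_mx):
    """Decide whether the sender may hand the message to mx_host.
    starttls_ok: STARTTLS was offered and the handshake succeeded.
    cert_valid_for_mx: the certificate chains to a trusted CA and its name
    matches mx_host.  Returns (deliver, reason)."""
    if policy["mode"] == "none":
        return True, "mode none: no requirement"
    problems = []
    if not mx_matches(policy, mx_host):
        problems.append("MX host not in policy")
    if not starttls_ok:
        problems.append("no STARTTLS")
    elif not cert_valid_for_mx:
        problems.append("certificate does not validate for MX host")
    if not problems:
        return True, "policy satisfied"
    reason = ", ".join(problems)
    if policy["mode"] == "testing":
        return True, "testing mode: delivered anyway, failure reported via TLS-RPT (" + reason + ")"
    return False, "enforce mode: delivery refused, message stays queued (" + reason + ")"


if __name__ == "__main__":
    pol = parse_policy(MTA_STS_POLICY)
    print(needs_refresh("20230101000000", MTA_STS_TXT))
    print(delivery_decision(pol, "example-com.mail.protection.outlook.com", True, True))
    print(delivery_decision(pol, "mx.attacker.example", True, True))
```

Run it as a script to see the decisions for a legitimate Microsoft 365 MX host and for an MX host an attacker might inject through DNS spoofing: with mode: enforce the second one is refused, with mode: testing it would be delivered and only reported, which is why testing mode is the right first step and enforce the goal.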
Our experts will help you deploy MTA-STS by providing guidance on configuring your mail servers and DNS records to support the protocol. They will also assist in testing and troubleshooting the implementation, ensuring that your email transmission is secure and that messages are delivered only to legitimate recipients. Additionally, they will provide support in ensuring your compliance with any relevant industry standards or regulatory requirements related to email security.
© 2017 - 2023 DMARC.FR
This site, hosted by Strikingly, is published by the company Oppidum Sécurité informatique, registered in the Nanterre Trade and Companies Register under number 828 287 144 00020, whose registered office is at 110 Esplanade du Général de Gaulle, Courbevoie, Ile-de-France 92400, France, and whose VAT number is FR28 828287144. - Tel: 07 72 77 88 34 - E-mail: firstname.lastname@example.org - The site's publication director is the President of Oppidum Sécurité Informatique: Mr Fabien Soulis