Email Security

MTA-STS Policy Server


This subdomain hosts the MTA-STS email security policy for st-johns-knaphill.surrey.sch.uk, requiring sending mail servers to deliver email using encrypted TLS connections and validated mail servers.

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security standard defined in RFC 8461. It allows organisations to publish a policy stating that email must be delivered using TLS encryption and only to authorised mail servers. If these conditions cannot be met, compliant sending servers will defer or refuse delivery.

Why does it matter?

Emails sent between mail servers typically use opportunistic TLS encryption, meaning encryption is attempted but not strictly required. However, attackers can exploit weaknesses such as STARTTLS downgrade attacks or MX record manipulation to force messages to be sent in plain text or redirected to malicious servers.

MTA-STS mitigates these risks by publishing a policy that requires sending mail servers to:

This helps prevent downgrade attacks and reduces the risk of man-in-the-middle interception of email traffic.

MTA-STS complements other email security technologies such as SPF, DKIM and DMARC, which protect sender authenticity and guard against domain spoofing, by securing the transport layer used to deliver email.

Policy File

https://mta-sts.st-johns-knaphill.surrey.sch.uk/.well-known/mta-sts.txt
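
How a compliant sending server applies a policy file of this kind, as an added example that is not code from this site or from RFC 8461: it parses and validates the policy, then checks each MX candidate against the mx patterns and the TLS result. The policy text, the hostnames and the function names are constructed for illustration; tls_cert_valid stands for the caller's own STARTTLS and certificate check.

```python
# Added example: evaluate an MTA-STS policy (RFC 8461) as a sending MTA would.
# SAMPLE_POLICY and every hostname are constructed, not this site's real policy.
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mail.example.org\r\n"
    "mx: *.mx.example.org\r\n"
    "max_age: 604800\r\n"
)
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound, in seconds


def parse_policy(text):
    """Return the validated policy as a dict, or raise ValueError."""
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key not in policy:  # duplicates of other keys: first one wins
            policy[key] = value
    age = policy.get("max_age", "")
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid or missing mode")
    if not (age.isascii() and age.isdigit()) or int(age) > MAX_AGE_LIMIT:
        raise ValueError("invalid or missing max_age")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy must list at least one mx")
    policy["max_age"] = int(age)
    return policy


def mx_allowed(mx_host, patterns):
    """True if mx_host matches a pattern; '*' covers exactly one left-most label."""
    host = mx_host.lower().rstrip(".")
    parent = host.partition(".")[2]
    return any(parent == p[2:] if p.startswith("*.") else host == p for p in patterns)


def delivery_decision(policy, mx_host, tls_cert_valid):
    """Outcome for one MX candidate; tls_cert_valid is the caller's TLS check result."""
    if policy["mode"] == "none" or (tls_cert_valid and mx_allowed(mx_host, policy["mx"])):
        return "deliver"
    return "skip-mx" if policy["mode"] == "enforce" else "deliver-and-report"
```

In enforce mode a candidate that returns "skip-mx" is not used; if no candidate passes, the message is deferred rather than sent without protection.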

Organisation Website

st-johns-knaphill.surrey.sch.uk

Further Reading

st-johns-knaphill.surrey.sch.uk