
What Is MTA-STS and Why It Matters

How MTA-STS protects your inbound email from SMTP downgrade attacks. Includes deployment steps, testing mode, and common errors to avoid.

January 27, 2026

MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security standard that ensures inbound email is delivered over encrypted TLS connections. It's the email equivalent of HSTS for websites — it tells senders "you must use encryption when delivering mail to us."

The problem MTA-STS solves

SMTP was designed without encryption. STARTTLS was added later as an opportunistic upgrade — if both servers support it, they'll use it, but if anything goes wrong, they fall back to plaintext.

This creates a vulnerability: an attacker on the network path between two mail servers can remove the STARTTLS capability from the receiver's EHLO response, or otherwise tamper with the STARTTLS exchange, so that encryption is never negotiated (a "downgrade attack"). The sending server concludes that the receiver doesn't support TLS and sends the email in plaintext, where the attacker can read it.

MTA-STS fixes this by publishing a policy that says "we definitely support TLS, and you should refuse to deliver if you can't negotiate it."

How MTA-STS works

MTA-STS has two components:

  1. DNS TXT record at _mta-sts.yourdomain.com that signals the policy exists and includes a version ID
  2. Policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt that specifies the policy mode and authorized MX servers

When a sending server is about to deliver email to your domain, it checks for the DNS TXT record. If present, it fetches the policy file over HTTPS (which itself can't be downgraded). The policy tells the sender which MX servers to deliver to and whether TLS is required.

Deployment steps

Step 1: Set up the policy file

Create and host the policy file. Start with testing mode:

version: STSv1
mode: testing
mx: mail.yourdomain.com
mx: *.yourdomain.com
max_age: 86400

Host this at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. The subdomain must be served over HTTPS with a valid certificate from a publicly trusted CA, since senders will refuse a policy they can't fetch securely.

Step 2: Add the DNS record

_mta-sts.yourdomain.com TXT "v=STSv1; id=20260127001"

The id is a version identifier. Change it whenever you update the policy file to signal senders to re-fetch the policy.

Step 3: Set up TLS-RPT

Add TLS reporting so you can see if there are any issues:

_smtp._tls.yourdomain.com TXT "v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com"

Step 4: Monitor and switch to enforce

After 2-4 weeks of monitoring TLS-RPT reports with no legitimate failures, change the policy to mode: enforce and update the DNS record id.

Common mistakes

  • Forgetting to update the id: Senders cache the policy. If you update the policy file but not the DNS id, senders won't re-fetch it.
  • MX mismatch: The mx: lines in your policy must match your actual MX records. If they don't match, delivery fails in enforce mode.
  • Expired SSL on mta-sts subdomain: The policy is fetched over HTTPS. If the certificate expires, senders can't fetch the policy.
  • Skipping testing mode: Always start with mode: testing to catch issues before they affect delivery.
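The policy and TXT record formats from the deployment steps above, and the MX mismatch check from the list of common mistakes, as an added Python example (not code from the article): it parses a _mta-sts TXT value and an mta-sts.txt body, validates the fields, and reports which of your MX hosts no mx: line covers. The sample record, policy and MX host names are constructed to match the article's examples.

```python
MODES = {"none", "testing", "enforce"}

# Constructed samples mirroring the article's deployment steps (nothing is fetched).
SAMPLE_TXT = "v=STSv1; id=20260127001"
SAMPLE_POLICY = "version: STSv1\nmode: testing\nmx: mail.yourdomain.com\nmx: *.yourdomain.com\nmax_age: 86400\n"

def parse_sts_txt(txt):
    """Return the policy id from a '_mta-sts' TXT value such as 'v=STSv1; id=...'."""
    pairs = (p.partition("=") for p in txt.split(";") if p.strip())
    fields = {k.strip(): v.strip() for k, _, v in pairs}
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid MTA-STS TXT record")
    return fields["id"]

def parse_policy(text):
    """Parse an mta-sts.txt body into a dict; 'mx' collects every mx: line (lower-cased)."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    if policy.get("mode") not in MODES:
        raise ValueError("mode must be none, testing or enforce")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be an integer number of seconds")
    policy["max_age"] = int(policy["max_age"])  # how long senders may cache the policy
    return policy

def mx_matches(pattern, host):
    """A leading '*.' wildcard covers exactly one leftmost label (RFC 8461 matching)."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".yourdomain.com"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return host == pattern

def uncovered_mx(policy, mx_hosts):
    """MX hosts no mx: line covers; any result means enforce mode would break delivery."""
    return [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy["mx"])]
```

Run uncovered_mx(parse_policy(SAMPLE_POLICY), [...]) against the hostnames from your real MX records before switching to enforce; an empty list means the policy covers every MX.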