MTA-STS
What is MTA-STS?
MTA-STS stands for “Mail Transfer Agent – Strict Transport Security” and is a protocol intended to ensure that email is only transmitted over an encrypted transport. The standard is defined in RFC 8461.
How does it work?
Communication takes place between the mail servers. The admin of the receiving mail server publishes a DNS record that tells sending mail servers that the domain supports TLS. The sending mail server can then retrieve the MTA-STS policy via HTTPS. It caches the policy for a predefined period and from that point on delivers mail to that domain only via TLS.
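As an added illustration (not code from the original page or from the secumail FAQ), the following Python parses a constructed policy body of the kind a sending server fetches over HTTPS and applies the two checks a sender then makes: does the MX host match the policy, and may delivery proceed in enforce mode? SAMPLE_POLICY, the function names and the tls_ok flag are assumptions of this example.

```python
# Constructed sample policy body, in the format a sending server fetches over HTTPS (RFC 8461).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""

def parse_policy(text: str) -> dict:
    """Parse a policy body into {'mode', 'max_age', 'mx'}; reject malformed input."""
    fields, mx = {}, []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value  # unknown keys are parsed but ignored
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if fields.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if not fields.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer")
    return {"mode": fields["mode"], "max_age": int(fields["max_age"]), "mx": mx}

def mx_allowed(policy: dict, mx_host: str) -> bool:
    """True if the MX hostname matches a policy mx pattern. A leading '*.'
    matches exactly one DNS label, so deeper subdomains do not match."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False

def may_deliver(policy: dict, mx_host: str, tls_ok: bool) -> bool:
    """Per-MX decision: in enforce mode an MX outside the policy, or a TLS session
    that did not validate (tls_ok False, an assumed flag), must not be used."""
    if policy["mode"] != "enforce":
        return True
    return tls_ok and mx_allowed(policy, mx_host)
```

In testing mode the sender still delivers but should report the mismatch; only enforce mode blocks delivery.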
How do you set up the corresponding DNS record?
For more information and instructions on how to set the corresponding DNS record, please refer to our FAQs: https://www.secumail.de/f-a-q/#1622448146751-b894ddee-c50f
Why do we need it?
There are already several approaches to the ongoing process of making email communication more secure. So why do we need another technology?
MTA-STS complements STARTTLS to further increase security and prevent man-in-the-middle attacks. In combination with DANE and DNSSEC, the security level of your own DNS infrastructure and of your mail traffic can be improved. Since DANE is not yet widely used (many domains cannot yet be resolved with DNSSEC), MTA-STS serves as a kind of interim solution and can be used for your own DNS zone even without DANE.