The short answer is that Mail Transfer Agent Strict Transport Security (MTA-STS) is a standard designed to protect inbound email. As a domain owner, you publish an MTA-STS policy to tell other mail servers how they should securely deliver mail to your domain.
However, for this system to work, sending mail servers must be able to check for and respect these policies when they send outbound mail. So, while the policy you configure applies to your inbound mail flow, it directly impacts the behavior of outbound mail servers sending to you.
MTA-STS is fundamentally a protection mechanism for receiving domains. Its main purpose is to prevent man-in-the-middle (MITM) and downgrade attacks. SMTP encryption is normally opportunistic: a sending server offers STARTTLS and falls back to plaintext if the offer is not accepted. In a downgrade attack, an attacker positioned between two mail servers strips or tampers with that STARTTLS negotiation so the session falls back to an unencrypted connection, allowing the attacker to read or modify the email.
You, as the owner of a domain, can publish a policy that declares you only accept email over a secure, encrypted Transport Layer Security (TLS) connection. You do this by creating a specific DNS TXT record for your domain and hosting a small policy file on a web server reachable over HTTPS (the policy lists your mail servers and the mode, such as enforce or testing). When a sending server that supports MTA-STS wants to email your domain, it will look up your policy. If your policy is set to enforce, the sending server knows it must establish a valid TLS connection, meaning one to a mail server named in your policy with a certificate that validates. If it cannot, it will not deliver the email, thus preventing a potential interception.
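To make the sending-side check concrete, here is an added example (not code from the original answer) of a minimal MTA-STS policy evaluator modelled on RFC 8461. It parses the DNS TXT record and the policy file a sending server would fetch, then applies the enforce/testing decision; the DNS and HTTPS lookups are replaced by constructed sample records for a hypothetical domain so it runs offline.

```python
# Added example (not the original answer's code): a minimal MTA-STS policy
# evaluator after RFC 8461, with constructed inputs replacing DNS/HTTPS fetches.
# Constructed sample records for a hypothetical domain.
SAMPLE_TXT_RECORD = "v=STSv1; id=20240101T000000Z"
SAMPLE_POLICY_FILE = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""

def parse_txt_record(txt: str) -> str:
    """Return the policy id from the '_mta-sts.<domain>' TXT record."""
    fields = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    if fields.get("v") != "STSv1":
        raise ValueError("not an MTA-STS TXT record")
    return fields["id"]

def parse_policy(text: str) -> dict:
    """Parse the /.well-known/mta-sts.txt body into a policy dict."""
    policy = {"mode": "none", "mx": [], "max_age": 0}
    for line in filter(str.strip, text.splitlines()):
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "version" and value != "STSv1":
            raise ValueError("unsupported policy version")
        elif key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
        elif key == "mode":
            policy["mode"] = value
    return policy

def mx_allowed(policy: dict, mx_host: str) -> bool:
    """RFC 8461 matching: '*.example.com' covers exactly one extra label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]                      # e.g. ".backup.example.com"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False

def may_deliver(policy: dict, mx_host: str, tls_validated: bool) -> bool:
    """Enforce mode blocks on MX mismatch or TLS failure; other modes still deliver."""
    return (mx_allowed(policy, mx_host) and tls_validated) or policy["mode"] != "enforce"
```

A real sending MTA would also cache the policy for `max_age` seconds and refetch when the TXT record's `id` changes; that refresh logic is left out here.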
This is where the outbound side of the equation comes in. An MTA-STS policy is useless unless sending mail servers, known as Mail Transfer Agents (MTAs), actually check for it. When an MTA sends an email, it's acting as an outbound server.
Major email providers like Google and Microsoft have implemented MTA-STS support in their platforms. This means when you send an email from Gmail or Office 365, their servers will check the recipient's domain for an MTA-STS policy before sending your outbound message. As Cybersecurity World notes, Office 365 supports MTA-STS for both incoming and outgoing emails, though the protection for your own domain's incoming mail must be configured manually.
So, to put it simply:
MTA-STS is a policy that applies to inbound mail. It’s a declaration you make to the world about how you want to receive email. However, its effectiveness relies entirely on the cooperation of outbound mail servers that honor these declarations. Think of it like putting a special lock on your mailbox; it only works if the mail carrier has the right key and knows to use it. In this analogy, MTA-STS is the lock you install for inbound mail, and the outbound mail carrier is the one who has to use it.