Does MTA-STS work with any TLS certificate?

When implementing Mail Transfer Agent Strict Transport Security (MTA-STS), a common question that comes up is whether it's compatible with any TLS certificate. The short answer is no. MTA-STS has strict requirements for the TLS certificates used by your mail servers, and for good reason. It’s designed to ensure that email is transmitted over an authenticated and encrypted connection, which means using just any certificate won't do.

The certificate must be valid and trusted by a public Certificate Authority (CA). This is a critical piece of the puzzle. An untrusted or self-signed certificate completely undermines the security guarantees that MTA-STS aims to provide.


The requirements for an MTA-STS compliant certificate

MTA-STS is defined in RFC 8461 as a way for mail service providers to declare their ability to receive secure SMTP connections. For this declaration to be trustworthy, the TLS certificate presented by the receiving mail server must meet several criteria:

  • Publicly trusted. The certificate must be issued by a Certificate Authority (CA) that is trusted by major browsers and operating systems. This means you cannot use a self-signed certificate. As one blog notes, MTAs often fall back to insecure connections when they encounter problems such as self-signed certificates, which is precisely the downgrade that MTA-STS is designed to prevent.
  • Valid and not expired. The certificate must be within its validity period. An expired certificate will cause validation to fail, leading to potential delivery issues for senders enforcing MTA-STS.
  • Hostname match. The name on the certificate (either the Common Name or a Subject Alternative Name) must match the hostname of your mail server as listed in your MTA-STS policy file. These hostnames are typically the same ones found in your domain's MX records.

Zimbra Blog (blog.zimbra.com) says:
For example, sometimes the TLS certificate is self-signed or a different DNS name is used for the MX server. Because MTAs fall back to insecure transport, email confidentiality cannot be guaranteed.

Why are the certificate rules so strict?

The primary goal of MTA-STS is to combat downgrade attacks and man-in-the-middle (MITM) attacks. In a downgrade attack, an attacker intercepts the command to start a secure connection (STARTTLS) and forces the communication to proceed over an unencrypted channel. In a MITM attack, an attacker can impersonate your mail server to intercept, read, or modify emails.

Mark Loveless (www.markloveless.net) says:
This has to be set up first, you have to use a public certificate (via Let's Encrypt, which is great), and like I said there is decent documentation, but the documentation and the technology are written by engineers, for engineers.

By requiring a valid, publicly trusted TLS certificate, MTA-STS ensures that the sending server can authenticate the identity of the receiving server. If the certificate is self-signed, expired, or for the wrong domain, the sending server cannot be sure it's talking to the legitimate mail server. It will treat this as a security failure and, depending on the MTA-STS policy mode ('enforce' or 'testing'), may refuse to deliver the email.

Certificates for the policy file itself

It's also important to remember that the MTA-STS policy file itself must be hosted on a web server over HTTPS. This means the web server for the subdomain mta-sts.yourdomain.com also needs a valid, publicly trusted TLS certificate. This is a separate, but equally important, requirement. Without a secure way to fetch the policy, the entire process would be vulnerable from the start.
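The checks described in the requirements list, the enforce/testing decision, and the HTTPS policy location can be put together in a small validator. The code below is an added example, not Suped's code or part of any MTA: it models a certificate in the dictionary layout that Python's ssl.getpeercert() returns, applies the MTA-STS rules (policy mx listing, public issuer approximated as "not self-signed", validity window, hostname match with a leftmost-label wildcard), and reports what a sender would do. The policy text, certificates and clock are constructed sample data; example.com hosts and the "Example Public CA" issuer are placeholders.

```python
"""Added example: evaluate an MX host's certificate against MTA-STS rules.
Certificates are dicts in ssl.getpeercert() layout; all data is constructed."""
import ssl


def policy_url(domain):
    """Senders fetch the policy over HTTPS from the mta-sts subdomain at the
    well-known path defined by RFC 8461, so that host needs a public cert too."""
    return f"https://mta-sts.{domain}/.well-known/mta-sts.txt"


def parse_policy(text):
    """Parse the 'key: value' lines of a policy file; 'mx' may repeat."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def name_matches(pattern, hostname):
    """Match a DNS name against a pattern whose only allowed wildcard is the
    entire leftmost label, covering exactly one label (RFC 6125 style).
    Used for both policy 'mx' patterns and certificate DNS names."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup.example.com"
        head = hostname[: -len(suffix)] if hostname.endswith(suffix) else None
        return bool(head) and "." not in head
    return pattern == hostname


def cert_dns_names(cert):
    """DNS identities: subjectAltName entries, falling back to the Common
    Name only when the certificate carries no DNS subjectAltName."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def is_self_signed(cert):
    """A self-signed certificate names itself as issuer: no public CA vouches for it."""
    return cert.get("issuer") == cert.get("subject")


def check_mx_certificate(policy, mx_host, cert, now):
    """Return the list of MTA-STS problems for this MX host (empty means OK).
    `now` is a Unix timestamp so the result is deterministic."""
    problems = []
    if not any(name_matches(p, mx_host) for p in policy.get("mx", [])):
        problems.append(f"{mx_host} is not listed under mx in the policy")
    if is_self_signed(cert):
        problems.append("certificate is self-signed, not issued by a public CA")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        problems.append("certificate is outside its validity period")
    if not any(name_matches(n, mx_host) for n in cert_dns_names(cert)):
        problems.append(f"no certificate name matches {mx_host}")
    return problems


def delivery_decision(policy, problems):
    """In enforce mode a failed check blocks delivery; in testing mode the
    sender delivers anyway and only treats the failure as reportable."""
    if not problems:
        return "deliver"
    return "refuse" if policy.get("mode") == "enforce" else "deliver"


# Constructed sample policy and certificate summaries (not real data).
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""
GOOD_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.backup.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}
SELF_SIGNED_CERT = dict(GOOD_CERT, issuer=GOOD_CERT["subject"])
NOW = ssl.cert_time_to_seconds("Mar  1 00:00:00 2025 GMT")  # fixed demo clock

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print("policy fetched from", policy_url("example.com"))
    for host, cert in [("mail.example.com", GOOD_CERT),
                       ("mx2.backup.example.com", GOOD_CERT),
                       ("mail.example.com", SELF_SIGNED_CERT),
                       ("smtp.example.net", GOOD_CERT)]:
        problems = check_mx_certificate(policy, host, cert, NOW)
        print(host, "->", delivery_decision(policy, problems), problems)
```

Running it shows the two listed hosts passing, the self-signed certificate refused under enforce mode, and an MX host outside the policy failing both the policy listing and the name match. Switching the sample policy to mode: testing keeps the same problem list but changes the decision to deliver, which is why the page recommends fixing the certificate before moving to enforce.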

URIports Blog (www.uriports.com) says:
Let me try to explain what SMTP MTA Strict Transport Security (SMTP MTA-STS for short) really does and how it does indeed make email a bit more secure. It protects against both passive observers and active attackers-in-the-middle.

In summary, you cannot use just any TLS certificate for MTA-STS. You must use a valid, current certificate from a public Certificate Authority that matches your mail server's hostname. This is not an optional guideline; it is a fundamental requirement for the protocol to provide any meaningful security protection.
