Mail Transfer Agent Strict Transport Security, or MTA-STS, is a security standard designed to protect email in transit. It ensures that when another mail server sends an email to your domain, the connection is encrypted using TLS (Transport Layer Security). This is crucial for preventing what are known as downgrade attacks and man-in-the-middle attacks, where an attacker tries to intercept or spy on emails by forcing an unencrypted connection. The core of MTA-STS is a policy that you publish, telling other servers how to handle emails sent to you. This policy has different modes, with 'enforce' being the most secure.
Your MTA-STS policy can be set to one of three modes: none, testing, or enforce. The none mode essentially opts you out of MTA-STS. The testing mode requests that sending servers still deliver mail even if there are policy issues, but they send you reports about any failures. Finally, enforce mode is where the security benefits truly kick in.
What does 'enforce' mode do?
The enforce mode is the strictest setting for your MTA-STS policy. When your policy is set to enforce, you are instructing sending mail servers that they must use a valid, encrypted TLS connection to deliver email to your domain. If a sending server cannot establish a secure connection that matches your policy's requirements, for any reason, it will not deliver the message. The email will be rejected.
This is a significant change from traditional SMTP, which is opportunistic; it will try to use TLS but will fall back to an unencrypted connection if it fails. With an enforce policy, that fallback option is removed, guaranteeing that inbound email is protected in transit.
The path to enforcement
Given the strictness of the enforce mode, you should never start with it. Doing so could cause legitimate emails to be rejected if your configuration isn't perfect. The recommended approach is to begin with the testing mode.
The testing mode, when combined with TLS-RPT (TLS Reporting), allows you to receive reports on connection issues without risking mail delivery. This gives you the visibility needed to fix problems before switching to enforce. The typical implementation path looks like this:
- Start with 'testing' mode: Publish your MTA-STS policy with the mode set to testing and configure a TLS-RPT record to receive diagnostic reports.
- Monitor reports: Analyze the incoming TLS reports for any connection failures. Common issues include certificate mismatches or problems with older, less secure senders.
- Resolve issues: Work to fix the problems identified in the reports. This might involve updating your SSL/TLS certificates or contacting partners who are having trouble connecting securely.
- Switch to 'enforce': Once you are confident from the reports that all legitimate mail is being delivered over a secure connection, you can safely update your policy mode to enforce.
Why is 'enforce' mode important?
The enforce mode is the entire point of MTA-STS. While the testing phase is a critical and necessary step for diagnostics, it offers no real protection. Only when you switch to enforce do you close the security loopholes that allow for downgrade and man-in-the-middle attacks. It is a clear declaration that your organization prioritizes secure email communication.
In short, moving to enforce is the final and most important step in implementing MTA-STS. It hardens your email security posture and ensures that emails sent to your users are protected from snooping and tampering while in transit. When used alongside other standards like DMARC, SPF, and DKIM, it creates a robust defense for your entire email ecosystem.
