MTA-STS (SMTP MTA Strict Transport Security, defined in RFC 8461) is an email security standard designed to protect email in transit. Its primary function is to let a receiving domain declare that sending mail servers must deliver to it over an encrypted TLS (Transport Layer Security) connection with a validated certificate, instead of silently falling back to cleartext when STARTTLS is unavailable or is stripped by an attacker.
The protocol works by allowing a domain to publish a policy that outlines its security requirements. The policy is a small plain-text file served over HTTPS, and the key-value pairs within it tell sending servers how to behave when delivering mail to your domain. One of the most important of these is the mx field.
Before we dive into the mx field specifically, it helps to understand the other parts of the policy file. The file, named mta-sts.txt, is hosted at https://mta-sts.<your-domain>/.well-known/mta-sts.txt (a TXT record at _mta-sts.<your-domain> tells senders that a policy exists and carries an id that changes whenever the policy does). The main directives are version (always STSv1), mode (enforce, testing or none), mx (one line per permitted mail server hostname or pattern) and max_age (how long, in seconds, a sender may cache the policy).
The mx field is the heart of the MTA-STS policy. Its job is to provide an explicit allowlist of the mail servers that are permitted to receive email for your domain. When a sending mail server retrieves your MTA-STS policy, it compares each MX hostname it learned from DNS against this list, and only a hostname that matches one of the entries is a legitimate delivery target.
Each mx entry in the policy file is written on its own line as mx: hostname and represents a hostname pattern: either an exact hostname (mail.example.com) or a wildcard (*.example.com). A wildcard matches exactly one leftmost label, so *.example.com matches mail.example.com but not example.com or a.mail.example.com. You must list every MX host for your domain; an MX host that does not match any entry will be treated as invalid by senders that enforce the policy, even if it supports TLS.
Crucially, this check is tied directly to the server's TLS certificate. As explained by LuxSci, the name specified in the mx field must match the name in the server's X.509 certificate: the sender validates the certificate against the MX hostname (which in turn has to match an mx pattern), and the certificate must chain to a root the sender trusts. If either check fails and the policy mode is set to enforce, the sending server will refuse to deliver to that host (in testing mode it still delivers, and reports the failure via TLS-RPT if you have enabled it). This validation is what prevents a MitM attacker from redirecting your email traffic to a malicious server: a forged MX record points at a hostname that does not match your policy, and an on-path attacker impersonating your real MX hostname won't have a valid TLS certificate for it. Bear in mind that the protection only applies once a sender has fetched your policy over HTTPS and cached it; the policy is then reused for up to max_age seconds, so a sender that has never seen your domain before is not yet protected on its first delivery.
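As an added example (not code from the original page or from LuxSci), the following Python models the sender-side checks described above: it parses a constructed mta-sts.txt, applies the one-label wildcard rule to each mx pattern, checks the names in the certificate each MX host presents, and shows how enforce and testing mode treat a failing host. The hostnames, the DNS MX answer and the certificate SAN lists are all constructed for illustration; a real MTA performs the certificate validation in its TLS stack rather than on a list of names.

```python
from dataclasses import dataclass

# Constructed sample policy in mta-sts.txt format (placeholder hostnames).
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


@dataclass
class Policy:
    version: str
    mode: str
    mx: list
    max_age: int


def parse_policy(text):
    """Parse an MTA-STS policy: one 'key: value' per line, mx may repeat."""
    fields, mx = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value  # unknown keys are tolerated and ignored
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not mx and mode != "none":
        raise ValueError("at least one mx entry is required")
    if "max_age" not in fields:
        raise ValueError("max_age is required")
    return Policy(fields["version"], mode, mx, int(fields["max_age"]))


def host_matches_pattern(hostname, pattern):
    """RFC 8461 mx matching: a leading '*' matches exactly one DNS label.
    The same single-label rule is applied to wildcard certificate names."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".backup.example.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return hostname == pattern


def evaluate_mx(policy, mx_hostname, cert_dns_names, chain_trusted=True):
    """Return (ok, reason) for one MX host the sender is about to use."""
    if not any(host_matches_pattern(mx_hostname, p) for p in policy.mx):
        return False, f"{mx_hostname} is not listed in the policy mx entries"
    if not chain_trusted:
        return False, "certificate does not chain to a trusted root"
    if not any(host_matches_pattern(mx_hostname, n) for n in cert_dns_names):
        return False, f"certificate names {cert_dns_names} do not cover {mx_hostname}"
    return True, "mx pattern and certificate both match"


def choose_delivery_hosts(policy, dns_mx_hosts, certs):
    """Pick delivery hosts from the DNS MX answer given the names each
    host's certificate carries. In enforce mode a failing host is skipped;
    in testing (or none) mode it is still used and the failure is only
    recorded for reporting. Returns (hosts, failures)."""
    hosts, failures = [], []
    for host in dns_mx_hosts:
        ok, reason = evaluate_mx(policy, host, certs.get(host, []))
        if ok or policy.mode != "enforce":
            hosts.append(host)
        if not ok:
            failures.append((host, reason))
    return hosts, failures


# Constructed scenario: DNS returns three MX hosts; the third was injected by
# an attacker who controls DNS but holds no certificate for an approved name.
DNS_MX = ["mail.example.com", "mx1.backup.example.com", "evil.attacker.test"]
PRESENTED_CERT_NAMES = {
    "mail.example.com": ["mail.example.com"],
    "mx1.backup.example.com": ["*.backup.example.com"],
    "evil.attacker.test": ["evil.attacker.test"],  # valid cert, wrong name
}

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    hosts, failures = choose_delivery_hosts(policy, DNS_MX, PRESENTED_CERT_NAMES)
    print("enforce mode delivers to:", hosts)
    for host, reason in failures:
        print("rejected:", host, "-", reason)
    # On-path attacker impersonating the real MX hostname with its own cert.
    print(evaluate_mx(policy, "mail.example.com", ["attacker.test"]))
```

The two failure paths map onto the two attacks the mx field defends against: the injected MX host fails the pattern check before any TLS detail is considered, and the impersonated real host fails the certificate-name check even though its hostname is approved.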
In summary, the mx field is the enforcement component of your MTA-STS policy, ensuring that encrypted connections are made only to the legitimate, authorized mail servers you operate.