Suped

What is the 'mx' field in an MTA-STS policy used for?

MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security standard designed to protect email in transit. Its primary function is to ensure that when mail servers exchange emails, they do so over an encrypted connection, specifically using TLS (Transport Layer Security).

justinverstijnen.nl says:
It's designed to prevent man-in-the-middle (MitM) attacks, ensuring email servers cannot be tricked into falling back to insecure delivery. This protection is critical for stopping attackers from intercepting or altering emails between servers.

The protocol works by allowing a domain to publish a policy that outlines its security requirements. This policy is a simple text file, and within it, several key-value pairs define how sending servers should behave when delivering mail to your domain. One of the most important of these is the mx field.


The MTA-STS policy file

Before we dive into the mx field specifically, it helps to understand the other parts of the policy file. This file, named mta-sts.txt, is hosted on a specific subdomain and contains directives that control the policy's behavior. The main directives are:

  • version: Identifies the protocol version, which must be STSv1.
  • mode: Determines the policy's action. It can be enforce (block non-compliant mail), testing (report only), or none (disable MTA-STS).
  • max_age: Specifies how long (in seconds) a sending server should cache the policy.
  • mx: The list of authorized mail servers for your domain.

The role of the 'mx' field

The mx field is the heart of the MTA-STS policy. Its job is to provide an explicit whitelist of the mail servers that are permitted to receive email for your domain. When a sending mail server retrieves your MTA-STS policy, it checks this list to validate the identity of the server it's connecting to.

Mailmodo says:
MX: This field lists the recipient's mail exchange servers that support MTA-STS. Multiple MX fields can be specified in the policy and each MX pattern is checked against the hostname of the receiving server.

Each mx entry in the policy file is a hostname pattern. You can specify exact hostnames or use a wildcard (for example, *.example.com) to match a group of servers. Every inbound mail gateway that supports TLS must appear in this list; a gateway that is missing will be rejected by senders once the policy is in enforce mode.

Crucially, this check is tied directly to the server's TLS certificate. As explained by LuxSci, the domain name specified in the mx field must match the name provided in the server's X.509 certificate. If there is a mismatch, and the policy mode is set to enforce, the sending server will refuse to deliver the email. This validation is what prevents a MitM attacker from redirecting your email traffic to a malicious server, because that server won't have a valid TLS certificate for your approved MX hostname.
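To make the directive checks and the mx matching concrete, here is an added Python example (not code from Suped or any of the sources quoted above) that parses a constructed mta-sts.txt, validates the version, mode and max_age directives, and matches a connecting MX hostname against the mx patterns. It applies the single-label wildcard rule from RFC 8461 (*.example.com matches mx1.example.com but not a.b.example.com or example.com), and it leaves out the TLS certificate comparison, which a real sending server performs as a separate step.

```python
# Constructed sample policy text, in the format of an mta-sts.txt file.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""

def parse_policy(text):
    """Parse mta-sts.txt key/value lines; 'mx' may repeat, so collect a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    # Reject policies missing a mandatory directive or carrying an unknown value.
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid or missing mode")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be an integer number of seconds")
    policy["max_age"] = int(policy["max_age"])
    return policy

def mx_matches(pattern, hostname):
    """'*.' matches exactly one leftmost label, as RFC 8461 specifies."""
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup.example.com"
        return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]
    return hostname == pattern

def delivery_allowed(policy, mx_hostname):
    """Return (allowed, reason); in enforce mode a non-matching MX blocks delivery."""
    if any(mx_matches(p, mx_hostname) for p in policy["mx"]):
        return True, "hostname matches an mx pattern"
    if policy["mode"] == "enforce":
        return False, "no mx pattern matches; enforce mode refuses delivery"
    return True, "no mx pattern matches; %s mode only reports" % policy["mode"]
```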

In summary, the mx field is the enforcement component of your MTA-STS policy, ensuring that encrypted connections are made only to the legitimate, authorized mail servers you operate.
