Mail Transfer Agent Strict Transport Security (MTA-STS) is a crucial standard for enhancing email security. It ensures that emails sent between mail servers are encrypted, protecting them from eavesdropping and tampering. The entire process begins with a specific DNS record: the _mta-sts subdomain.
The purpose of the _mta-sts DNS record is to signal that your domain has an MTA-STS policy. It's the first step in the discovery process, telling sending mail servers where to find the rules for securely delivering email to you.
Historically, SMTP, the protocol used to send email, did not enforce encryption. While most email is sent over an encrypted channel using TLS today, a vulnerability known as a "downgrade attack" still exists. An attacker positioned between two mail servers (a man-in-the-middle attack) could intercept the connection and strip away the TLS encryption, forcing the email to be sent in plaintext. This would allow them to read or alter the email's contents without the sender or receiver knowing.
MTA-STS solves this by allowing a domain to publish a policy that requires sending servers to use a secure, authenticated TLS connection. If a secure connection cannot be established, the email is not delivered, preventing the attack.
For MTA-STS to work, sending mail servers need a way to find a domain's policy. This is where the _mta-sts DNS record comes in. The entire mechanism involves two key DNS records and a publicly hosted policy file.
In essence, the _mta-sts record is the signpost. It doesn't give the directions, but it tells travelers where to find the map.
A closely related standard is TLS Reporting (TLS-RPT). While MTA-STS enforces your policy, TLS-RPT provides feedback. By creating another TXT record at _smtp._tls.yourdomain.com, you can specify an email address to receive reports from sending servers about TLS connection successes and failures. These reports are invaluable for diagnosing configuration issues with your MTA-STS policy.
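The discovery and enforcement flow described above (the `_mta-sts` TXT record pointing at a policy, the policy listing permitted MX hosts, and the `_smtp._tls` TLS-RPT record naming a report address) can be modelled in a few functions. The block below is an added example written for this page, not code from any real MTA or from the standard's authors; the domain `example.com`, the record contents and the policy text are constructed sample input, no DNS or HTTPS lookups are performed, and the delivery decision follows RFC 8461's rule that an `enforce` policy blocks delivery on a violation while a `testing` policy lets mail through and only reports the failure.

```python
"""Toy MTA-STS record/policy parser and delivery-decision helper.
Added example (hypothetical code, not from any real MTA). All records
below are constructed sample input for the made-up domain example.com."""
from dataclasses import dataclass

# Constructed sample records: what a sender would fetch for example.com.
MTA_STS_TXT = "v=STSv1; id=20240101T000000;"          # _mta-sts.example.com TXT
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"  # _smtp._tls TXT
POLICY_FILE = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""  # served at https://mta-sts.example.com/.well-known/mta-sts.txt


def parse_tag_value(record: str) -> dict:
    """Parse the 'k=v; k=v' shape shared by MTA-STS and TLS-RPT TXT records."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def parse_mta_sts_txt(record: str) -> dict:
    """The _mta-sts record only signals that a policy exists and carries an id
    that changes whenever the policy file changes (so senders refetch it)."""
    tags = parse_tag_value(record)
    if tags.get("v") != "STSv1" or not tags.get("id"):
        raise ValueError("not a valid MTA-STS TXT record")
    return tags


def parse_tlsrpt_txt(record: str) -> list:
    """Return the report destinations (rua=) named in a TLS-RPT record."""
    tags = parse_tag_value(record)
    if tags.get("v") != "TLSRPTv1" or not tags.get("rua"):
        raise ValueError("not a valid TLS-RPT TXT record")
    return [u.strip() for u in tags["rua"].split(",")]


@dataclass
class Policy:
    mode: str
    mx: list
    max_age: int


def parse_policy(text: str) -> Policy:
    """Parse the policy file: 'key: value' lines, 'mx' may repeat."""
    fields, mx = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError("unknown mode")
    if mode != "none" and not mx:
        raise ValueError("policy needs at least one mx entry")
    return Policy(mode, mx, int(fields["max_age"]))


def mx_matches(pattern: str, host: str) -> bool:
    """An 'mx' entry matches exactly, or a leading '*.' matches exactly one
    leftmost label (RFC 8461 wildcard rule)."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return host == pattern


def delivery_decision(policy: Policy, mx_host: str, tls_ok: bool) -> tuple:
    """Decide whether a sender may deliver to mx_host given the policy and
    whether a certificate-validated TLS session was established.
    Returns (action, reason): 'defer' blocks delivery under enforce mode,
    while testing/none modes deliver anyway and leave the failure to TLS-RPT."""
    if policy.mode == "none":
        return ("deliver", "no-policy")
    if not any(mx_matches(p, mx_host) for p in policy.mx):
        violation = "mx-mismatch"      # host is not a permitted MX
    elif not tls_ok:
        violation = "tls-failure"      # STARTTLS stripped or cert invalid
    else:
        return ("deliver", "ok")
    if policy.mode == "enforce":
        return ("defer", violation)    # downgrade blocked, mail queued
    return ("deliver", violation)      # testing mode: report only


if __name__ == "__main__":
    policy = parse_policy(POLICY_FILE)
    print(parse_mta_sts_txt(MTA_STS_TXT), parse_tlsrpt_txt(TLSRPT_TXT))
    print(delivery_decision(policy, "mail.example.com", tls_ok=False))
```

The `tls_ok` flag stands in for the sender's real outcome of the STARTTLS handshake and certificate check; the point of the decision function is that in `enforce` mode a stripped or unauthenticated session results in deferral rather than plaintext delivery, and that the same failure in `testing` mode is only surfaced through the TLS-RPT address, which is why the `_smtp._tls` record matters while rolling a policy out.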
What is the file name for an MTA-STS policy?
Does MTA-STS require DNSSEC for policy discovery?
What DNS record type is used for MTA-STS policy discovery?
What is the purpose of the 'id' tag in an MTA-STS policy TXT record?
What is the 'mx' field in an MTA-STS policy used for?
Does MTA-STS apply to inbound or outbound mail?