
What is the current adoption of TLS reporting with MTA-STS for domains?

Michael Ko
Co-founder & CEO, Suped
Published 8 Apr 2026
Updated 9 Apr 2026
I often find that while DMARC and SPF are now common knowledge for anyone sending bulk mail, the world of TLS reporting and MTA-STS feels like the next frontier. I see a lot of people asking whether it is actually worth the effort given how low the raw adoption numbers look in public surveys. It is easy to look at a statistic and assume a technology is failing when it is actually just consolidating power among the biggest players.
When I look at the current landscape, the raw percentage of domains using these protocols is surprisingly small. However, if you look at where the mail is actually going, the story changes completely. Large consumer providers have been the primary drivers, making these security measures relevant for the majority of person-to-person emails sent today.
In my experience, the disconnect between domain count and traffic volume is the most important factor to understand. You might only see a fraction of the internet publishing these records, but those domains often represent the mailboxes your users care about most. It is about protecting the most common paths, not just every possible destination.

Understanding the adoption gap

The most recent data from early 2026 suggests that only about 0.7% of the top one million domains have published an MTA-STS policy. While that number sounds low, it has more than doubled since 2024. This growth shows a steady climb toward wider acceptance, even if we are still early in the adoption lifecycle.
I have noticed that even with 0.7% adoption, some senders report that over 50% of their total outbound traffic is covered by these policies. This happens because major email providers like Google and Microsoft were among the first to implement support. If you send mail to Gmail or Outlook, you are already interacting with MTA-STS and TLS reporting daily.
This concentration means that a domain can achieve significant security gains by targeting a small number of high-volume destinations. It is not just about the number of domains; it is about the traffic volume those domains represent. For many businesses, enforcing TLS for half of their mail is a massive improvement over opportunistic encryption alone.
Adoption rates for top 1 million domains (2024 to 2026):
  1. 2024: 0.3% (approx 2,975 domains)
  2. 2025: 0.5% (approx 5,155 domains)
  3. 2026: 0.7% (approx 7,377 domains)

Why adoption is slower than DMARC

I think one reason adoption lags is that people confuse MTA-STS with TLS reporting (TLS-RPT). While they often go together, they are distinct. MTA-STS tells senders that you require encryption, while TLS-RPT gives you the feedback loop to know if those connections are actually working. Without reporting, you are essentially flying blind if a certificate expires or a configuration fails.
Another factor is the complexity of hosting. MTA-STS requires a web server with a valid certificate to host a policy file. This is a hurdle for IT teams that only want to manage DNS. This is where a hosted MTA-STS solution can help by removing the need to maintain web infrastructure just for email security.
I have seen resistance to enforcement because of the risk of undelivered mail. If a sender cannot negotiate a secure connection to your server, the mail will bounce if you are in enforce mode. Because of this, many organizations stay in testing mode indefinitely, gathering reports but not actually mandating the security they desire.
MTA-STS features
  1. Enforcement: Forces senders to use TLS 1.2 or higher.
  2. MX validation: Prevents DNS hijacking of mail records.
TLS reporting features
  1. Visibility: Shows success and failure rates of connections.
  2. Error codes: Identifies expired certs or cipher mismatches.
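
The enforce-mode risk described above can be checked before the switch. The following Python is an added example, not code from Suped or the original article: it parses a policy file in the RFC 8461 format and flags live MX hosts the policy does not cover, as well as a long `max_age` while still in testing mode. The sample policy, the hostnames and the seven-day testing ceiling are assumptions.

```python
MAX_AGE_LIMIT = 31557600     # largest max_age RFC 8461 allows (about one year)
TESTING_MAX_AGE = 7 * 86400  # assumed ceiling while still in testing mode
# Constructed sample policy and MX set; the hostnames are placeholders.
SAMPLE_POLICY = """version: STSv1
mode: testing
mx: mx1.example.com
mx: *.mail.example.net
max_age: 2592000
"""
SAMPLE_MX = ["mx1.example.com", "in.mail.example.net", "backup.example.org"]

def parse_policy(text):
    """Parse 'key: value' lines; the mx key may appear several times."""
    policy = {"mx": []}
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def mx_matches(pattern, host):
    """A '*.' pattern covers exactly one leftmost label, nothing deeper."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.partition(".")[2] == pattern[2:]
    return host == pattern

def lint(text, live_mx_hosts):
    """Return problems that would cause bounces or long-lived stale caches."""
    p, problems = parse_policy(text), []
    if p.get("version") != "STSv1" or p.get("mode") not in ("enforce", "testing", "none"):
        problems.append("version must be STSv1 and mode enforce, testing or none")
    age = p.get("max_age", "")
    if not age.isdecimal() or int(age) > MAX_AGE_LIMIT:
        problems.append("max_age missing or above the RFC 8461 limit")
    elif p.get("mode") == "testing" and int(age) > TESTING_MAX_AGE:
        problems.append("long max_age while still in testing mode")
    for host in live_mx_hosts:
        if not any(mx_matches(pat, host) for pat in p["mx"]):
            problems.append(f"MX {host} is not covered by the policy")
    return problems

if __name__ == "__main__":
    print(lint(SAMPLE_POLICY, SAMPLE_MX))
```

An empty result for the MX hosts your domain actually publishes is the precondition for moving the same policy to `mode: enforce`.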

Steps to join the early adopters

If you are ready to move forward, I always suggest starting with TLS reporting in testing mode. This allows you to collect data from major senders without any risk to your mail flow. It is the exact same strategy we use for DMARC, where you start with a policy of none before moving to reject.
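
One way to read the reports collected during testing, as an added example (not Suped's code or part of the original article): it totals session counts and failure reasons from TLS-RPT JSON reports in the RFC 8460 layout. The sample report and the 1% enforcement threshold are assumptions.

```python
import json
from collections import Counter

# Constructed sample report; organisation, domain and counts are made up.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Sender A (constructed)",
    "report-id": "constructed-0001",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "example.com"},
        "summary": {"total-successful-session-count": 940,
                    "total-failure-session-count": 60},
        "failure-details": [
            {"result-type": "certificate-expired",
             "receiving-mx-hostname": "mx2.example.com",
             "failed-session-count": 45},
            {"result-type": "starttls-not-supported",
             "receiving-mx-hostname": "mx3.example.com",
             "failed-session-count": 15},
        ],
    }],
})


def summarise(report_json_docs):
    """Aggregate session counts and failure reasons across reports."""
    ok = failed = 0
    reasons = Counter()  # (result-type, receiving MX) -> failed sessions
    for doc in report_json_docs:
        for entry in json.loads(doc).get("policies", []):
            summary = entry.get("summary", {})
            ok += summary.get("total-successful-session-count", 0)
            failed += summary.get("total-failure-session-count", 0)
            for d in entry.get("failure-details", []):
                key = (d.get("result-type", "unknown"),
                       d.get("receiving-mx-hostname", "unknown"))
                reasons[key] += d.get("failed-session-count", 0)
    total = ok + failed
    rate = failed / total if total else 0.0
    return {"sessions": total, "failure_rate": rate,
            "top_failures": reasons.most_common(3)}


def safe_to_enforce(summary, max_failure_rate=0.01):
    """Hypothetical gate: the 1% threshold is an assumption, not a standard."""
    return summary["sessions"] > 0 and summary["failure_rate"] <= max_failure_rate

if __name__ == "__main__":
    print(summarise([SAMPLE_REPORT]))
```

Grouping failures by result type and receiving MX points straight at the host whose certificate or STARTTLS support needs fixing before enforcement.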
I highly recommend using Suped for this process. Unlike basic tools, Suped provides a unified platform where you can manage DMARC monitoring and TLS reporting in one place. Our hosted MTA-STS feature is particularly useful because it lets you enforce TLS using just two CNAME records, bypassing the need for you to manage your own policy web server.
Ultimately, the value of these protocols is only going up as more governments and large enterprises mandate them. If you want to boost email deliverability and security, getting your TLS reporting in order is a critical step. Don't let the low adoption percentages fool you; the traffic that matters is already there.

Views from the trenches

Best practices
Always start MTA-STS in testing mode to avoid blocking legitimate email traffic.
Use a dedicated reporting service to aggregate and visualize JSON TLS reports.
Monitor certificate expiration dates closely to prevent enforcement failures.
Implement TLS reporting for both inbound and outbound mail streams for full visibility.
Common pitfalls
Setting a long max_age in the policy before verifying the setup is stable.
Forgetting to update the policy serial number after making changes to the record.
Assuming that low global adoption means your specific traffic is not encrypted.
Misconfiguring the HTTPS policy host which prevents senders from fetching requirements.
Expert tips
Check if your industry regulations mandate encryption for supply chain communication.
Combine MTA-STS with DMARC to protect both message integrity and transit security.
Use hosted solutions to manage the required HTTPS policy file without local servers.
Review reports from major providers to identify specific cipher suites they prefer.
Expert view
Expert from Email Geeks says the UK Government requires MTA-STS on their supply chain and intends to mandate it for all councils.
2026-01-20 - Email Geeks
Marketer view
Marketer from Email Geeks says they added support for MTA-STS policy hosting and TLS reporting specifically because of high customer demand.
2026-01-21 - Email Geeks

The path forward for secure email

The adoption of TLS reporting and MTA-STS is following a similar path to other security standards. It begins with the largest platforms and slowly filters down to smaller organizations. While the current 0.7% adoption rate among the top million domains seems minor, its impact on total global email volume is already significant.
For most businesses, the value lies in the visibility provided by TLS-RPT and the protection against man-in-the-middle attacks offered by MTA-STS. By using a platform like Suped, you can implement these technologies without the traditional technical overhead. It is a proactive step that secures your domain and prepares you for future compliance requirements.
