Suped

Does MTA-STS affect email routing decisions?

The short answer is no, MTA-STS (Mail Transfer Agent Strict Transport Security) does not directly make email routing decisions. Its primary role is security, not routing. However, its policies can influence whether an email is delivered or not, which can sometimes be confused with a routing function.

To understand why, we first need to clarify what MTA-STS is designed to do. At its core, MTA-STS is a security standard created to ensure that emails are transmitted between mail servers over an encrypted TLS (Transport Layer Security) connection. It helps prevent man-in-the-middle attacks, where an attacker could intercept, read, or alter emails in transit.

As TechTarget puts it, the standard's goal is to improve the security of connections between SMTP servers. It's about protecting the data as it moves along a predetermined path.

How MTA-STS works vs. email routing

Email routing decisions are handled by a domain's MX (Mail Exchanger) records in the DNS. When a sending server wants to deliver an email, it looks up the recipient domain's MX records to find the address of the mail server responsible for accepting its mail. This is the routing part: MX records tell the sender where to send the email.

MTA-STS comes into play after this routing decision has already been made. Here's the process:

  • DNS Lookup for MTA-STS Policy: The sending server checks for a special DNS record to see if the receiving domain has an MTA-STS policy.
  • Policy Fetch: If a policy exists, the server fetches it over HTTPS. This policy specifies whether to enforce secure connections and which mail servers are valid.
  • Connection Enforcement: If the policy is in 'enforce' mode, the sending server will only deliver the email if it can establish a secure TLS connection with a server whose name matches the one in the policy. It does not look for an alternate route.

MTA-STS acts as a security checkpoint on a pre-defined route, not as a GPS system that finds a new route.

When MTA-STS affects email delivery

The confusion arises from what happens when an MTA-STS policy check fails. If a domain has its policy set to enforce and a secure connection cannot be established (due to an expired certificate, a weak cipher, or a network downgrade attack), the sending server will not deliver the email. It won't try to find an alternate, less secure server or path. The email delivery is simply aborted.

So, while it doesn't re-route the email, a strict MTA-STS policy can cause delivery to fail. This is a binary outcome: deliver securely or don't deliver at all. This is a critical distinction because the goal is to prevent mail from ever being sent insecurely, even if that means it is not sent.
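To make the checkpoint concrete, here is an added Python example (it is not code from Suped or from any mail server) that models the three steps above and the enforce-mode failure just described: it parses the `_mta-sts` TXT record and the policy file format defined in RFC 8461, applies the MX pattern-matching rule (a leading `*.` matches exactly one label), and returns a deliver-or-abort decision for a candidate MX host. The TXT record, policy text, hostnames and the `tls_ok` flag are constructed sample values; the DNS lookup, the HTTPS policy fetch and the TLS handshake itself are assumed to have already happened and are not performed here.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of the TXT record published at _mta-sts.<domain> (RFC 8461 section 3.1).
SAMPLE_TXT_RECORD = "v=STSv1; id=20240101T000000;"

# Constructed sample policy as served at https://mta-sts.<domain>/.well-known/mta-sts.txt
# (RFC 8461 section 3.2). The hostnames are placeholders.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""


@dataclass
class Policy:
    version: str
    mode: str          # "enforce", "testing" or "none"
    mx: List[str]      # allowed MX hostname patterns
    max_age: int       # seconds the policy may be cached


def parse_txt_record(txt: str) -> Optional[str]:
    """Step 1: return the policy id if the TXT record is a valid STSv1 record, else None."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def parse_policy(text: str) -> Policy:
    """Step 2: parse the fetched policy body into a Policy, rejecting unknown versions/modes."""
    fields = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            fields["mx"].append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode {mode!r}")
    return Policy(version="STSv1", mode=mode, mx=fields["mx"], max_age=int(fields.get("max_age", 0)))


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 section 4.1: '*.example.net' matches one leading label, not zero and not two."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup-mx.example.net"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return bool(label) and "." not in label
    return host == pattern


def delivery_decision(policy: Policy, mx_host: str, tls_ok: bool) -> Tuple[str, str]:
    """Step 3: decide for one MX host already chosen via the MX lookup.

    Returns ("deliver", reason) or ("abort", reason). tls_ok stands for a successful
    TLS 1.2+ handshake with a certificate that validates for mx_host.
    """
    if policy.mode == "none":
        return ("deliver", "mode none: policy imposes no requirements")
    host_ok = any(mx_matches(p, mx_host) for p in policy.mx)
    if host_ok and tls_ok:
        return ("deliver", "MX host matches policy and TLS validated")
    reason = "MX host not listed in policy" if not host_ok else "TLS validation failed"
    if policy.mode == "testing":
        return ("deliver", f"{reason}; mode is testing, so delivered and reported")
    # Enforce mode: no plaintext or unvalidated fallback is attempted.
    return ("abort", f"{reason}; mode is enforce, delivery not attempted")


if __name__ == "__main__":
    policy_id = parse_txt_record(SAMPLE_TXT_RECORD)
    policy = parse_policy(SAMPLE_POLICY)
    print("policy id:", policy_id, "mode:", policy.mode)
    for host, tls in [("mail.example.com", True), ("mail.example.com", False), ("rogue.example.org", True)]:
        print(host, tls, "->", delivery_decision(policy, host, tls))
```

Note the scope of the decision: it is made per MX host that the ordinary MX lookup already produced. A sender may still try the next host from that same MX list, but each candidate faces the same check, and in enforce mode none of them is ever contacted without a matching name and a validated TLS session.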

This differs from other deliverability factors. As one user on the Spiceworks Community notes, deliverability is more commonly affected by SPF or DKIM failures. MTA-STS issues are less common but can be more severe when they occur, leading to a complete stoppage of mail flow from compliant senders.

Conclusion

MTA-STS is a security protocol, not a routing protocol. It operates on the path defined by MX records, enforcing a secure connection rather than choosing the path itself. While a misconfigured or strict MTA-STS policy can prevent email delivery, this is a security-based failure, not a change in email routing. The email is stopped, not redirected.
