Suped

Does MTA-STS apply to inbound or outbound mail?

The short answer is that Mail Transfer Agent Strict Transport Security (MTA-STS) is a standard designed to protect inbound email. As a domain owner, you publish an MTA-STS policy to tell other mail servers how they should securely deliver mail to your domain.

However, for this system to work, sending mail servers must be able to check for and respect these policies when they send outbound mail. So, while the policy you configure applies to your inbound mail flow, it directly impacts the behavior of outbound mail servers sending to you.


How MTA-STS protects inbound email

MTA-STS is fundamentally a protection mechanism for receiving domains. Its main purpose is to prevent man-in-the-middle (MITM) and downgrade attacks. In a downgrade attack, an attacker intercepts the communication between two mail servers and forces them to use an unencrypted connection, allowing the attacker to read or modify the email.

VAND3RLINDEN says:
MTA-STS (Mail Transfer Agent Strict Transport Security) is a security protocol that enforces the use of secure TLS connections for inbound email communication.

You, as the owner of a domain, can publish a policy that declares you only accept email over a secure, encrypted Transport Layer Security (TLS) connection. You do this by creating a specific DNS record and hosting a policy file on a web server. When a sending server that supports MTA-STS wants to email your domain, it will look up your policy. If your policy is set to enforce, the sending server knows it must establish a valid TLS connection. If it cannot, it will not deliver the email, thus preventing a potential interception.
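The lookup described above, shown as an added example (not code from the original page or from Suped): it parses a constructed `_mta-sts` TXT record and a constructed policy file in the RFC 8461 format, then applies the decision a policy-aware sending MTA has to make before handing mail to a given MX host. The actual DNS query and the HTTPS fetch of `/.well-known/mta-sts.txt` are assumed to have happened already and are replaced by inline sample strings, so the block runs offline; the function names and the sample values (the domain, the policy id, the MX names) are assumptions for illustration.

```python
"""Parse an MTA-STS DNS record and policy file, then decide whether a
policy-aware sending MTA may deliver to a given MX host.
All sample data below is constructed for illustration."""
from dataclasses import dataclass

# Constructed TXT record as it would appear at _mta-sts.example.com (not real).
SAMPLE_TXT = "v=STSv1; id=20240101T000000Z"

# Constructed policy as it would be served from
# https://mta-sts.example.com/.well-known/mta-sts.txt (not real).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


@dataclass
class StsPolicy:
    version: str
    mode: str          # "enforce", "testing" or "none"
    mx: list           # allowed MX hostnames / "*.domain" patterns
    max_age: int       # seconds the sender may cache the policy


def parse_txt_record(txt):
    """Return the policy id from a _mta-sts TXT record, or None if the
    record is not a valid STSv1 record (e.g. an unrelated TXT record)."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def parse_policy(text):
    """Parse the key: value policy file; raise ValueError if it is unusable."""
    version, mode, mx, max_age = None, None, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed policy line: %r" % line)
        key, value = key.strip().lower(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value.lower()
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            max_age = int(value)
        # unknown keys are ignored for forward compatibility
    if version != "STSv1" or mode not in ("enforce", "testing", "none") or max_age is None:
        raise ValueError("invalid MTA-STS policy")
    if mode != "none" and not mx:
        raise ValueError("policy in %s mode must list at least one mx" % mode)
    return StsPolicy(version, mode, mx, max_age)


def mx_matches(pattern, host):
    """True if an MX hostname matches a policy mx entry. A leading '*.'
    matches exactly one leftmost label, as in the standard."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # e.g. ".backup.example.com"
        if not host.endswith(suffix):
            return False
        leftmost = host[:-len(suffix)]
        return leftmost != "" and "." not in leftmost
    return host == pattern


def delivery_decision(policy, mx_host, tls_established, cert_valid_for_mx):
    """What a sending MTA does with a message destined for mx_host:
    'deliver', 'deliver-and-report' (testing mode: deliver but report the
    failure via TLSRPT) or 'refuse' (enforce mode: hold the message)."""
    if policy.mode == "none":
        return "deliver"
    secure = (tls_established and cert_valid_for_mx
              and any(mx_matches(p, mx_host) for p in policy.mx))
    if secure:
        return "deliver"
    return "refuse" if policy.mode == "enforce" else "deliver-and-report"


if __name__ == "__main__":
    assert parse_txt_record(SAMPLE_TXT) is not None
    policy = parse_policy(SAMPLE_POLICY)
    print(delivery_decision(policy, "mail.example.com", True, True))       # deliver
    print(delivery_decision(policy, "mail.example.com", False, False))     # refuse
    print(delivery_decision(policy, "mx.attacker.example", True, True))    # refuse
```

The last call is the case the article is about: even with a working TLS session, an MX host that is not listed in the policy is refused in enforce mode, which is what stops a redirected or downgraded delivery. In testing mode the same failures only produce a report, which is why testing mode is the usual first step before switching to enforce.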

URIports Blog says:
Publishing an (enforced) MTA-STS policy declares that all inbound email communication should be secure and no emails should be delivered if a secure connection cannot be established.

The role of the outbound server

This is where the outbound side of the equation comes in. An MTA-STS policy is useless unless sending mail servers, known as Mail Transfer Agents (MTAs), actually check for it. When an MTA sends an email, it's acting as an outbound server.

Major email providers like Google and Microsoft have implemented MTA-STS support in their platforms. This means when you send an email from Gmail or Office 365, their servers will check the recipient's domain for an MTA-STS policy before sending your outbound message. As Cybersecurity World notes, Office 365 supports MTA-STS for both incoming and outgoing emails, though the protection for your own domain's incoming mail must be configured manually.

Google Online Security Blog says:
We're excited to announce that Gmail will become the first major email provider to follow the new SMTP MTA Strict Transport Security (MTA-STS) standard...

So, to put it simply:

  • Inbound Protection: You set an MTA-STS policy for your domain to protect all inbound emails.
  • Outbound Action: Sending mail servers must support MTA-STS to check this policy when delivering outbound emails.

Conclusion

MTA-STS is a policy that applies to inbound mail. It’s a declaration you make to the world about how you want to receive email. However, its effectiveness relies entirely on the cooperation of outbound mail servers that honor these declarations. Think of it like putting a special lock on your mailbox; it only works if the mail carrier has the right key and knows to use it. In this analogy, MTA-STS is the lock you install for inbound mail, and the outbound mail carrier is the one who has to use it.
