Mail Transfer Agent Strict Transport Security, or MTA-STS, is an important email security standard. Its primary job is to ensure that email connections between SMTP servers are properly encrypted, protecting messages from eavesdropping and man-in-the-middle attacks. As described by URIports, MTA-STS is a mechanism that tells a sending server that its communication must be encrypted.
The short and direct answer is that the default port for an MTA-STS policy lookup is TCP/443. This is because the policy file is fetched from a web server using a secure HTTPS connection, and 443 is the standard port for HTTPS traffic. While other ports are involved in the broader email sending process, the specific act of retrieving the policy file happens over this port.
To understand why port 443 is used, it's helpful to look at the steps a sending mail server takes when it encounters a domain using MTA-STS. The process isn't as complex as it might sound.
Once the policy has been fetched over HTTPS and validated, the sending server applies its rules to enforce a secure connection when delivering the email.
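As an added example (not code from the article or from any named project), here is a minimal Python walk-through of that lookup: read the `_mta-sts` TXT record, build the fixed `https://mta-sts.<domain>/.well-known/mta-sts.txt` URL from RFC 8461 and confirm it resolves to TCP/443 while rejecting plain HTTP, parse the policy body, and check an MX host against it. The TXT record and policy body are constructed samples; no DNS or HTTPS request is made.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins for a DNS TXT answer and a fetched policy body; no network I/O here.
SAMPLE_TXT = "v=STSv1; id=20240101T000000;"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""

def parse_sts_txt(txt):
    """Step 1: parse the _mta-sts.<domain> TXT record; None if it is not an MTA-STS record."""
    fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if fields.get("v") != "STSv1" or not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        return None
    return fields
def policy_url(domain):
    """Step 2: the fixed well-known HTTPS location of the policy file."""
    return f"https://mta-sts.{domain}/.well-known/mta-sts.txt"
def lookup_port(url):
    """Refuse anything but HTTPS; an https URL without an explicit port means TCP/443."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("MTA-STS policy must be fetched over HTTPS")
    return parts.port or 443
def parse_policy(body):
    """Step 3: parse and validate the fetched policy text (one 'key: value' per line)."""
    policy = {"mx": []}
    for line in body.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "mx":
            policy["mx"].append(value)
        elif key:
            policy[key] = value
    valid = policy.get("version") == "STSv1" and policy.get("mode") in ("enforce", "testing", "none")
    if not valid or not policy.get("max_age", "").isdigit():
        raise ValueError("malformed MTA-STS policy")
    policy["max_age"] = int(policy["max_age"])
    return policy
def mx_allowed(policy, mx_host):
    """Step 4: does an MX host match the policy? A '*.x' pattern covers exactly one extra label."""
    mx_host = mx_host.lower()
    for pattern in (p.lower() for p in policy["mx"]):
        if pattern.startswith("*.") and mx_host.endswith(pattern[1:]):
            if re.fullmatch(r"[^.]+", mx_host[: -len(pattern) + 1]):  # one label before the suffix
                return True
        elif mx_host == pattern:
            return True
    return False
```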
There is sometimes confusion about which port is used for the policy lookup because email delivery itself involves several different ports. It is crucial to distinguish between the port used for fetching the security policy and the ports governed by that policy.
SMTP Ports (25, 465, 587): These are the ports used for the actual SMTP conversation. MTA-STS enforces rules on these connections, like requiring a valid TLS certificate, but it doesn't use them to retrieve the policy file. For instance, port 587 is a common choice for secure SMTP submission.
HTTP Port (80): A web server hosting the MTA-STS policy will often have port 80 open, but usually only to redirect HTTP requests to HTTPS. The MTA-STS standard explicitly requires a secure connection to fetch the policy, so a direct request to port 80 would fail the MTA-STS validation. This requirement prevents an attacker from intercepting the policy request and removing the security directives. As noted in a Mail-in-a-Box forum discussion, port 80 is often kept open for practical reasons like acquiring Let's Encrypt certificates, which is separate from the MTA-STS lookup itself.
The entire purpose of MTA-STS is to add a layer of security and trust to email delivery. If the policy file itself could be fetched over an insecure connection like HTTP, a malicious actor could simply intercept the request and return a fake policy that disables encryption. This would render the standard useless.
By mandating that the policy is served over HTTPS on port 443, the MTA-STS standard ensures that the instructions received by the sending server are authentic and have not been tampered with. This secure lookup is the foundation upon which the entire protocol's security guarantees are built. In summary, while MTA-STS influences how email servers talk on ports like 25 and 587, the policy that dictates these rules is always fetched securely from port 443.