We have just implemented MTA-STS on all of the mail domains that we manage for ourselves and for clients and the first reaction of most people I’ve mentioned this to has been, quite predictably, something along the lines of “What on Earth is MTA-STS?”
So, it seems like a good idea to take a few minutes to explain it…
Mail Transfer Agent Strict Transport Security (MTA-STS) is a modern email security standard that lets servers sending you mail know that your incoming mail server accepts secure connections using SMTP over TLS (STARTTLS), and that mail should not be delivered to you over an insecure SMTP connection.
That all sounds a little bit fluffy, but it is actually really useful for mitigating a couple of different kinds of attacks, such as man-in-the-middle or STARTTLS downgrade attacks, that could allow someone to read or manipulate email while it is in transit to you.
Depending on who you ask, MTA-STS is either the best thing ever or a poor substitute for the alternative, DANE, which achieves a similar result by publishing its policy in DNSSEC-signed DNS records instead of over HTTPS. Luckily the two are not mutually exclusive, and the best option is to make sure that you have both enabled and properly set up.
How it works
MTA-STS consists of two parts: a text policy file that is published on a subdomain and served over HTTPS, and a DNS TXT record that indicates that the domain supports MTA-STS.
A sending mail transfer agent (server) will first check whether the DNS record exists. If it does, it then fetches the MTA-STS policy file from your web server.
The policy file is a very short text file containing a few simple directives. Much of the security comes from the sending mail transfer agent being able to locate and fetch it over an authenticated HTTPS connection, rather than from what it actually says.
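To make the two parts concrete, here is an added example (not code from the original post) that parses a constructed `_mta-sts` TXT record and a constructed policy file, then applies the policy the way a sending server does: matching the MX hosts it resolved against the policy's `mx` patterns and deciding, per the `mode`, whether delivery without a verified TLS connection should be refused. The domain names, the policy `id`, the `max_age` value and the list of MX hosts are all made-up sample data; the wildcard and mode handling follow the published standard (RFC 8461), while the requirement that a non-`none` policy carry at least one `mx` line is this example's own simplification.

```python
"""Parse and apply an MTA-STS policy (added example; sample data is constructed)."""
from dataclasses import dataclass

# Constructed sample inputs: what a sending MTA would retrieve from DNS and HTTPS.
# In practice the TXT record lives at _mta-sts.<domain> and the policy is fetched
# from https://mta-sts.<domain>/.well-known/mta-sts.txt (placeholder names here).
SAMPLE_TXT_RECORD = "v=STSv1; id=20240101T000000;"
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mail.example.com\r\n"
    "mx: *.example.net\r\n"
    "max_age: 604800\r\n"
)

VALID_MODES = {"enforce", "testing", "none"}


def parse_txt_record(record: str) -> dict:
    """Parse 'v=STSv1; id=...' into a dict; the id is what signals a policy change."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid MTA-STS TXT record")
    return fields


@dataclass
class Policy:
    version: str
    mode: str
    mx: list
    max_age: int


def parse_policy(text: str) -> Policy:
    """Parse the key: value lines of a policy file; unknown keys are ignored."""
    version = mode = max_age = None
    mx = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "mx":
            mx.append(value.lower().rstrip("."))
        elif key == "max_age":
            max_age = int(value)
    if version != "STSv1":
        raise ValueError("unsupported policy version")
    if mode not in VALID_MODES:
        raise ValueError(f"invalid mode {mode!r}")
    if max_age is None:
        raise ValueError("max_age is required")
    if mode != "none" and not mx:  # simplification: insist on an mx list when enforcing/testing
        raise ValueError("at least one mx pattern is required")
    return Policy(version, mode, mx, max_age)


def mx_matches(pattern: str, host: str) -> bool:
    """Match a host against an mx pattern; '*.' matches exactly one leftmost label."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".example.net"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[: -len(suffix)]  # only a single label may replace '*'
    return host == pattern


def check_mx_hosts(policy: Policy, mx_hosts: list) -> tuple:
    """Split resolved MX hosts into those the policy allows and those it does not."""
    allowed = [h for h in mx_hosts if any(mx_matches(p, h) for p in policy.mx)]
    rejected = [h for h in mx_hosts if h not in allowed]
    return allowed, rejected


def delivery_decision(policy: Policy, host: str, tls_verified: bool) -> str:
    """What a sending MTA does with one MX host, given whether TLS validated."""
    ok = tls_verified and any(mx_matches(p, host) for p in policy.mx)
    if ok or policy.mode == "none":
        return "deliver"
    # A downgraded or mismatched connection: refuse when enforcing, otherwise
    # deliver but report the failure (reporting itself is out of scope here).
    return "refuse" if policy.mode == "enforce" else "deliver-and-report"


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print(parse_txt_record(SAMPLE_TXT_RECORD), policy)
    print(check_mx_hosts(policy, ["mail.example.com", "mx2.example.net", "other.test"]))
    print(delivery_decision(policy, "mail.example.com", tls_verified=False))
```

The `delivery_decision` function is where the downgrade protection lives: once a receiving domain has published an `enforce` policy, a sender that cannot complete a validated TLS session to a host listed in `mx` stops rather than falling back to plaintext, which is exactly the fallback an on-path attacker would otherwise rely on.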
A lot more technical details
We’ve scratched the surface and covered the only things you really need to know about MTA-STS unless you are administering your own mail server. If you are a server admin, or you just want to know a bit more, then we suggest checking out the excellent and much more in-depth explanation over at mailhardener.com.