The Ultimate Guide to MTA-STS Deployment: Is It Worth It?

Authored By: Timmy Bohlman on 6/15/2023

MTA-STS, or Mail Transfer Agent Strict Transport Security, is a relatively new security protocol designed to improve the security of email communication. Its primary function is to enable sending mail servers and receiving mail servers to establish encrypted connections via Transport Layer Security (TLS). However, like most security protocols, MTA-STS adds complexity to the email infrastructure, making it challenging to decide whether to implement it or not. In this blog post, we'll explore whether it's worth deploying MTA-STS and why.


In today's world of cyber threats and vulnerabilities, ensuring the security of email communication is crucial. Email is the most common form of communication used by individuals and businesses worldwide, making it an attractive target for malicious actors. Email interception, phishing, and other forms of attacks are on the rise, and the consequences of a successful attack can be catastrophic. MTA-STS aims to mitigate such risks by enabling secure communication between email servers.

What is MTA-STS?

MTA-STS is a security protocol designed to improve the security of email communication. It works by enforcing encryption of email transmission between sending and receiving email servers via the Transport Layer Security (TLS) protocol. By doing so, it prevents Man-in-the-Middle (MITM) attacks, where an attacker intercepts and modifies email messages in transit.

How does MTA-STS work?

MTA-STS works by enabling email servers to establish encrypted connections using TLS. It does so by creating two DNS records: one for the sending server and one for the receiving server. These records contain information about the preferred TLS encryption policy and the server's certificate. When an email server sends an email to a recipient, it queries the recipient's DNS server for the MTA-STS record. If this record exists, the sender's email server checks if the recipient's server conforms to the encryption policy. If it does, an encrypted connection is established, and the email is transmitted securely.

Why deploy MTA-STS?

Deploying MTA-STS can provide several benefits, including:

  1. Improved email security
    MTA-STS ensures that email communication is secure by enforcing encryption of email transmission between email servers. This prevents MITM attacks and ensures that only the intended recipient can read the email.
  2. Protection against impersonation attacks
    MTA-STS can also protect against impersonation attacks, where an attacker sends emails pretending to be someone else. By requiring encryption, MTA-STS makes it harder for attackers to impersonate legitimate email senders.
  3. Compliance with email security standards
    Deploying MTA-STS can help organizations comply with email security standards such as DMARC (Domain-based Message Authentication, Reporting, and Conformance). DMARC helps prevent email spoofing by verifying that emails are sent from legitimate sources. By deploying MTA-STS, organizations can further enhance their email security and comply with DMARC.
  4. Improved email deliverability
    Deploying MTA-STS can also improve email deliverability by reducing the likelihood of emails being blocked or marked as spam. Since MTA-STS ensures that email communication is secure, it can help email servers trust emails from organizations that deploy it.

When not to deploy MTA-STS?

Despite its benefits, MTA-STS is not suitable for all organizations. Here are some possible reasons why you might not want to deploy MTA-STS:

  1. It adds complexity to the email infrastructure
    Deploying MTA-STS adds complexity to the email infrastructure, requiring additional DNS records and server configurations. If you have a small or simple email setup, deploying MTA-STS may not be worth the effort.
  2. It requires up-to-date TLS support
    MTA-STS requires both the sending and receiving email servers to have up-to-date TLS support. If either the sending or receiving server does not support TLS, MTA-STS will fail, and emails will not be sent or received.
  3. It may slow down email transmission
    Since MTA-STS requires establishing an encrypted connection between email servers, it may slow down email transmission. This slowdown can be especially noticeable if you're sending a lot of emails at once.
  4. It may not be compatible with all email clients
    MTA-STS may not be compatible with all email clients, particularly older or less common ones. If your organization uses email clients that do not support MTA-STS, it may not be worth deploying.

How to deploy MTA-STS?

If, after weighing the pros and cons, you decide to deploy MTA-STS, here's how to do it:

  1. Create the MTA-STS Policy record
    The first step to deploying MTA-STS is to create a DNS record that specifies the TLS encryption policy. This record should include the version of TLS to use, whether to require valid certificates, and the lifespan of the policy. You can use an MTA-STS policy generator tool to create this record.
  2. Test the MTA-STS Policy record
    Once the MTA-STS Policy record is created, you should test it to ensure it's working correctly. You can use an MTA-STS test tool to validate the configuration by checking if the receiving email server can establish an encrypted connection with the sending email server.
  3. Enable MTA-STS in the email server
    The final step is to enable MTA-STS in the email server by configuring it to query for the recipient's MTA-STS policy record and enforce the TLS encryption policy.
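As an added example that is not part of the original post, the Python below models the lookup described under "How does MTA-STS work?" and the policy record from step 1, using the formats defined in RFC 8461: the `_mta-sts` TXT record (version and policy id), the `mta-sts.txt` policy file fetched over HTTPS (mode, allowed MX hosts, max_age), MX-host matching including the single-label wildcard, and the sender's enforce/testing decision when the MX or TLS check fails. The TXT record and policy are constructed sample data and `example.com` is a placeholder; a real MTA would resolve the record via DNS and fetch the policy over HTTPS.

```python
from collections import namedtuple

# Constructed sample data modelled on RFC 8461; example.com is a placeholder domain.
SAMPLE_TXT = "v=STSv1; id=20230615T120000"  # TXT record at _mta-sts.example.com
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""  # served at https://mta-sts.example.com/.well-known/mta-sts.txt
Policy = namedtuple("Policy", "mode mx max_age")  # enforce|testing|none, patterns, secs

def parse_sts_txt(txt: str):
    """Policy id from the _mta-sts TXT record, or None if it is not an STSv1 record."""
    fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    return fields.get("id") if fields.get("v") == "STSv1" else None

def parse_policy(body: str) -> Policy:
    """Parse mta-sts.txt; raise ValueError on anything a sender must not trust."""
    mode, mx, max_age = None, [], None
    for raw in body.splitlines():
        key, _, value = (s.strip() for s in raw.partition(":"))
        if key == "version" and value != "STSv1":
            raise ValueError("unsupported policy version")
        if key == "mode" and value in ("enforce", "testing", "none"):
            mode = value
        elif key == "mx":
            mx.append(value.lower().rstrip("."))
        elif key == "max_age":
            max_age = int(value)
    if mode is None or max_age is None or (mode != "none" and not mx):
        raise ValueError("incomplete or invalid policy")
    return Policy(mode, mx, max_age)

def mx_matches(patterns: list, host: str) -> bool:
    """'*.d' matches exactly one extra label (mail.d, not d or a.b.d), as RFC 8461 requires."""
    host = host.lower().rstrip(".")
    for p in patterns:
        if p.startswith("*."):
            suffix = p[1:]
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif host == p:
            return True
    return False

def delivery_decision(policy: Policy, mx_host: str, tls_ok: bool) -> str:
    """Sender's action for one MX host; tls_ok means TLS negotiated with a valid cert."""
    if policy.mode == "none" or (mx_matches(policy.mx, mx_host) and tls_ok):
        return "deliver"
    return "refuse" if policy.mode == "enforce" else "deliver-and-report"
```

Publishing the policy in `testing` mode first, as in step 2, lets the sender deliver anyway and only report mismatches, which is how the MX list and certificate are validated before switching to `enforce`.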

In conclusion, MTA-STS can provide several benefits by ensuring secure email transmission and protecting against impersonation attacks. However, before deploying MTA-STS, organizations should consider the added complexity, up-to-date TLS support, and potential email transmission slowdown. If you decide to deploy MTA-STS, follow the steps outlined above to create and test the MTA-STS Policy record and enable it in the email server.
