I’m not going to beat around the bush, this blog is going to be technical. So, if you’re reading this late at night, it might be that the main thing you’ll get out of this article is a good night’s sleep.
MTA-STS is an acronym that not many have come across - and for good reason! In this internet age, memes travel fast, and security standards travel slow. MTA-STS has only been around since 2018 (RFC 8461) which means it’s basically a toddler in the eyes of the world. Just look at DMARC, it’s over 10 years old but only now is there any buzz about it.
Short for SMTP MTA (Mail Transfer Agent) Strict Transport Security, MTA-STS is designed to ensure that email is handed between mail servers over an encrypted TLS connection rather than in the clear.
“Isn’t that what TLS is for?” Well yes, but also, no.
TLS (Transport Layer Security) is the cryptographic protocol that secures communication channels on the internet. Applied to the mail hop, the email messages themselves aren’t encrypted end to end, but the connection carrying them from one server to the next is.
One well-known example of TLS is https://: your communication with that website is protected by TLS. For email, the companion standard TLS-RPT (SMTP TLS Reporting, RFC 8460) lets a receiving domain ask sending servers for reports on whether they managed to negotiate TLS with its mail servers, and why not when they failed.
Where MTA-STS comes in is email specifically, meaning the Simple Mail Transfer Protocol (SMTP). SMTP historically had no transport security at all, and although STARTTLS was later added to encrypt SMTP sessions, it is opportunistic: a sending server falls back to plaintext if the receiving side doesn’t offer TLS, an active attacker on the path can strip the STARTTLS offer to force exactly that fallback, certificates are typically not validated, and because MX lookups are plain unauthenticated DNS, an attacker who can tamper with those answers can point the sender at a server they control.
MTA-STS lets a receiving domain publish a policy saying that its mail servers must be reached over TLS with a trusted certificate. A DNS TXT record at _mta-sts.<domain> (v=STSv1; id=…) announces that a policy exists, and the policy itself is fetched over HTTPS from https://mta-sts.<domain>/.well-known/mta-sts.txt, where it lists the permitted MX hostnames, a mode (testing, enforce or none) and a max_age for how long senders may cache it. A sending server that supports MTA-STS caches the policy and, in enforce mode, refuses to deliver to a server that does not offer TLS, presents an untrusted certificate, or is not on the MX list, instead of silently falling back to plaintext. Because the policy comes over HTTPS and is cached, a DNS attacker cannot quietly swap the MX records or downgrade the connection once a sender holds the policy; the remaining gap is the first lookup, before anything is cached, which is why max_age is normally set to days or weeks. MTA-STS also aims to bolster email security as it was developed in collaboration with M3AAWG (Messaging, Malware, and Mobile Anti-Abuse Working Group).
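To make the mechanism concrete, here is an added example (not code from the original post or from any MTA): it parses a constructed _mta-sts TXT record and a constructed policy file for the hypothetical domain example.com, implements the MX wildcard matching rule from RFC 8461 (a leading "*." matches exactly one label), and then makes the delivery decision a policy-aware sender would make for a given MX host and TLS outcome. Nothing here touches DNS or the network; the DNS and HTTPS fetches that a real sender performs are assumed to have already happened.

```python
"""Parse an MTA-STS policy and apply it the way a sending MTA would.

Added illustrative example, not part of the original post. The TXT record
and policy text are constructed samples for the hypothetical example.com.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of the TXT record at _mta-sts.example.com
SAMPLE_TXT = "v=STSv1; id=20240101T000000;"

# Constructed sample of https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mx1.example.com\r\n"
    "mx: *.backup-mx.example.net\r\n"
    "max_age: 604800\r\n"
)


@dataclass
class Policy:
    mode: str
    mx: list = field(default_factory=list)
    max_age: int = 0


def parse_txt_record(txt: str) -> str:
    """Return the policy id from a _mta-sts TXT record, or raise ValueError.

    RFC 8461 s3.1: fields 'v=STSv1' and 'id=<1-32 alphanumerics>', separated
    by ';'. Unknown fields are ignored. A changed id tells a sender to refetch.
    """
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("not an STSv1 record")
    policy_id = fields.get("id", "")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", policy_id):
        raise ValueError("missing or malformed id")
    return policy_id


def parse_policy(text: str) -> Policy:
    """Parse the 'key: value' policy file (RFC 8461 s3.2); CRLF or LF lines."""
    fields, mx = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    if "max_age" not in fields:
        raise ValueError("max_age is required")
    if mode != "none" and not mx:
        raise ValueError("enforce/testing policy must list at least one mx")
    return Policy(mode=mode, mx=mx, max_age=int(fields["max_age"]))


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 s4.1 matching: a leading '*.' matches exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup-mx.example.net"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return bool(label) and "." not in label
    return pattern == host


def delivery_decision(policy: Policy, mx_host: str, tls_ok: bool) -> str:
    """Decide what a policy-aware sender does for one connection attempt.

    tls_ok means STARTTLS succeeded with a certificate valid for mx_host.
    Returns 'deliver', 'deliver-and-report' or 'refuse'.
    """
    if policy.mode == "none":
        return "deliver"
    compliant = tls_ok and any(mx_matches(p, mx_host) for p in policy.mx)
    if compliant:
        return "deliver"
    # Non-compliant path: testing mode still delivers but generates a TLS-RPT
    # failure report; enforce mode must not deliver (RFC 8461 s5.1).
    return "deliver-and-report" if policy.mode == "testing" else "refuse"


if __name__ == "__main__":
    pid = parse_txt_record(SAMPLE_TXT)
    pol = parse_policy(SAMPLE_POLICY)
    print(f"policy id {pid}, mode {pol.mode}, mx {pol.mx}, max_age {pol.max_age}")
    for host, tls in [("mx1.example.com", True), ("mx1.example.com", False),
                      ("mx2.backup-mx.example.net", True),
                      ("evil.example.org", True)]:
        print(f"{host:28} tls={tls!s:5} -> {delivery_decision(pol, host, tls)}")
```

The last case is the one MTA-STS exists for: even if tampered DNS hands the sender an MX of evil.example.org that happily offers TLS with a valid certificate for its own name, the host is not on the cached policy's mx list, so an enforcing sender refuses rather than delivering to the attacker.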
Still with me? Although this has been a very technical article, I’m hoping I’ve shared some useful insights into MTA-STS.