MTA-STS
Learn what it is, how it enforces encrypted email delivery over TLS, and how DMARCeye supports stronger, end-to-end email security.
What Is MTA-STS?
MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security standard that ensures messages are transmitted securely over encrypted channels (TLS) between mail servers.
In short, MTA-STS prevents attackers from intercepting or tampering with messages while they’re in transit. It helps guarantee that email exchanges occur only over secure, authenticated connections, protecting against attacks that could expose sensitive data.
How MTA-STS Works
When one mail server sends a message to another, it typically uses the Simple Mail Transfer Protocol (SMTP). SMTP can use encryption via STARTTLS, but by default, it’s opportunistic, meaning encryption isn’t enforced if the receiving server doesn’t support it.
MTA-STS changes this by introducing a published policy that tells other mail servers to require TLS when delivering messages to your domain. Here’s how it works:
- You publish an MTA-STS DNS record (a TXT record at _mta-sts.[yourdomain.com]) indicating that MTA-STS is enabled.
- You host an MTA-STS policy file on a secure HTTPS endpoint (e.g., https://mta-sts.[yourdomain.com]/.well-known/mta-sts.txt).
- Sending servers check that policy before delivering mail. If the policy enforces strict TLS and they can’t establish a secure connection, delivery is deferred or rejected instead of sent in plaintext.
This ensures that your domain’s incoming mail is always protected during transit.
Why MTA-STS Is Important for Email Security
While SPF, DKIM, and DMARC protect against identity spoofing, they don’t encrypt the message itself. MTA-STS adds that missing layer by ensuring confidentiality and integrity in transmission.
It’s especially valuable for organizations that handle sensitive data, such as financial institutions, healthcare providers, and government entities. MTA-STS helps:
- Prevent email interception or tampering
- Enforce modern encryption standards
- Increase sender confidence and compliance with security frameworks
Together with TLS-RPT (SMTP TLS Reporting), MTA-STS also provides visibility into failed secure delivery attempts.
MTA-STS and DMARCeye
While DMARCeye focuses on authentication and identity protection, it complements transport-level security mechanisms like MTA-STS.
Through its reporting and analytics, DMARCeye helps organizations verify that their authentication infrastructure is healthy and aligned before adding advanced protections such as MTA-STS.
When combined, DMARC and MTA-STS create a stronger email security posture — authenticating senders, enforcing encryption, and ensuring that legitimate mail remains both trusted and secure in transit.
Sign up for a free trial of DMARCeye today and secure your email domain
To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.