SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.
These days, most domains have properly secured email (MX) servers that support TLS. However, without DANE or MTA-STS, this transport security is only opportunistic: an attacker positioned between the sending and receiving servers can strip the STARTTLS offer, and the sender will silently fall back to plaintext (a MITM downgrade attack).
Publishing an (enforced) MTA-STS policy declares that all inbound email communication should be secure and no emails should be delivered over an insecure connection.
Set up MTA-STS
Setting up an MTA-STS policy is pretty straightforward: publish a TXT DNS record (_mta-sts.<yourdomain>), set up a secure webserver for the subdomain mta-sts.<yourdomain>, and add an mta-sts.txt file containing your policy to that subdomain's .well-known folder.
While setting this up might take just an hour for a seasoned administrator, it also requires that web certificates are renewed on time and MX records are checked for updates and issues.
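As an added example (not part of this page or of URIports' own tooling), the following Python code parses an mta-sts.txt policy as described above, reports the field errors RFC 8461 forbids, and checks which MX hostnames from DNS an enforced policy would not cover. The sample policy and hostnames are constructed.

```python
# Constructed sample policy, the kind served at
# https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""
VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # upper bound allowed by RFC 8461


def parse_policy(text):
    """Return (policy dict, list of problems); 'mx' holds every mx pattern."""
    policy, problems = {"mx": []}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            problems.append(f"malformed line: {line!r}")
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in policy:
            problems.append(f"duplicate field: {key}")
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        problems.append("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > MAX_AGE_LIMIT:
        problems.append("max_age must be an integer of at most 31557600 seconds")
    if not policy["mx"]:
        problems.append("at least one mx pattern is required")
    return policy, problems


def mx_matches(pattern, hostname):
    """RFC 8461 matching: a leading '*' stands for exactly one leftmost DNS label."""
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return hostname == pattern


def unlisted_mx_hosts(policy, mx_hostnames):
    """MX hosts from DNS that no mx pattern covers; enforce mode would refuse delivery to them."""
    return [h for h in mx_hostnames if not any(mx_matches(p, h) for p in policy["mx"])]
```

Run `unlisted_mx_hosts` against your domain's current MX records before switching the policy to enforce mode; any hostname it returns must be added as an mx line or removed from DNS first.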
URIports is here to make publishing an MTA-STS policy a breeze. By adding just two CNAME records to your domain's DNS, URIports will publish an RFC-compliant MTA-STS policy using the latest best practices and periodically validate your policy and email setup. It doesn't get any easier than this and upgrades your email security substantially.
Hosted MTA-STS is included at no extra charge in our Pebble Plus, Stone, Mountain, and Himalaya subscriptions.
Before enforcing an MTA-STS policy, it is recommended to validate that your domain's email servers support TLS and present valid, trusted TLS certificates whose names match the MX hostnames. You can use our free validation tool here to check if your domain is MTA-STS ready.