The Alarming MTA-STS Gap
A recent scan of the top 10,000 domains revealed a staggering 97.8% lack a properly configured Mail Transfer Agent Strict Transport Security (MTA-STS) policy. This isn't a minor oversight; it represents a critical vulnerability in email security, impacting the vast majority of the internet's most-visited sites. For comparison, only a third of these domains were found to be missing DMARC, a commonly discussed email authentication standard. The absence of MTA-STS is nearly three times more prevalent, yet it garners significantly less attention.
MTA-STS is designed to prevent email downgrade attacks. Normally, when one mail server sends a message to another, it attempts to establish a secure TLS connection using STARTTLS. However, if this upgrade fails, the servers often default to sending the email in plaintext. An attacker positioned between these servers can intercept the connection, strip the STARTTLS offer, or present a fraudulent certificate. The sending server, unaware of the compromise, proceeds with the unencrypted transfer, exposing sensitive information.
MTA-STS enforces a policy that dictates mail servers must use TLS when communicating with a specific domain. It requires domain owners to publish a policy file in DNS that specifies which servers are authorized to receive mail, and that all connections must be encrypted. This policy also dictates that if a secure connection cannot be established, the mail must be rejected, not delivered in plaintext.

Understanding MTA-STS and Its Protection
MTA-STS operates by leveraging DNS records and a policy file. When a mail server, let's call it Server A, prepares to send an email to a domain (Domain B), it first queries DNS for Domain B's MTA-STS policy. This policy, published by Domain B's administrators, specifies the mail servers authorized to receive mail for Domain B and mandates the use of TLS for all incoming connections. It also defines a reporting mechanism, allowing Domain B's administrators to be notified of any connection failures, including those where a server attempted to deliver mail without TLS.
Crucially, MTA-STS requires that if a mail server (Server A) cannot establish a secure TLS connection with Domain B's designated mail servers, it must reject the email entirely. This prevents attackers from intercepting and downgrading the connection to plaintext. Without MTA-STS, the default behavior is often to proceed with plaintext delivery, making the email susceptible to eavesdropping and man-in-the-middle attacks.
The implications are significant. Sensitive information, including login credentials, financial data, personal communications, and proprietary business information, can be intercepted if transmitted over unencrypted connections. This not only violates user privacy but also exposes organizations to data breaches and reputational damage.
Implementing MTA-STS: A Two-Step Process
Fortunately, implementing MTA-STS is a straightforward process that involves two primary steps:
- Publish a DNS TXT Record: The first step is to create a DNS TXT record for your domain. This record should point to the location of your MTA-STS policy file. The record typically looks like this:
_mta-sts.yourdomain.com. IN TXT "v=STSv1; id=20230915T100000Z". The `id` field should be a unique, timestamped identifier that you will update whenever you change your policy. - Create an MTA-STS Policy File: Next, you need to create a policy file named
mta-sts.txtand host it on a secure web server at the address indicated by your DNS TXT record (e.g.,https://mta-sts.yourdomain.com/.well-known/mta-sts.txt). This file specifies the policy details. A basic policy might look like this:
version: STSv1
mode: enforce
max_age: 86400
reporting-mta: dns;
email: mailto:mta-sts-reports@yourdomain.com
policy:
yourdomain.com:
mx:
- mx.yourdomain.com
- backupmx.yourdomain.com
tls_domains:
- mail.google.com
- smtp.mail.yahoo.com
The mode: enforce directive is critical. It tells receiving mail servers that they must use TLS and reject any mail that arrives over an unencrypted connection. The max_age directive specifies how long receiving servers should cache this policy, typically set to 24 hours (86400 seconds). The reporting-mta and email fields enable reporting, which is vital for monitoring policy effectiveness and identifying potential issues.
The policy section lists the mail servers (MX records) that should be used for receiving mail for your domain, and tls_domains specifies other domains whose mail servers you expect to connect to securely. It is essential to list all your MX records accurately in the policy.

Why So Many Domains Are Missing This
The widespread absence of MTA-STS is puzzling, especially given its critical role in email security. Several factors likely contribute to this oversight:
- Lack of Awareness: MTA-STS is not as widely discussed or understood as DMARC, DKIM, or SPF. Many domain administrators may simply be unaware of its existence or its importance.
- Perceived Complexity: While the implementation is not overly complex, the initial setup involving DNS records and hosting a policy file can seem daunting to those less familiar with email infrastructure.
- Opportunistic Encryption Reliance: Many administrators might assume that STARTTLS is sufficient, not realizing the vulnerability of opportunistic encryption and the risk of downgrade attacks. They may believe that since most mail servers *try* to use TLS, it's effectively secure.
- Focus on Other Standards: With the ongoing emphasis on DMARC, DKIM, and SPF for email authentication and anti-spoofing, MTA-STS may be deprioritized.
- Reporting and Monitoring Gaps: Even if a policy is published, without proper monitoring of the reports generated, administrators might not realize their policy is not being enforced or that connections are still happening insecurely.
The current state of MTA-STS adoption is a clear indicator that the internet community has a significant blind spot when it comes to securing the transport layer of email. This gap leaves a vast number of users and organizations exposed to risks that are preventable with a relatively simple configuration change.
The Path Forward: Encouraging Adoption
Given that 97.8% of top domains are failing to implement MTA-STS, a concerted effort is needed to raise awareness and simplify adoption. Email providers, security researchers, and industry bodies should collaborate to:
- Educate Administrators: Develop clear, accessible guides and resources explaining MTA-STS, its benefits, and implementation steps.
- Integrate into Tools: Incorporate MTA-STS checks and configuration wizards into DNS management panels, web hosting services, and email security platforms.
- Promote Best Practices: Highlight successful MTA-STS implementations and encourage peer-to-peer learning within the developer and sysadmin communities.
- Standardize Reporting: Ensure that reporting mechanisms are robust and easy for administrators to interpret, facilitating proactive management of their MTA-STS policies.
Until MTA-STS adoption significantly improves, the security of email transport remains fundamentally compromised for the vast majority of users. Being part of the 2.2% who have implemented this policy is not just good practice; it's a necessity for protecting sensitive email communications.
