MTA-STS
Also known as: Mail Transfer Agent Strict Transport Security, SMTP MTA Strict Transport Security
A rule that forces other mail servers to deliver email to you over an encrypted, verified connection — stopping messages from being quietly intercepted in transit.
What it is
MTA-STS (Mail Transfer Agent Strict Transport Security) is a policy you publish for your domain that tells other mail servers: “only deliver email to me over a properly encrypted, verified connection — and if you can’t, don’t deliver it insecurely instead.”
By default, email between servers tries to use encryption but will quietly fall back to sending in the clear if anything goes wrong. MTA-STS removes that silent fallback for mail coming to you.
Why it matters to your business
The weakness it closes is subtle. An attacker positioned between two mail servers can tamper with the hand-off so the connection drops to unencrypted — and then read or alter the email as it passes. Neither sender nor recipient sees a thing.
For a business, the email arriving at your domain can include invoices, contracts, password resets and customer details. MTA-STS makes sure incoming mail is delivered over a genuinely secure connection or not at all, closing a quiet interception route. It works best paired with TLS-RPT, which reports any delivery problems so you can spot trouble.
How to tell / what to do
Our free checker tells you whether your domain publishes an MTA-STS policy. Setting one up involves a small DNS entry plus a short policy file hosted on your domain — a task for whoever manages your email and DNS. It’s free, and once in place it runs automatically in the background.
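The DNS entry and policy file described above have a fixed format defined in RFC 8461: a TXT record at _mta-sts.<your domain> and a text file at https://mta-sts.<your domain>/.well-known/mta-sts.txt. The following validator is an added example, not the checker this page refers to; the function names are hypothetical and the example.com record and policy are constructed samples.

```python
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds

def parse_txt_record(txt):
    # The TXT record only announces that a policy exists and carries its version id.
    fields = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record needs v=STSv1")
    pid = fields.get("id", "")
    if not (pid.isascii() and pid.isalnum() and len(pid) <= 32):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return pid

def parse_policy(text):
    # The policy file is a list of "key: value" lines; mx may repeat.
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy.setdefault(key, value)
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    age = policy.get("max_age", "")
    if not age.isdigit() or int(age) > MAX_AGE_LIMIT:
        raise ValueError("max_age must be an integer up to 31557600")
    policy["max_age"] = int(age)
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx entry is required")
    return policy

def mx_allowed(policy, mx_host):
    # A "*." pattern matches exactly one left-most label, as in certificate names.
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        wildcard = pattern.startswith("*.") and host.partition(".")[2] == pattern[2:]
        if wildcard or host == pattern:
            return True
    return False

def removes_fallback(policy):
    # Only "enforce" tells senders to refuse delivery rather than fall back.
    return policy["mode"] == "enforce"

# Constructed sample values for example.com
SAMPLE_TXT = "v=STSv1; id=20240101T000000"
SAMPLE_POLICY = "version: STSv1\nmode: testing\nmx: mail.example.com\nmx: *.mx.example.com\nmax_age: 86400\n"
```

A policy in testing mode, like the sample, is valid but does not yet stop the silent fallback; senders only report failures until the mode is switched to enforce.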