SMTP MTA Strict Transport Security — a policy mechanism by which a recipient domain declares that mail sent to its servers must use authenticated TLS. Sending MTAs that support MTA-STS fetch the policy and enforce TLS encryption with valid certificate verification when delivering mail. The mechanism uses two coordinated components: a DNS TXT record at _mta-sts.example.com signaling policy presence, and a policy file served over HTTPS at mta-sts.example.com/.well-known/mta-sts.txt that declares authorized MX hosts, mode, and cache duration. MTA-STS protects against the downgrade attacks and DNS-based MX redirection that opportunistic STARTTLS cannot.
The problem MTA-STS solves
SMTP was originally specified in 1982 with no encryption. TLS was added later via the STARTTLS extension (RFC 3207, 2002), but with a fundamental limitation: STARTTLS is opportunistic. The sending and receiving servers negotiate whether to use TLS during the SMTP handshake, and if either side claims TLS is unavailable, the message flows in plaintext. Two attack vectors exploit this:
- STARTTLS stripping (downgrade attack). An attacker positioned in the network path between sender and receiver intercepts the receiver's response to the sender's
EHLOand removes the250-STARTTLSline. The sender now believes the receiver doesn't support TLS and sends in plaintext. The attacker captures or modifies the message in transit. Both endpoints have no signal that TLS was even possible. - MX redirection via DNS spoofing. An attacker manipulates the DNS response for the sender's
MXlookup, replacing the legitimate MX target with an attacker-controlled mail server. The attacker presents a valid TLS certificate for their own domain, the sending server happily encrypts, the attacker copies/modifies the message, and forwards it to the real MX. STARTTLS doesn't catch this because the attacker's TLS connection is itself valid.
MTA-STS addresses both. By publishing an out-of-band policy fetched over HTTPS, the recipient domain tells the world: "Mail to me must use TLS, with a valid certificate matching one of these MX hostnames." A sending MTA that supports MTA-STS will refuse to deliver in plaintext when the policy mode is enforce — even if STARTTLS appears stripped, even if the MX response was spoofed, the cached policy provides the authoritative list of expected MX targets and the requirement to verify TLS certificates against them.
How MTA-STS works — the dual DNS+HTTPS architecture
MTA-STS is unusual among email authentication standards because it requires two coordinated components: a DNS TXT record signaling policy presence, and an HTTPS-served policy file that contains the actual rules. Both must be operational; either one missing or broken means the policy is effectively absent from the perspective of sending MTAs.
The two components serve different roles. The DNS TXT record is small, fast to fetch, and contains a version id that changes whenever the policy changes. The HTTPS policy file is the authoritative document containing the actual list of MX hosts, mode, and cache duration. Sending MTAs that have already fetched a policy don't re-fetch the HTTPS file on every message — they only re-fetch when the DNS TXT record's id value differs from what they last saw, or when their cache has expired (after max_age seconds).
The DNS TXT record
The HTTPS policy file
The three modes — none, testing, enforce
MTA-STS defines three policy modes, each with different operational semantics. The standard rollout sequence is testing → enforce, with none reserved as the explicit way to retire a previously-published policy. Skipping testing mode is the most common cause of post-deployment delivery loss.
none mode: none
Explicitly declares no MTA-STS policy. Used to remove a previously-published policy without abruptly leaving cached policies in place. Sending MTAs that re-fetch see mode: none and treat the domain as having no policy — they don't enforce TLS based on cached older policies.
testing mode: testing
The required first step in any MTA-STS deployment. Sending MTAs perform full TLS verification (certificate, hostname, MX policy match) but deliver the message regardless of result. Failures are reported via TLS-RPT for monitoring. Allows a 2-4 week observation period to identify legitimate senders that would fail enforce mode.
enforce mode: enforce
The production enforcement mode. Sending MTAs reject delivery (treat as transient failure, retry later) when TLS verification fails: no STARTTLS offered, certificate invalid, hostname mismatch, MX not in policy. Failures still appear in TLS-RPT. Skipping testing mode causes legitimate mail loss.
enforce mode on day one, expecting it to work like enabling SPF or DKIM. Within hours, they're seeing delivery delays from senders that have certificate or MX configuration mismatches the team didn't know about — and only TLS-RPT reports show what's happening, but TLS-RPT also wasn't deployed. Production rollout always starts with mode: testing + TLS-RPT, runs for at least 2-4 weeks, and only advances to enforce after the failure rate hits zero or near-zero.
Adoption in 2026 — the data
Despite being defined in 2018 and supported by Gmail, Microsoft, and Yahoo for outbound mail, MTA-STS adoption remains in single digits across the broader internet. The growth curve is upward but slow. Public-sector mandates (UK NCSC, US CISA) have pushed government domains well above the average, while regulated industries like banking lag despite the obvious need.
(URIports, January 2026)
(2024 → 2026)
(4 of 5)
(NCSC mandate-driven)
(95.2% gap despite SWIFT exposure)
A/AAAA at policy host
The interpretation: organizations that adopt MTA-STS mostly get it right (high deployment-correctness rate), but most organizations don't adopt it at all. The barrier isn't technical complexity — it's that the protection MTA-STS offers is invisible to most operators until they investigate transport-layer attacks specifically. SPF/DKIM/DMARC have visible payoff (DMARC reports, deliverability impact). MTA-STS protects against attacks most teams have never seen evidence of, even though those attacks are happening.
MTA-STS vs DANE — when to use which
DANE (DNS-based Authentication of Named Entities, RFC 7672) is the alternative transport-security mechanism, predating MTA-STS but adopted less widely because of its DNSSEC dependency. The two are not mutually exclusive — domains with DNSSEC can publish both. The choice is determined primarily by whether you have DNSSEC.
| Dimension | MTA-STS (RFC 8461) | DANE/TLSA (RFC 7672) |
|---|---|---|
| Trust mechanism | HTTPS policy fetch + Web PKI certificate validation | TLSA records signed by DNSSEC; binds cert directly to DNS |
| DNSSEC required? | No | Yes (mandatory) |
| Trust-on-first-use weakness | Yes — first fetch can be spoofed | No — DNSSEC authenticates from start |
| Self-signed certs allowed | No — must validate against PKIX trust chain | Yes — TLSA can bind any cert |
| Built-in testing mode | Yes — mode: testing |
No — DANE is binary on/off |
| Caching architecture | Sender caches HTTPS policy for max_age | No caching — every delivery checks DNSSEC TLSA |
| Policy update visibility | DNS TXT id changes signal re-fetch needed | TLSA records are authoritative; resolvers respect TTL |
| Adoption among major receivers | Gmail, Microsoft, Yahoo all support outbound | Mainly EU ecosystem; Postfix-heavy environments |
| Practical deployment barrier | Need HTTPS policy host + valid cert | Need DNSSEC-signed zone (high barrier) |
Safe deployment — the testing → enforce migration
The standard rollout sequence is non-negotiable: any domain that goes straight to enforce mode is risking delivery loss. The sequence below is the production-grade pattern based on RFC 8461 guidance and operational experience from large mail operators.
Inventory MX hosts and verify TLS certs
Document every MX host listed in your DNS. Verify each has a valid TLS certificate (TLS 1.2+, valid hostname match, valid chain). Use openssl s_client -connect mx1.example.com:25 -starttls smtp to inspect certs hop by hop. Identify any MX hosts with self-signed certificates, expired certs, or hostname mismatches — these will fail under enforce.
Set up the policy host
Create A/AAAA record at mta-sts.example.com pointing to a webserver (or use a hosted MTA-STS provider — covered below). Provision a TLS certificate for that hostname. Place the policy file at /.well-known/mta-sts.txt. Verify with curl -I https://mta-sts.example.com/.well-known/mta-sts.txt — must return 200 OK, no redirects.
Publish policy with mode: testing + TLS-RPT
Policy file declares mode: testing. Simultaneously publish TLS-RPT TXT record at _smtp._tls.example.com pointing to your reporting endpoint. Publish DNS TXT at _mta-sts.example.com with v=STSv1; id=<timestamp>. From this moment, sending MTAs that support MTA-STS begin observing your policy and reporting via TLS-RPT.
Monitor TLS-RPT for 2-4 weeks
Daily TLS-RPT reports arrive in JSON. Aggregate by failure type: certificate-expired, tls-required-but-not-supported, policy-mismatch, certificate-name-mismatch. The expected end state is zero or near-zero failures from legitimate senders. Investigate any persistent failure — usually traces to a specific MX host with bad cert configuration, or a wildcard pattern in the policy that doesn't match actual MX hostnames.
Resolve every TLS-RPT failure category
Common fixes at this stage: replace expired/mismatched certificates, update policy mx: lines to include all real MX hostnames, switch from CNAME to direct A/AAAA on MX records (Microsoft compatibility), increase max_age from initial conservative value to 604800 (7 days). Each fix triggers an id bump on the TXT record and a re-fetch by senders.
Update policy to mode: enforce
Update the HTTPS policy file first (change mode: testing to mode: enforce). Wait for HTTPS cache to clear (5 minutes typical). Then update the DNS TXT id value to signal re-fetch. Senders pick up the new policy within their existing cache TTL or sooner if the id change triggers immediate re-fetch.
Continuous monitoring and quarterly audit
TLS-RPT continues to report. Set up alerting on any non-zero failure rate. Audit quarterly that the policy mx: lines still match actual MX hostnames after any infrastructure changes. Renew certificates ahead of expiration with at least 30 days buffer — expired cert on a single MX host fails MTA-STS for all mail to that host.
Hosted MTA-STS vs self-hosted policy
The HTTPS policy host is the operationally annoying piece of MTA-STS deployment. It needs a webserver, a TLS certificate, monitoring, and ongoing maintenance — all to serve a small static text file that rarely changes. Two deployment patterns exist:
| Pattern | Setup | Operational burden | Trade-off |
|---|---|---|---|
| Self-hosted | Your own webserver at mta-sts.example.com with valid TLS cert and policy file | Webserver maintenance, cert renewal, uptime monitoring | Full control. Required if compliance forbids third-party hosting of policy data. |
| Cloudflare Workers / Lambda | Serverless function returning the policy file. Worker route or Lambda + API Gateway. | Function deployment + cert via the platform | Effectively free at MTA-STS volumes (typically <100K requests/day). Common pattern. |
| Hosted MTA-STS providers | Third-party (URIports, MxToolbox, CaptainDNS, PowerDMARC) hosts the policy file. You add CNAME at mta-sts.example.com pointing to their service. | Zero — provider handles cert, uptime, distribution | Free tiers exist for most providers. Single point of failure outside your control. |
| CDN with origin | Cloudflare, Fastly, or other CDN fronting your policy file | CDN config, but no origin webserver needed if file is in object storage | Mid-complexity; useful if you already use the CDN for other services. |
addEventListener('fetch', e => e.respondWith(new Response('version: STSv1\nmode: enforce\nmx: mx1.example.com\nmax_age: 604800\n', {headers: {'content-type': 'text/plain'}}))). Configure a worker route for mta-sts.example.com/.well-known/mta-sts.txt and Cloudflare's automatic TLS handles the cert.
Common deployment failures
The 2026 URIports survey of the Top 1M domains found that ~20% of published MTA-STS deployments have at least one operational issue. The seven most common failure modes, ordered by frequency in the survey:
Missing A/AAAA at policy host
34% of broken deploymentsTeam published the DNS TXT record at _mta-sts and the policy file, but forgot to add A/AAAA records for the mta-sts.example.com hostname. Sending MTAs can't reach the policy host. Fix: add A or AAAA records pointing to your webserver/Worker/CDN endpoint.
Invalid or expired TLS certificate
~15% of broken deploymentsPolicy host serves HTTPS but with an expired, self-signed, or wrong-hostname cert. RFC 8461 requires PKIX-validated cert matching mta-sts.example.com. Fix: use Let's Encrypt or hosted provider; auto-renew with at least 30-day buffer.
HTTP 3xx redirects from policy URL
~10% of broken deploymentsPolicy URL returns 301 or 302 redirect (e.g., HTTP-to-HTTPS redirect, or canonical hostname redirect). MTA-STS forbids following redirects. Fix: serve the policy directly at the canonical URL with 200 OK, no redirects.
Policy/MX mismatch
~8% of broken deploymentsReal MX records list hostnames not in the policy mx: lines. Common after MX changes that didn't trigger policy update. Fix: audit policy after every MX change. Use wildcards (*.mail.example.com) carefully — they match only the leftmost label.
Microsoft CNAME-on-MX failure
~5% of broken deploymentsMicrosoft Exchange Online doesn't resolve CNAMEs on MX records when MTA-STS is active — non-RFC-compliant but documented behavior. If your domain uses CNAME to alias MX, Microsoft delivery fails. Fix: list the resolved CNAME target in the policy mx: lines, or remove the CNAME and use direct A/AAAA on the MX hostname.
Wrong Content-Type header
~4% of broken deploymentsPolicy file served with application/octet-stream or HTML content-type. RFC 8461 specifies text/plain (charset utf-8 recommended). Fix: webserver MIME type config; for serverless functions, set the response header explicitly.
Stale policy after id update
~3% of broken deploymentsHTTPS policy was updated but DNS TXT id wasn't bumped. Sending MTAs check the TXT record's id; if unchanged, they keep using cached HTTPS policy until max_age expires. Fix: always update id after HTTPS policy change. Use timestamp-based id values for easy correlation.
Mismatched version directive
~2% of broken deploymentsPolicy file uses version: 1 instead of version: STSv1, or DNS TXT uses v=1 instead of v=STSv1. RFC 8461 requires the explicit "STSv1" string. Fix: validate with a syntax checker before deploying. Both DNS TXT and HTTPS policy must use STSv1.
MTA-STS in Cloud Server for Email's managed infrastructure
For clients on managed PowerMTA + MailWizz infrastructure, MTA-STS is configured during the day 1-3 onboarding sequence as part of the broader transport-security setup (alongside TLS-RPT and DANE for DNSSEC-enabled clients). The patterns we use across most accounts:
- Hosted policy via the dedicated subdomain pattern. Each client sending domain gets
mta-sts.<client-subdomain>served from our managed HTTPS infrastructure. This avoids requiring the client to set up their own webserver for what is essentially a static file. The client publishes a CNAME atmta-sts.example.compointing to our endpoint, and we handle TLS, uptime, and policy updates. - Default rollout: testing → enforce in 30 days. All new client domains start in
testingmode at day 14 (after the rest of the authentication stack is verified working), with TLS-RPT collection going to our reporting endpoint. We aggregate failures, identify any MX hosts with cert issues, fix them coordinated with the client, and advance toenforceat day 30-45. - max_age: 604800 (7 days) as the default, balancing cache effectiveness against rapid policy update propagation. Some compliance-sensitive clients prefer 86400 (1 day) for faster policy changes; we configure per-client based on requirements.
- Microsoft CNAME-on-MX awareness. Our managed infrastructure uses direct A/AAAA records on MX hostnames (no CNAMEs), so Microsoft Exchange Online's stricter interpretation isn't an issue for our outbound delivery. For clients running mixed inbound infrastructure (e.g., corporate mail at Microsoft 365, marketing at our infrastructure), we coordinate the policy
mx:lines to cover both reachability paths. - Coordinated DANE deployment for DNSSEC clients. Clients with DNSSEC-signed zones get DANE TLSA records published alongside MTA-STS, providing the strongest possible transport-security posture. Both protocols coexist correctly when configured by the same team.
- TLS-RPT monitoring with weekly review. Failures aggregated across all client domains are reviewed weekly. Most reports show zero or single-digit failures per domain per week. Any sustained failure pattern triggers investigation — usually traces to a specific receiver's intermediate gateway with deprecated TLS configuration.
Auditing your MTA-STS — practical workflow
Related concepts
- TLS-RPT — SMTP TLS Reporting (RFC 8460); the companion reporting protocol that tells you which sending MTAs successfully or unsuccessfully delivered under your MTA-STS policy. Mandatory for safe MTA-STS rollout.
- DANE/TLSA — DNS-based Authentication of Named Entities (RFC 7672); the alternative transport-security mechanism using DNSSEC. Stronger guarantees, higher deployment barrier. (Coming soon)
- STARTTLS — the SMTP TLS upgrade extension (RFC 3207); the opportunistic encryption layer MTA-STS hardens. (Coming soon)
- DNSSEC — DNS Security Extensions; required for DANE, optional but beneficial alongside MTA-STS. (Coming soon)
- SPF, DKIM, DMARC — the message-authentication layer; complementary to MTA-STS's transport-authentication layer. Both are needed for full email security posture.
Frequently asked questions
What does MTA-STS solve that STARTTLS doesn't?
STARTTLS is opportunistic encryption — sending and receiving servers negotiate TLS during the SMTP handshake, but if the negotiation fails or is stripped by an attacker, mail still flows in plaintext. An attacker positioned in the network path can delete the "250 STARTTLS" response from the receiver's EHLO answer; the sender then assumes TLS isn't supported and sends in cleartext. This downgrade attack is invisible to both endpoints. MTA-STS publishes an out-of-band policy fetched over HTTPS that says "TLS is required to deliver to my domain" — a sending MTA that complies will refuse to deliver in plaintext when the policy mode is enforce, even if STARTTLS is stripped. The policy is cached based on max_age, so the attack window is bounded only by DNS-spoofing the very first fetch.
What are the three MTA-STS modes?
none — the domain explicitly disclaims any MTA-STS policy, used to remove a previously-published policy. testing — sending MTAs attempt TLS verification but deliver the message regardless of result; failures are reported via TLS-RPT. enforce — sending MTAs reject delivery if the receiver fails TLS verification (no valid certificate, hostname mismatch, MX not in policy, or TLS not offered). The standard rollout is to publish in testing mode for 2-4 weeks while monitoring TLS-RPT for unexpected failures, then switch to enforce only when the failure rate is near zero. Skipping the testing phase is the most common cause of email delivery loss after MTA-STS deployment.
How does MTA-STS deployment actually work?
Two coordinated components must exist before sending MTAs will respect the policy. (1) A DNS TXT record at _mta-sts.example.com containing v=STSv1; id=<changing-string> — the id changes whenever the policy changes, signaling MTAs to re-fetch. (2) An HTTPS-served policy file at mta-sts.example.com/.well-known/mta-sts.txt — must respond with HTTP 200 OK (no redirects), valid TLS certificate matching the mta-sts subdomain, declaring version: STSv1, mode: testing|enforce|none, mx: lines listing authorized MX hosts (wildcards allowed for left-most label only), and max_age: seconds (recommended ≥86400). The DNS record needs an A or AAAA record at mta-sts.example.com pointing to the HTTPS server.
Should I use MTA-STS or DANE?
MTA-STS if you don't have DNSSEC; both if you do. DANE (RFC 7672) provides stronger cryptographic guarantees by binding TLS certificates directly to DNS records signed with DNSSEC, eliminating the trust-on-first-use weakness of MTA-STS. But DNSSEC adoption sits below 30% of domains because of operational complexity, key management, and registrar support gaps. MTA-STS works without DNSSEC, has wider adoption among consumer providers (Gmail, Microsoft, Yahoo all support it), and includes a built-in testing mode that DANE lacks. The two are not mutually exclusive — domains with DNSSEC can publish both DANE TLSA records and MTA-STS policy. For most production deployments without DNSSEC, MTA-STS is the practical choice.
What is the trust-on-first-use weakness in MTA-STS?
The first time a sending MTA fetches your MTA-STS policy, it has no prior cache to compare against — if an attacker has DNS-spoofed the response and serves a fake policy with mode: none or no policy at all, the sending MTA accepts that as authoritative. The TOFU window is bounded by max_age (recommended ≥86400 seconds = 1 day). After the first successful fetch, the cached policy protects against DNS-spoofing for max_age seconds. DANE doesn't have this weakness because it relies on DNSSEC for authenticated DNS responses from the start. The practical impact: MTA-STS protects against ongoing downgrade attacks but not against an adversary who controls the network at the exact moment of first policy fetch. For most threat models, the TOFU window is acceptable.
What is TLS-RPT and why is it required for MTA-STS?
TLS-RPT (RFC 8460) is the reporting mechanism that tells you which sending MTAs successfully or unsuccessfully delivered to your domain under MTA-STS or DANE policies. Daily JSON reports list policy types, MX hosts contacted, total session counts, total failure counts, and per-failure-type breakdowns (TLS negotiation failure, certificate validation failure, policy mismatch, etc.). Without TLS-RPT, you have zero visibility into whether legitimate sending MTAs are failing your policy. The standard pattern: deploy MTA-STS in testing mode + TLS-RPT on day 1, monitor reports for 2-4 weeks, fix any unexpected failures, then advance to enforce mode. Publish a TXT record at _smtp._tls.example.com with v=TLSRPTv1; rua=mailto:tls-reports@example.com to receive reports.
Why does my Microsoft 365 MTA-STS deployment fail when receivers use CNAME on MX?
Microsoft Exchange Online enforces a stricter interpretation of RFC 8461 than most MTAs: when MTA-STS is active, Microsoft does NOT resolve CNAMEs on MX records. If your receiving domain uses a CNAME to alias its MX to another hostname (common pattern for hosted mail providers and email gateways), Microsoft's outbound delivery to your domain will fail MTA-STS checks and the email won't be sent. The workaround is to list the final target hostname in your MTA-STS policy mx: lines (the resolved A/AAAA destination), even though that doesn't strictly follow the RFC. Most other senders (Gmail, Yahoo) follow CNAMEs, so the issue is Microsoft-specific. Audit your MX records and policy mx: lines together to confirm the targets are reachable when CNAMEs are not resolved.
What are the most common MTA-STS deployment failures?
Based on URIports' 2026 survey of the Top 1M domains: missing A/AAAA records at mta-sts.example.com (34% of broken deployments) — the policy host hostname must resolve over HTTPS; missing or expired TLS certificate at mta-sts.example.com (high single-digit %); HTTP 3xx redirects from the policy URL (RFC 8461 forbids); policy file served with wrong Content-Type or MIME headers; mismatched version: directive (must be STSv1); MX patterns in policy that don't match actual MX records; max_age outside recommended range. About 1 in 5 published MTA-STS deployments has at least one of these issues. Validation tools (URIports, MxToolbox, CaptainDNS) check all components in a single test.
Need MTA-STS deployed correctly without the operational burden?
Cloud Server for Email's managed infrastructure includes hosted MTA-STS for every client sending domain — testing-mode rollout with TLS-RPT collection, coordinated transition to enforce, ongoing certificate management, and weekly failure-pattern review. Skip the webserver, the cert renewal, and the deployment surveys.
Talk to engineering →