MTA-STS
protect senders
What is MTA-STS?
MTA-STS (SMTP MTA Strict Transport Security, RFC 8461) is a protocol that lets a receiving domain publish a policy requiring TLS for mail delivered to it. When a sending mail server connects to that domain's servers, it checks for the presence of an MTA-STS policy and uses it to decide whether the connection must be encrypted.
MTA-STS addresses "man-in-the-middle" attacks, in which an attacker positioned between two mail servers intercepts messages in order to read or modify them. SMTP servers negotiate TLS opportunistically, so an attacker on the path can simply remove the offer and force a plaintext session; by letting the receiving domain require TLS, MTA-STS helps prevent these attacks.
The mechanism works by hosting a text file at a well-known HTTPS URL that lists the authorized mail servers. It then relies on the TLS certificates those servers present to verify that they are the servers authorized for the domain. To see MTA-STS in action, open the following URL in a web browser:
https://mta-sts.google.com/.well-known/mta-sts.txt
The MX servers in this file are the same as those in the domain's DNS MX records. The server behind smtp.google.com must present (via STARTTLS) a certificate valid for that hostname and signed by a well-known certificate authority, just like the TLS certificates used by websites.
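As an added example (not code from the original page or from Google), the following Python parses a policy file in the format served at the URL above and applies the MX matching rule a sending server uses, including the one-label wildcard form. The policy text and host names are constructed for the example.

```python
"""Parse an MTA-STS policy (RFC 8461 key: value format) and check MX hosts against it."""
from typing import Dict, List

# Constructed sample policy (assumed host names, not any real domain's policy).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail1.example.net
mx: *.backup.example.net
max_age: 604800
"""


def parse_policy(text: str) -> dict:
    """Return {'version', 'mode', 'max_age', 'mx': [...]} or raise ValueError."""
    policy: dict = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                raise ValueError(f"duplicate key: {key}")
            policy[key] = value
        # Unknown keys are ignored for forward compatibility.
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    try:
        policy["max_age"] = int(policy["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age must be present and an integer")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx entry is required")
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """Exact match, or '*.' wildcard matching exactly one leftmost label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. '.backup.example.net'
        prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return host == pattern


def allowed_mx(policy: dict, mx_hosts: List[str]) -> Dict[str, bool]:
    """Map each DNS MX host to whether the policy authorizes it."""
    return {h: any(mx_matches(p, h) for p in policy["mx"]) for h in mx_hosts}
```

In enforce mode a sender must not deliver to an MX host that maps to False, which is how a spoofed MX record is detected.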