What is MTA-STS and How Does It Protect Your Emails?


Email is the biggest culprit behind most cyberattacks. It is an easy access point for malware, adware, spam, and phishing, and provides infinite opportunities for threat actors to get hold of your personal information.

To mitigate these threats, stringent security measures should be in place for both individual and business email accounts.

Email Security and Encryption

Despite the popularity of other modes of communication, email messaging is still the largest form of data in transit for any individual or organization. Securing your email contents is a vital necessity.

Email security entails the inspection and encryption of all incoming and outgoing email traffic. Encryption plays a vital role in keeping the privacy of email contents intact by ensuring secure SMTP (Simple Mail Transfer Protocol) connections.

Until recently, encryption was only an optional requirement for SMTP.

How Does Email Encryption Work?

Email encryption is a process of adding a cipher or piece of code to your message content making it indecipherable. By converting email data into code, the contents are protected from unauthorized exposure. Simply put, your email is scrambled.

Two different looking keys

As an added security, the encryption process utilizes public and private keys where encrypted keys are exchanged to lock and unlock the coded emails. The sender encrypts the email using public-key cryptography and subsequently, the recipient uses a private key to decipher the received message.

Encryption is applied to the entire journey of an email, from start to finish. As a best practice, all inbound and outbound emails should be encrypted—not just the ones carrying sensitive information. This prevents the threat actors from gaining any entry point into your system.

A Background and Issues with SMTP

When the SMTP protocol came into existence in 1982, email encryption was not a common practice and by default, emails were sent and received in plain text. To introduce security at the transport level, the STARTTLS command was added in the late 1990s, which offered the encryption option through the TLS (Transport Layer Security) protocol.

As promising as the TLS upgrade sounded, it left two security loopholes intact:

  1. The encryption option was just that: optional. Non-secure emails were still rampant, causing a spike in cyber attacks.
  2. Even with the STARTTLS in place, there was no way to authenticate the identity of the sender’s server since SMTP servers do not validate certificates.

The Arrival of MTA-STS

In 2019, Google finally stepped up to the plate and announced the adoption of the new MTA-STS (Mail Transfer Agent/Strict Transport Security) standard (RFC8461).

This gives the mail service providers the ability to impose TLS for securing SMTP connections and also offers the option to deny email delivery to MX hosts that do not offer TLS with a reliable server certificate.

MTA-STS finally takes care of all the previous issues with SMTP by enforcing encryption between the communicating SMTP servers. But how does it actually work? Let’s find out!

How Does MTA-STS Work?

two mail servers sending email

MTA-STS goes to work by instructing an SMTP server to only communicate with another SMTP server on two conditions:

  1. The SMTP server must be encrypted.
  2. The domain name on the server’s certificate matches the domain in the policy, and the certificates are up to date.

By using a combination of DNS and HTTPS to publish a policy, MTA-STS informs the sending party how to proceed if an encrypted channel of communication cannot be initiated.

It’s easy to implement MTA-STS on the recipient’s end but for the sender, a supporting mail server software such as ProtonMail should be used.

Related: ProtonMail: The Email Security You Need With the Features You Want

What Type of Attacks Does MTA-STS Mitigate?

The following threats are met head-on if MTA-STS is applied to your email communications:

Man-In-The-Middle (MITM) Attacks: This attack is carried out when an attacker intercedes themselves in the middle of communication between two parties to steal or alter data. In the case of an email, that would typically mean two communicating SMTP servers. By employing MTA-STS, these attacks can be easily prevented.

Downgrade Attacks: A threat actor forces a network channel to change to an insecure data transmission mode. As an example, this attack might redirect a website visitor from an HTTPS version of a site to an HTTP version. MTA-STS helps combat these attacks by preventing any unauthorized access.

DNS Spoofing Attacks: These cunning attacks change the DNS records of a user’s intended destination and fools them into believing that they are visiting a legitimate site or domain. Implementing MTA-STS greatly helps in mitigating these attacks.

Related: What Is DNS Cache Poisoning?

Now that we are familiar with the MTA-STS, it is time to touch base with a new reporting standard for SMTP known as TLS reporting.

What is SMTP TLS Reporting (TLS-RPT)?

Just like MTA-STS, TLS-RPT is a reporting standard that detects connectivity issues and discrepancies between sending applications. Once enabled, it sends daily reports regarding any connection problems experienced by external servers while sending you emails.

Think of it as a troubleshooting tool where the reports can be used to gauge and triage potential problems and configuration issues.

What Type of Issues Does TLS-RPT Resolve?

Reports and Stats

Diagnostic Reporting: TLS reporting offers diagnostic reports in JSON file format containing comprehensive details regarding any inbound emails facing delivery issues. It also detects emails that bounced or did not deliver due to a downgrade attack, for instance.

Improved Visibility: By enabling TLS-RPT, you can improve visibility on all your email channels. This allows you to keep an eye on all the data that is heading your way, which also includes failed messages.

Daily Reports: The diagnostic reports are sent at least once a day to cover and observe the MTA-STS policies in depth. The reports also include traffic statistics as well as detailed information on errors and failed deliveries.

When All Else Fails, Encryption Prevails

Due to the continuously evolving nature of cyber threats, stringent security measures and cryptography are must-haves for safe and secure email delivery.

Thanks to the various email providers offering strong encryption capabilities and the MTA-STS standards, fully secure email transfers are not a far-fetched reality anymore.


The 5 Most Secure and Encrypted Email Providers

Fed up with government and third-party surveillance of your emails? Protect your messages with a secure encrypted email service.

About The Author


Products You May Like

Leave a Reply

Your email address will not be published. Required fields are marked *