MTA-STS
A standard that lets a domain owner declare that incoming mail must be delivered over TLS, with policies hosted over HTTPS rather than DNS.
Definition
MTA-STS (SMTP MTA Strict Transport Security, RFC 8461) is a standard that lets a domain owner declare that all inbound mail to their domain must be delivered over TLS, with valid certificates that match the receiving server hostname. Without MTA-STS, SMTP TLS is opportunistic and trivially defeated by an attacker who can intercept the connection and strip the STARTTLS command. MTA-STS protects against this downgrade attack by binding the TLS requirement to the recipient domain, not just the connection in flight.
How it works
MTA-STS uses two components. First, a DNS TXT record at _mta-sts.<domain> declares the policy version and acts as a discovery beacon. Second, an HTTPS-hosted policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt contains the actual policy: a list of allowed MX hostnames and a mode of none, testing, or enforce. Sending servers fetch and cache this policy (typically for the max_age declared in the file, often 86400 seconds), then refuse delivery if the receiving MX presents an invalid certificate or refuses STARTTLS.
MTA-STS is often paired with TLS-RPT (TLS Reporting, RFC 8460), which provides a feedback channel for sending servers to report TLS failures back to the receiving domain. Together, the two protocols give a domain owner both enforcement (MTA-STS) and visibility (TLS-RPT).
Example
The DNS TXT record at _mta-sts.example.com:

v=STSv1; id=20260424T120000Z;

The HTTPS-hosted policy file at https://mta-sts.example.com/.well-known/mta-sts.txt:

version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.com
max_age: 86400

Senders fetch this file once and cache it for 24 hours, then refuse delivery to any MX not listed or any MX that fails certificate validation.
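The following is an added example, not code from the page or from any MTA implementation. It parses the discovery TXT record and the policy file shown above, applies the MX matching rule from RFC 8461 (an exact hostname, or a `*.` wildcard that covers exactly one DNS label), and shows what a sending server decides for a candidate MX under enforce versus testing mode. The policy text, the TXT record and the MX hostnames are constructed sample data; no network lookups or HTTPS fetches are performed.

```python
"""Added example (not part of the original page): a minimal MTA-STS policy
parser and sender-side delivery decision. All inputs below are constructed
sample data modelled on the page's example.com policy."""
from dataclasses import dataclass, field

# Constructed sample: body a sender would fetch from
# https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.com
max_age: 86400
"""

# Constructed sample: the discovery TXT record at _mta-sts.example.com
SAMPLE_TXT = "v=STSv1; id=20260424T120000Z;"


@dataclass
class Policy:
    version: str
    mode: str
    mx: list = field(default_factory=list)
    max_age: int = 0


def parse_txt_record(txt: str) -> dict:
    """Parse the _mta-sts TXT record into key/value fields. RFC 8461 defines
    'v' (must be STSv1) and 'id'; a changed id tells senders to refetch."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        raise ValueError("not an MTA-STS TXT record")
    if not fields.get("id"):
        raise ValueError("TXT record missing id")
    return fields


def parse_policy(text: str) -> Policy:
    """Parse the HTTPS-hosted policy file. Unknown keys are ignored so that
    future extensions do not break older senders; mandatory keys are checked."""
    version = mode = None
    mx = []
    max_age = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value.lower()
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            max_age = int(value)
    if version != "STSv1":
        raise ValueError("unsupported or missing version")
    if mode not in ("none", "testing", "enforce"):
        raise ValueError(f"invalid mode: {mode!r}")
    if max_age is None:
        raise ValueError("max_age is required")
    if mode != "none" and not mx:
        # A testing/enforce policy with no MX patterns would match nothing.
        raise ValueError("at least one mx entry is required")
    return Policy(version, mode, mx, max_age)


def mx_matches(pattern: str, hostname: str) -> bool:
    """RFC 8461 MX matching: exact match, or a leading '*.' that covers exactly
    one label (so *.example.com matches mail.example.com but not
    deep.mail.example.com, and not the bare example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return pattern == hostname


def delivery_decision(policy: Policy, mx_host: str,
                      starttls_ok: bool, cert_valid: bool) -> str:
    """What a sending MTA does with one candidate MX under a cached policy.
    'deliver': all checks passed (or mode none). 'refuse': enforce mode and a
    check failed. 'deliver-and-report': testing mode, where the failure is
    only reported via TLS-RPT and mail is still sent."""
    if policy.mode == "none":
        return "deliver"
    ok = (starttls_ok and cert_valid
          and any(mx_matches(p, mx_host) for p in policy.mx))
    if ok:
        return "deliver"
    return "refuse" if policy.mode == "enforce" else "deliver-and-report"


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    print(parse_txt_record(SAMPLE_TXT))
    print(pol)
    print(delivery_decision(pol, "mail.example.com", True, True))
    print(delivery_decision(pol, "mx.attacker.invalid", True, True))
    print(delivery_decision(pol, "mail.example.com", False, True))
```

The last two calls are the cases MTA-STS exists for: an MX outside the published list, and an MX that refuses STARTTLS. Under enforce both are refused; switching the sample policy to testing mode turns the same failures into deliveries that are merely reported, which is why a domain should move to enforce only after TLS-RPT shows the failure rate is clean.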