TLS
MTA-STS: enforcing TLS for inbound mail
Without MTA-STS, SMTP TLS is opportunistic: a sending server uses STARTTLS only if the receiving server offers it and otherwise falls back to plaintext, so an on-path attacker who strips the STARTTLS offer or presents an untrusted certificate can downgrade the connection. MTA-STS publishes a policy that turns TLS, with a validated certificate, into a hard requirement.
How the policy is published
MTA-STS uses two pieces of published data: a DNS TXT record at _mta-sts.<domain> that announces the current policy ID (senders re-fetch the policy whenever this ID changes), and a policy file served over HTTPS at https://mta-sts.<domain>/.well-known/mta-sts.txt that carries the actual rules (version, mode, one or more mx entries, max_age). The HTTPS fetch, with a valid certificate for mta-sts.<domain>, is what keeps the policy itself from being tampered with in transit.
Modes
In testing mode, senders still deliver when TLS or the MX check fails but report the failure; in enforce mode, they refuse to deliver over an insecure connection. Start at mode: testing for at least max_age seconds (typically 86400 = 1 day) so senders learn the policy without breaking mail, then move to enforce.
Pairing with TLS-RPT
Pair MTA-STS with TLS-RPT (a TXT record at _smtp._tls.<domain>) so senders email you aggregate reports when TLS negotiation or policy validation fails. Without TLS-RPT you have no visibility into delivery failures caused by your own policy, including mistakes such as an MX host missing from the mx list.
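The following is an added example, not code from the original page: a small Python model of what a sending MTA does with the material described above. It parses the _mta-sts TXT record, the policy file and the TLS-RPT record, validates the required fields, checks an MX host against the policy's mx patterns (a leading "*." matches exactly one label), and returns the delivery decision for each mode. All records are constructed sample data; the hostnames and the 20240101000000Z policy ID are made up.

```python
"""Model of a sender's MTA-STS policy handling (added example, constructed data)."""

# Constructed sample: the TXT record a sender reads at _mta-sts.<domain>
SAMPLE_TXT = "v=STSv1; id=20240101000000Z;"

# Constructed sample: the policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 86400
"""

# Constructed sample: the TLS-RPT record at _smtp._tls.<domain>
SAMPLE_TLSRPT = "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"

VALID_MODES = ("testing", "enforce", "none")  # "none" is also defined by RFC 8461


def _parse_tag_value(record):
    """Split a 'k=v; k=v' style DNS record into a dict."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def parse_txt_record(record):
    """Validate the _mta-sts TXT record; the id is what tells senders to re-fetch."""
    fields = _parse_tag_value(record)
    if fields.get("v") != "STSv1":
        raise ValueError("not an MTA-STS TXT record")
    if not fields.get("id"):
        raise ValueError("MTA-STS TXT record lacks a policy id")
    return fields


def parse_tlsrpt_record(record):
    """Validate the TLS-RPT record; rua= is where failure reports are sent."""
    fields = _parse_tag_value(record)
    if fields.get("v") != "TLSRPTv1" or not fields.get("rua"):
        raise ValueError("not a usable TLS-RPT record")
    return fields


def parse_policy(text):
    """Parse the key: value policy file and check the fields the page lists."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing policy version")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("mode must be testing, enforce or none")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer (seconds)")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("an active policy needs at least one mx entry")
    return policy


def mx_matches(host, pattern):
    """An mx pattern is an exact host, or '*.suffix' matching exactly one extra label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".backup.example.net"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[: -len(suffix)]  # only one label before the suffix
    return host == pattern


def mx_allowed(host, policy):
    return any(mx_matches(host, p) for p in policy["mx"])


def delivery_decision(host, policy, tls_ok):
    """What a sender does with a connection to `host` given the policy and TLS outcome.

    tls_ok means TLS was negotiated with a certificate valid for the MX host.
    """
    if policy["mode"] == "none" or (tls_ok and mx_allowed(host, policy)):
        return "deliver"
    if policy["mode"] == "enforce":
        return "do-not-deliver"  # sender must not fall back to plaintext or a bad MX
    return "deliver-and-report"  # testing: deliver anyway, report via TLS-RPT


if __name__ == "__main__":
    parse_txt_record(SAMPLE_TXT)
    pol = parse_policy(SAMPLE_POLICY)
    print(parse_tlsrpt_record(SAMPLE_TLSRPT)["rua"])
    print(delivery_decision("mail.example.com", pol, tls_ok=True))
    print(delivery_decision("mx1.backup.example.net", pol, tls_ok=False))
```

The wildcard rule is the part operators most often get wrong: "*.backup.example.net" covers "mx1.backup.example.net" but neither "backup.example.net" itself nor "a.b.backup.example.net", so every real MX hostname should be checked against the policy before switching to enforce.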
Frequently asked questions
- Does MTA-STS affect outbound mail?
- No. It only affects mail coming into your domain: the policy tells other senders how they must deliver to you. Your own outbound mail is governed by the MTA-STS policies of the domains you send to.