Vol. 1 · Ed. 2026
CyberGlossary
Entry № 795

MTA-STS

Reviewed by Cybersecurity entrepreneur & security researcher

What is MTA-STS?

MTA-STS: An email security mechanism defined in RFC 8461 that lets a domain require TLS for inbound SMTP and pin a list of trusted MX hostnames, defeating downgrade and STARTTLS-stripping attacks.


MTA Strict Transport Security (MTA-STS), specified in RFC 8461, lets a domain publish a TXT record at _mta-sts.example.com and an HTTPS-fetched policy at https://mta-sts.example.com/.well-known/mta-sts.txt declaring required TLS, allowed MX hostnames, and a mode (none, testing, enforce). Sending MTAs cache the policy and, when in enforce mode, refuse to deliver mail if STARTTLS, certificate validation, or MX matching fails. MTA-STS complements DANE/TLSA for operators without DNSSEC and addresses opportunistic-TLS weaknesses where active attackers strip STARTTLS or present rogue certificates. SMTP TLS Reporting (RFC 8460) provides daily JSON reports of TLS failures to monitor coverage and incidents.

Examples

  1. Publishing an enforce-mode policy that limits inbound SMTP to mx1.example.com and mx2.example.com over TLS 1.2+.

  2. Receiving daily TLSRPT reports showing zero TLS failures after a successful MTA-STS rollout.
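
As an added example (not part of the original glossary entry), the following Python code parses a policy like the one in example 1 and applies the sender-side checks described in the definition: MX hostname matching and the none/testing/enforce delivery decision. The function names and the sample policy are constructed for illustration, and the STARTTLS and certificate-validation results are assumed to be supplied by the caller as booleans.

```python
# Added example (not from the original page); names and sample data are constructed.
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds

SAMPLE_POLICY = (  # constructed body of /.well-known/mta-sts.txt
    "version: STSv1\r\nmode: enforce\r\n"
    "mx: mx1.example.com\r\nmx: mx2.example.com\r\n"
    "max_age: 604800\r\n"
)

def parse_policy(text):
    """Parse key/value lines; raise ValueError on a policy a sender must reject."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy.setdefault(key, value)  # RFC 8461: first occurrence wins
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported version")
    if policy.get("mode") not in ("none", "testing", "enforce"):
        raise ValueError("invalid mode")
    max_age = policy.get("max_age", "")
    if not max_age.isdigit() or int(max_age) > MAX_AGE_LIMIT:
        raise ValueError("invalid max_age")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("mx required unless mode is none")
    return policy

def mx_allowed(policy, mx_host):
    """Exact match, or a '*.' pattern matching exactly one leftmost label."""
    host = mx_host.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else ""
    return any(host == p or (p.startswith("*.") and parent and parent == p[2:])
               for p in policy["mx"])

def delivery_decision(policy, mx_host, starttls_ok, cert_valid):
    """Return 'deliver', 'deliver-and-report' (testing) or 'refuse' (enforce)."""
    ok = starttls_ok and cert_valid and mx_allowed(policy, mx_host)
    if ok or policy["mode"] == "none":
        return "deliver"
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"
```

In testing mode the failure is only reported (via TLSRPT), so a policy can be validated against real traffic before switching to enforce.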

Frequently asked questions

What is MTA-STS?

An email security mechanism defined in RFC 8461 that lets a domain require TLS for inbound SMTP and pin a list of trusted MX hostnames, defeating downgrade and STARTTLS-stripping attacks. It belongs to the Network Security category of cybersecurity.

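How is MTA-STS used as a defence?

MTA-STS is itself a defensive control. Deploying it typically combines technical controls (a published policy in testing or enforce mode) and operational practices (monitoring SMTP TLS reports), as detailed in the full definition above.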

What are other names for MTA-STS?

Common alternative names include: MTA Strict Transport Security.
