MTA-STS (Mail Transfer Agent Strict Transport Security)

MTA-STS (RFC 8461) is a mechanism that allows email domains to declare a policy requiring that inbound SMTP connections to their mail servers use TLS and present a valid [[ssl-tls|certificate]] (one that chains to a trusted CA and matches the MX hostname). The policy is published via a DNS TXT record that points to an HTTPS-served policy file; sending mail servers that support MTA-STS fetch and cache the policy before delivering mail. MTA-STS prevents opportunistic TLS downgrade attacks — where attackers intercept SMTP traffic and strip the STARTTLS offer so the session falls back to plaintext — and is an alternative to [[dane|DANE]] that does not require [[dnssec|DNSSEC]]; the two can be deployed side by side. Implementing MTA-STS alongside [[dmarc|DMARC]] and [[spf-record|SPF]] significantly hardens an organization's email security posture.
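The following is an added example, not part of the original entry and not code from any mail server or from the RFC: it parses a constructed `_mta-sts` TXT record and a constructed `mta-sts.txt` policy file in the RFC 8461 format, implements the MX wildcard matching rule (a leading `*.` matches exactly one label), and shows how a sending MTA would decide which MX hosts it may deliver to under `enforce`, `testing` and `none` modes. All sample records and hostnames are made up; nothing is fetched from DNS or HTTPS.

```python
"""
Constructed MTA-STS example: parse the DNS TXT record and the policy file,
then decide which MX hosts a sending MTA may use. Sample data is invented
and no network access is performed.
"""
from dataclasses import dataclass

# Constructed TXT record, as it would be read at _mta-sts.example.com
SAMPLE_TXT = "v=STSv1; id=20240101000000Z;"

# Constructed policy body, as served at https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mail.example.com\r\n"
    "mx: *.mx.example.net\r\n"
    "max_age: 604800\r\n"
)


@dataclass
class StsPolicy:
    version: str
    mode: str
    mx: list
    max_age: int  # seconds the sender may cache the policy


def parse_sts_txt(txt):
    """Parse the _mta-sts TXT record; return the policy id, or None if it is not a valid STSv1 record."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def parse_policy(text):
    """Parse the mta-sts.txt body into an StsPolicy; raise ValueError if it is malformed."""
    version = mode = max_age = None
    mx = []
    for raw in text.splitlines():  # accepts LF or CRLF line endings
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("policy line without ':' separator: %r" % line)
        key, value = key.strip(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            max_age = int(value)
        # unknown keys are ignored so future extensions do not break parsing
    if version != "STSv1":
        raise ValueError("unsupported policy version")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if max_age is None:
        raise ValueError("max_age is required")
    if mode != "none" and not mx:
        raise ValueError("at least one mx entry is required unless mode is none")
    return StsPolicy(version, mode, mx, max_age)


def mx_matches(pattern, host):
    """RFC 8461 MX matching: a leading '*.' wildcard matches exactly one label,
    so '*.example.com' matches 'mail.example.com' but not 'example.com'
    or 'a.b.example.com'. Comparison is case-insensitive."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return host == pattern


def evaluate_mx_hosts(policy, mx_hosts):
    """Return (usable, mismatched) for the DNS MX hosts of the recipient domain.
    enforce: only matching hosts are usable, the rest must not be used.
    testing: every host stays usable, mismatches are only reported (e.g. via TLSRPT).
    none:    the policy imposes nothing."""
    if policy.mode == "none":
        return list(mx_hosts), []
    matching = [h for h in mx_hosts if any(mx_matches(p, h) for p in policy.mx)]
    mismatched = [h for h in mx_hosts if h not in matching]
    usable = list(mx_hosts) if policy.mode == "testing" else matching
    return usable, mismatched


if __name__ == "__main__":
    policy_id = parse_sts_txt(SAMPLE_TXT)
    policy = parse_policy(SAMPLE_POLICY)
    hosts = ["mail.example.com", "backup.mx.example.net", "mx.third-party.example"]
    print("policy id:", policy_id, "mode:", policy.mode)
    print("usable / mismatched:", evaluate_mx_hosts(policy, hosts))
```

A real sender additionally verifies, per usable host, that the TLS handshake succeeds and the certificate validates for that hostname; in `enforce` mode a failure there means the message is queued rather than delivered in the clear, which is exactly the downgrade the record is meant to stop. The `id` from the TXT record is what tells a sender its cached policy is stale and must be re-fetched.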

Example

Google publishes an MTA-STS policy for gmail.com; external mail servers that support MTA-STS will refuse to deliver email to Gmail over a plaintext connection or over a TLS connection that presents a self-signed (untrusted) certificate.