What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) is a published policy that tells other mail servers they must use an encrypted, properly-certified connection when delivering email to your domain — and must refuse to fall back to an unencrypted one:

  • The gap it closes — without it, the encryption between mail servers is opportunistic, and an attacker positioned in the middle can quietly strip it and read mail in transit.
  • The rarest control an email scanner checks — just 1% of Australian small business domains publish an MTA-STS policy*.
  • A genuinely advanced step — worth doing once SPF, DKIM and an enforcing DMARC policy are all in place, not before.
  • It needs setup help — a policy file served over HTTPS plus a DNS record, so it usually wants help from whoever manages your domain.

MTA-STS is the last 5% of email hardening — get SPF, DKIM and DMARC enforcing first; this is for afterwards.