What is MTA-STS?
MTA-STS (Mail Transfer Agent Strict Transport Security) is a published policy that tells other mail servers they must use an encrypted, properly-certified connection when delivering email to your domain — and must refuse to fall back to an unencrypted one:
- The gap it closes — without it, the encryption between mail servers is opportunistic, and an attacker positioned in the middle can quietly strip it and read mail in transit.
- The rarest control an email scanner checks — just 1% of Australian small business domains publish an MTA-STS policy*.
- A genuinely advanced step — worth doing once SPF, DKIM and an enforcing DMARC policy are all in place, not before.
- It needs setup help — a policy file served over HTTPS plus a DNS record, so it usually wants help from whoever manages your domain.
MTA-STS is the last 5% of email hardening — get SPF, DKIM and DMARC enforcing first; this is for afterwards.