MTA-STS and TLS-RPT: Closing the SMTP Encryption Gap
SPF, DKIM, and DMARC stop spoofing of your domain. MTA-STS protects mail coming in to you from being intercepted or downgraded in transit.
SPF, DKIM, and DMARC are the headline email security controls, and rightly so. They stop attackers from spoofing your domain to other people. What they do not address is the trip the message takes from a sender's mail server to yours. That trip still relies on a 1990s-era protocol called SMTP, and by default its encryption (STARTTLS) is opportunistic: it is used when both servers offer it and silently skipped when one of them appears not to. A network attacker who can sit between two mail servers can quietly strip the STARTTLS offer and force plaintext delivery, or redirect mail to a server they control, and neither side will notice.
MTA-STS is the modern fix. It is a policy you publish that tells sending mail servers two things: TLS is required when delivering mail to your domain, and the receiving server's certificate must match one of the approved mail hostnames named in the policy. If either condition fails, the sending server refuses to deliver in plaintext. TLS-RPT is the companion reporting standard. It gives you a daily summary from Google, Microsoft, Yahoo, and other large providers showing whether anyone tried and failed to deliver mail to you securely.
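The two conditions above are easier to reason about when you see the checks a policy-aware sender actually runs. The following is an added example written for this article, not code from the original post or from any vendor: it parses the two artifacts MTA-STS publishes (the `_mta-sts` DNS TXT record and the policy text file served over HTTPS, in the RFC 8461 format), matches an MX hostname against the policy's `mx` entries, and shows how the same failure is handled in testing versus enforce mode. The domain, policy id and hostnames are constructed sample values.

```python
"""Parse an MTA-STS policy and evaluate a delivery attempt against it.

Added example (not the article's own code): mirrors the checks a sending
MTA performs under RFC 8461, using constructed sample records for example.com.
"""
from dataclasses import dataclass

VALID_MODES = {"enforce", "testing", "none"}


@dataclass
class StsPolicy:
    mode: str
    mx: list          # hostnames or "*.example.com" wildcards
    max_age: int      # seconds a sender may cache this policy


def parse_sts_txt(record: str) -> str:
    """Validate the _mta-sts.<domain> TXT record and return its policy id.

    Senders re-fetch the HTTPS policy file whenever this id changes.
    """
    parts = [p.strip() for p in record.split(";") if p.strip()]
    kv = dict(p.split("=", 1) for p in parts if "=" in p)
    if kv.get("v") != "STSv1" or not kv.get("id"):
        raise ValueError(f"not a valid MTA-STS TXT record: {record!r}")
    return kv["id"]


def parse_policy(text: str) -> StsPolicy:
    """Parse the file served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    fields, mx = {}, []
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())          # several mx lines are allowed
        elif key in fields:
            raise ValueError(f"duplicate field: {key}")
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    mode = fields.get("mode")
    if mode not in VALID_MODES:
        raise ValueError(f"invalid mode: {mode!r}")
    if not fields.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer (seconds)")
    if mode != "none" and not mx:
        raise ValueError(f"mode {mode} requires at least one mx line")
    return StsPolicy(mode, mx, int(fields["max_age"]))


def mx_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    host = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        label, dot, rest = host.partition(".")
        return bool(label) and bool(dot) and rest == pattern[2:]
    return host == pattern


def decide_delivery(policy: StsPolicy, mx_host: str, starttls_ok: bool, cert_ok: bool):
    """Return (deliver, reason) the way a policy-aware sender decides.

    In testing mode a failure is only reported (through TLS-RPT); in enforce
    mode the message is not handed over on an insecure or mismatched connection.
    """
    if policy.mode == "none":
        return True, "no policy in effect"
    if not any(mx_matches(p, mx_host) for p in policy.mx):
        failure = "mx host not listed in policy"
    elif not starttls_ok:
        failure = "STARTTLS not offered (possible downgrade)"
    elif not cert_ok:
        failure = "certificate does not match mx host"
    else:
        return True, "policy satisfied: TLS to an approved mx host"
    if policy.mode == "testing":
        return True, f"testing mode: delivered, failure reported: {failure}"
    return False, f"enforce mode: delivery refused: {failure}"


# Constructed sample artifacts for example.com (not real published records).
SAMPLE_TXT = "v=STSv1; id=20240501T120000;"
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: testing\r\n"
    "mx: mail.example.com\r\n"
    "mx: *.backup.example.com\r\n"
    "max_age: 86400\r\n"
)

if __name__ == "__main__":
    print("policy id:", parse_sts_txt(SAMPLE_TXT))
    pol = parse_policy(SAMPLE_POLICY)
    print(pol)
    print(decide_delivery(pol, "mail.example.com", True, True))
    print(decide_delivery(pol, "mx1.backup.example.com", False, True))
    enforce = StsPolicy("enforce", pol.mx, 604800)
    print(decide_delivery(enforce, "mail.example.com", True, False))
```

The wildcard rule is the detail most often got wrong: `*.backup.example.com` covers `mx1.backup.example.com` but neither `backup.example.com` itself nor a deeper `a.b.backup.example.com`, so an MX record at the apex needs its own exact `mx:` line.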
What MTA-STS actually protects against:
- Downgrade attacks where a network attacker strips STARTTLS and forces plaintext delivery.
- DNS spoofing that redirects mail to an attacker-controlled server with a mismatched certificate.
- Silent misconfigurations where your own MX records or certificates break TLS without anyone noticing.
What it does not do:
- It does not protect mail you send out. That is on the receiving side.
- It is not a replacement for SPF, DKIM, or DMARC. It complements them.
- It does not encrypt the message contents end to end. For that you need S/MIME or a similar control.
A safe rollout looks like this. Publish the policy in testing mode first, with TLS-RPT enabled, and watch the reports for two to four weeks. Testing mode means failures are reported but mail still delivers, so you cannot accidentally block legitimate senders while you are validating your setup. Once the reports are clean, promote the policy to enforce mode and bump the cache lifetime. From that point, every major mail provider will refuse to deliver mail to you over an insecure or misconfigured connection.
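"Watch the reports until they are clean" is the step that decides when to promote the policy. As an added example (not code from the original article or from any provider), the following reads a TLS-RPT aggregate report in the JSON format providers mail to the reporting address (RFC 8460), totals the failed sessions by result type, maps each type to what to check on your own side, and answers the rollout question: is this domain ready for enforce mode? The provider name, domain, IP address and session counts are constructed sample values.

```python
"""Summarize a TLS-RPT aggregate report and decide whether to promote to enforce.

Added example (not the article's own code): consumes the RFC 8460 JSON
report format using a constructed sample report for example.com.
"""
import json
from collections import Counter

# What each RFC 8460 result type points at on the receiving side.
WHAT_TO_CHECK = {
    "starttls-not-supported": "MX did not offer STARTTLS",
    "certificate-host-mismatch": "MX certificate name does not match the MX hostname",
    "certificate-expired": "MX certificate has expired",
    "certificate-not-trusted": "MX certificate chain is not publicly trusted",
    "validation-failure": "TLS handshake failed for another reason",
    "sts-policy-fetch-error": "policy file not reachable on the mta-sts HTTPS host",
    "sts-policy-invalid": "policy file did not parse",
    "sts-webpki-invalid": "HTTPS certificate on the mta-sts host is invalid",
}


def _policy_mode(policy_string: list) -> str:
    """Pull the mode out of the policy lines the reporter echoes back."""
    for line in policy_string:
        key, _, value = line.partition(":")
        if key.strip() == "mode":
            return value.strip()
    return "unknown"


def summarize(report_text: str) -> list:
    """Return one summary dict per policy entry in the report."""
    report = json.loads(report_text)
    summaries = []
    for entry in report["policies"]:
        policy, totals = entry["policy"], entry["summary"]
        by_type = Counter()
        for detail in entry.get("failure-details", []):
            by_type[detail["result-type"]] += detail.get("failed-session-count", 1)
        summaries.append({
            "domain": policy["policy-domain"],
            "policy_type": policy["policy-type"],
            "mode": _policy_mode(policy.get("policy-string", [])),
            "successful": totals.get("total-successful-session-count", 0),
            "failed": totals.get("total-failure-session-count", 0),
            "failures_by_type": dict(by_type),
        })
    return summaries


def ready_to_enforce(summaries: list) -> tuple:
    """(ready, blockers): ready only when every sts policy saw zero failures."""
    blockers = []
    for s in summaries:
        if s["policy_type"] != "sts":
            continue
        for result_type, count in s["failures_by_type"].items():
            hint = WHAT_TO_CHECK.get(result_type, "unrecognised result type")
            blockers.append(f"{s['domain']}: {count} x {result_type} ({hint})")
        if s["failed"] and not s["failures_by_type"]:
            blockers.append(f"{s['domain']}: {s['failed']} failed sessions without details")
    return (not blockers), blockers


def _report(mode: str, failures: list) -> str:
    """Build a constructed sample report (not from a real provider)."""
    return json.dumps({
        "organization-name": "Constructed Sample Provider",
        "date-range": {"start-datetime": "2024-05-01T00:00:00Z",
                       "end-datetime": "2024-05-01T23:59:59Z"},
        "contact-info": "tlsrpt-noreply@provider.example",
        "report-id": "constructed-0001",
        "policies": [{
            "policy": {
                "policy-type": "sts",
                "policy-string": ["version: STSv1", f"mode: {mode}",
                                  "mx: mail.example.com", "max_age: 86400"],
                "policy-domain": "example.com",
                "mx-host": ["mail.example.com"],
            },
            "summary": {
                "total-successful-session-count": 4120,
                "total-failure-session-count": sum(f["failed-session-count"] for f in failures),
            },
            "failure-details": failures,
        }],
    })


DIRTY_REPORT = _report("testing", [{
    "result-type": "certificate-host-mismatch",
    "sending-mta-ip": "192.0.2.10",
    "receiving-mx-hostname": "mail.example.com",
    "failed-session-count": 12,
}])
CLEAN_REPORT = _report("testing", [])

if __name__ == "__main__":
    for name, report in (("dirty", DIRTY_REPORT), ("clean", CLEAN_REPORT)):
        ready, blockers = ready_to_enforce(summarize(report))
        print(name, "ready for enforce:", ready, blockers)
```

Twelve mismatched-certificate sessions out of four thousand is a small ratio, but in enforce mode those twelve messages would have bounced, which is exactly why the decision here is "zero failures" rather than a percentage; fix the certificate name, wait for a clean day of reports, then raise `max_age` alongside the switch to `mode: enforce`.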
MTA-STS is one of those controls that costs almost nothing to deploy and shows up immediately on enterprise vendor security questionnaires and cyber insurance reviews. For a Ventura County small business with Microsoft 365 or Google Workspace, the rollout is straightforward and the protection is real.
Realm Defense helps small businesses publish, monitor, and enforce MTA-STS and TLS-RPT alongside their existing SPF, DKIM, and DMARC setup. Reach out for an email security review.