Increase SMTP security and stop man-in-the-middle attacks with MTA-STS

MTA-STS (Mail Transfer Agent Strict Transport Security) is an email standard that enables the encryption of messages being sent between two mail servers. It improves the security of the SMTP protocol by specifying to sending servers that emails can only be sent over a Transport Layer Security (TLS) encrypted connection which prevents emails from being intercepted by cybercriminals.

Google and Microsoft both support MTA-STS and TLS-RPT.

In this blog article, we’ll walk you through the steps required to manually deploy MTA-STS. (Spoiler alert: there’s an easier way to deploy the MTA-STS protocol. Scroll down to the bottom of this post to find out more.)

Deploying MTA-STS

Deploying MTA-STS is relatively straightforward once you understand the components involved. Here’s an overview of what we’ll cover:

  1. Draft and publish the policy on a public, secured web server
  2. Enable SMTP TLS-RPT via a TXT record
  3. Signal MTA-STS support via a TXT record

Before you start the deployment (if you manage your own email server), make sure your MX records accept inbound TLS connections, the servers in your MX records use TLS version 1.2 or later, and that the MX server TLS certificates:

  • Match the domain name used by the inbound mail server (the server in your MX records)
  • Are signed and trusted by a root certificate authority
  • Are not expired

These last three go hand in hand and are very likely already managed by your email host, such as Google and Microsoft. You should only have to worry about them if you host your own mail server.

1. Draft and publish the policy on a public, secured web server

Now, to start the deployment, we will proceed to draft the policy. The policy itself is pretty straightforward. Here’s a sample policy:

     version: STSv1
     mode: testing
     mx: redsift-com.mail.protection.outlook.com
     mx: *.mail.protection.outlook.com
     max_age: 604800

The important bits are mode, mx and max_age, as version will (for now) always be the same.

Mode can be none, testing or enforce

  • none disables MTA-STS.
  • testing tells external servers sending to you to evaluate the policy, requests reports (via TLS-RPT) but does not enforce connection security required by MTA-STS.
  • enforce tells external servers to verify they’re connecting to an MX listed in the policy, and the SMTP connection is both encrypted (using TLS) and authenticated (that the server has a valid, signed certificate).

If the connection is not both encrypted and authenticated:

  • Servers that support MTA-STS will not send mail to your domain.
  • Servers that don’t support MTA-STS continue to send messages to your domain over SMTP connections as they normally do, but they may not be encrypted.

We recommend keeping the policy in testing mode for at least a month. That way you can get familiar with MTA-STS and fix any issues that may be brought up by the STS reports.

mx lists the MX records that serve email for the domain. In almost all cases, it’s the same records you already have published in your DNS.

To specify servers that match a naming pattern, use a wildcard. The wildcard character replaces one leftmost label only, for example: *.domain.com or *.mail.domain.com

max_age is the amount of time the sending MTA will cache the policy. The RFC suggests a value of 1 or 2 weeks (between 604800 and 1209600 seconds).

Ok, now that we have the policy drafted, we need to publish it. The policy has to be uploaded to a public-facing web server and it must be served over HTTPS with a signed, trusted certificate (eg: Let’s Encrypt).

  • Add a subdomain to your domain in the form of mta-sts.domain.com and point it to the webserver.
  • Create a directory named .well-known in the subdomain.
  • Upload the policy file you created to the .well-known directory with mta-sts.txt as the file name.

Your policy should be available at https://mta-sts.domain.com/.well-known/mta-sts.txt

Now is a good time to talk about the second topic of this post, before we continue with the last step of the deployment process.

2. Enable SMTP TLS-RPT via a TXT record (SMTP TLS Reporting)

How do we know that sending MTAs are failing MTA-STS? Much like DMARC, the answer is emailed reports. These reports include detected MTA-STS policies, traffic statistics, unsuccessful connections, and failure reasons. Enter SMTP TLS Reporting (or TLS-RPT for short). It enables reporting of TLS connectivity problems experienced by the sending MTAs and is defined in RFC8460.

Now, the last step consists of adding two DNS records: one for TLS-RPT and one to signify that you support MTA-STS and they’re both simple TXT records.

Let’s start with TLS-RPT. In order to receive reports, you will need a mailbox where you will receive them, or you can point them to your OnDMARC address (the same as for your DMARC record) and we’ll parse and display them for you in our new TLS reports section.

The first TXT record should be added like this:

_smtp._tls.example.com. 900 IN TXT "v=TLSRPTv1; 
rua=mailto:tlsrpt@example.com"

Host: _smtp._tls

TTL: 900 (or your default value)

Value: v=TLSRPTv1; rua=mailto:tlsrpt@example.com

Note: You can also have reports submitted via POST to an API, using the endpoint as the rua.

Eg: rua=https://reporting.example.com/v1/tlsrpt – for more information, refer to the RFC.

3. Signal MTA-STS support via a TXT record

Lastly, we need to publicize our support for MTA-STS. The TXT record should be added as follows:

_mta-sts.example.com. 900 IN TXT "v=STSv1; id=1575556993"

Host: _mta-sts (note the underscore at the beginning)

TTL: 900 (or your default value)

Value: v=STSv1; id=1575556993

Update the id to a new value every time you change your MTA-STS policy. External servers use the id value to determine when your policy changes. I usually use the epoch timestamp for the id value, it’s unique enough and lets you know when was the last time it was changed.

And that’s it! You’ve enabled both MTA-STS and TLS-RPT, and you’re on your way to supporting secure, un-tampered SMTP transmissions.

Is there an easier way to deploy MTA-STS?

The short answer is yes. With OnDMARC’s MTA-STS feature, you don’t need to worry about complex deployment. Simply add the MTA-STS Smart Records OnDMARC provides to your DNS and we do all the hard work for you such as hosting the MTA-STS policy file, maintaining the SSL certificate, and flagging any policy violation through the TLS report.

Once MTA-STS has been enabled, you can use OnDMARC’s TLS Reports to gain clear insight into the volume of emails received over a given period and how many of them have experienced domain successes and failures. You can easily uncover more details about a specific domain’s success or failure, such as a missing or expired certificate. This granularity tells you exactly what needs fixing in order for you to progress to an MTA-STS enforce mode and fully secure your inbound emails.

Protect your emails from phishing attacks and data tampering today.

Start free trial

PUBLISHED BY

Faisal Misle

26 Apr. 2022

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Email

The best tools to protect yourself from SubdoMailing

Francesca Rünger-Field

In late February 2024, ‘SubdoMailing’ became a trending search term overnight. Research by Guardio Labs uncovered a massive-scale phishing campaign that had been going on since at least 2022. At the time of reporting, the campaign had sent 5 million emails a day from more than 8,000 compromised domains and 13,000 subdomains with several…

Read more
Product Release

Red Sift’s Spring 2024 Quarterly Product Release

Francesca Rünger-Field

This early into 2024, the cybersecurity space is already buzzing with activity. Emerging standards, such as Google and Yahoo’s bulk sender requirements, mark a new era of compliance for businesses reliant on email communication. At the same time, the prevalence of sophisticated cyber threats, such as the SubdoMailing campaign, emphasizes the continual hurdles posed…

Read more
Email

Navigating the “SubdoMailing” attack: How Red Sift proactively identified and remediated a…

Rebecca Warren

In the world of cybersecurity, a new threat has emerged. Known as “SubdoMailing,” this new attack cunningly bypasses some of the safeguards that DMARC sets up to protect email integrity.  In this blog we will focus on how the strategic investments we have made at Red Sift allowed us to discover and protect against…

Read more
Email

Where are we now? One month of Google and Yahoo’s new requirements…

Rebecca Warren

As of March 1, 2024, we are one month into Google and Yahoo’s new requirements for bulk senders. Before these requirements went live, we used Red Sift’s BIMI Radar to understand global readiness, and the picture wasn’t pretty.  At the end of January 2024, one-third of global enterprises were bound to fail the new…

Read more