MTA-STS policy is missing
What has been found
MTA-STS policy is missing.
MTA-STS is a published policy that instructs other mail servers to deliver email to you using a secure TLS connection. The absence of an MTA-STS policy leaves email delivery vulnerable to downgrade or interception attacks.
Why this is a potential risk
Without an MTA-STS policy, there is no enforced requirement for inbound mail servers to use encrypted connections when delivering messages to the domain. This allows attackers to perform man-in-the-middle or downgrade attacks, intercepting or modifying email in transit.
It also increases the risk of spoofing or email redirection if DNS responses are tampered with. Implementing MTA-STS helps ensure email confidentiality, integrity, and authenticity by requiring TLS and validating certificate trust chains.
Potential solutions/Improvements
- Implement an MTA-STS policy:
  - Publish an MTA-STS DNS TXT record under the _mta-sts. label of your domain, indicating policy availability.
  - Host a policy file (.well-known/mta-sts.txt) over HTTPS that defines the TLS requirements and the enforcement mode.
- Use ‘enforce’ mode: once the policy is verified as working, set the policy mode to enforce to require TLS for all incoming mail.
- Implement TLS Reporting (TLS-RPT): configure a DNS TXT record under the _smtp._tls. label of your domain to collect reports on mail delivery issues and to verify MTA-STS enforcement.
- Regularly maintain and test: review the policy for validity, ensure HTTPS certificates remain current, and test with online tools.
How to verify it is resolved:
- Query DNS for the presence of an MTA-STS record:
  nslookup -type=TXT _mta-sts.yourdomain.com
- Confirm the policy file is accessible via HTTPS:
  https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
- Validate the configuration with tools such as:
  - mxtoolbox
  - checktls
- Review TLS-RPT reports for evidence of successful TLS delivery and the absence of downgrade attempts.
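As an added example that is not part of this finding, the following Python parses the two artifacts the checks above look at, the _mta-sts TXT record and the .well-known/mta-sts.txt policy body, and reports the weaknesses a reviewer would flag (non-enforce mode, missing mx entries, bad max_age); both inputs are constructed samples, not fetched from any real domain, and mx_matches shows how a policy's wildcard mx entries match an MX hostname.

```python
# Constructed sample inputs, not fetched from any real domain.
SAMPLE_TXT_RECORD = "v=STSv1; id=20240101T000000;"
SAMPLE_POLICY = "version: STSv1\nmode: testing\nmx: mail.example.com\nmx: *.mail.example.com\nmax_age: 604800\n"

def parse_sts_txt(record):
    """Parse the _mta-sts TXT record into a dict; require v=STSv1 and an alphanumeric id."""
    fields = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not (1 <= len(fields.get("id", "")) <= 32 and fields["id"].isalnum()):
        raise ValueError("invalid MTA-STS TXT record")
    return fields

def parse_sts_policy(text):
    """Parse the .well-known/mta-sts.txt body into a dict; 'mx' collects every mx: line."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        elif key:
            policy[key] = value
    return policy

def check_policy(policy):
    """Return a list of findings; an empty list means senders will require TLS for this domain."""
    findings = []
    if policy.get("version") != "STSv1":
        findings.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        findings.append("mode must be enforce, testing or none")
    elif mode != "enforce":
        findings.append(f"mode is '{mode}': senders will not require TLS")
    if not policy["mx"]:
        findings.append("at least one mx entry is required")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) <= 0:
        findings.append("max_age must be a positive number of seconds")
    return findings

def mx_matches(mx_host, patterns):
    """True if mx_host matches a policy mx entry; '*.x' matches exactly one extra leftmost label."""
    host = mx_host.lower().rstrip(".")
    for pat in (p.lower() for p in patterns):
        if host == pat or (pat.startswith("*.") and host.partition(".")[2] == pat[2:]):
            return True
    return False
```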