
MTA-STS & TLS-RPT in 2025: Why They Matter & How They Stop Man-in-the-Middle Attacks

  • Writer: Mithun GS
  • Jun 2
  • 3 min read

MTA-STS (RFC 8461) is a policy you publish for your domain. It tells sending mail servers that support it to deliver to your MX hosts only over TLS, and only if the MX presents a valid certificate.


Without MTA-STS, SMTP encryption is opportunistic: STARTTLS is used only if the receiving server offers it, and the certificate is usually not checked. An attacker on the network path can strip the STARTTLS offer from the server's response, downgrading the connection → the mail is sent unencrypted. The attacker can also answer as a fake MX with any certificate at all.


With MTA-STS in enforce mode, a sender that honors the policy refuses to deliver without validated TLS, so a downgrade or a fake MX cannot silently capture the mail. (Senders that do not implement MTA-STS are unaffected by your policy; the largest providers, such as Gmail and Microsoft 365, do implement it.)

How MTA-STS Works (Short Version)

To enable MTA-STS you need:

  1. A DNS TXT record _mta-sts.yourdomain.com

  2. A policy file hosted over HTTPS https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

  3. A valid, publicly trusted TLS (SSL) certificate for mta-sts.yourdomain.com, plus a valid certificate on each MX host that matches that host's name

When another mail server tries to send you email:

  • It looks up the _mta-sts TXT record. The id in that record tells it whether the policy it has cached is still current.

  • If it has no cached policy, or the id changed, it fetches your HTTPS policy file and caches it for max_age seconds.

  • It obeys your rule: enforce, testing, or none.


If your policy says enforce, the sender MUST deliver only to an MX host named in the policy, over TLS with a valid certificate. If that is not possible, it holds the email and retries later rather than sending it unencrypted; after enough failed retries the email bounces back to the sender.

TLS-RPT Explained (Simple)

TLS-RPT (SMTP TLS Reporting, RFC 8460) asks sending servers to send you aggregate reports, normally one per sender per day, about:

  • Failed TLS connections

  • Policy fetch issues

  • Servers failing to deliver securely

  • Possible downgrade attempts (STARTTLS not offered, certificate mismatch). The report cannot tell an attacker from a misconfigured MX, so check where the failures come from.

This helps you fix security quickly.


DNS example:

_smtp._tls.yourdomain.com TXT "v=TLSRPTv1; rua=mailto:tls@yourdomain.com"
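A TLS-RPT report is a JSON document (RFC 8460), usually delivered gzipped to the rua address. The script below is an added example, not part of the original post: it rolls one constructed report up by result type and by MX host, separates "my policy publishing is broken" from "TLS to my MX is failing", and gates the move from testing to enforce. The report content, the sender name and the IP addresses are made up for the demonstration.

```python
"""Summarize a TLS-RPT aggregate report (RFC 8460 JSON). Added example, not code from the
page: SAMPLE_REPORT is constructed in the RFC 8460 layout; real reports arrive at the rua
address as a gzipped JSON attachment, one per reporting sender per day."""
import json
from collections import Counter, defaultdict

# result-type values defined in RFC 8460 section 4.3, grouped by what they mean for you.
TLS_FAILURES = {"starttls-not-supported", "certificate-host-mismatch", "certificate-expired",
                "certificate-not-trusted", "validation-failure"}
POLICY_FAILURES = {"sts-policy-fetch-error", "sts-policy-invalid", "sts-webpki-invalid"}
DANE_FAILURES = {"tlsa-invalid", "dnssec-invalid", "dane-required"}

SAMPLE_REPORT = json.dumps({  # constructed sample, not a real report
    "organization-name": "Example Sender Inc.",
    "date-range": {"start-datetime": "2025-06-01T00:00:00Z", "end-datetime": "2025-06-01T23:59:59Z"},
    "contact-info": "tls-reports@sender.example",
    "report-id": "2025-06-01T00:00:00Z_yourdomain.com",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "yourdomain.com",
                   "policy-string": ["version: STSv1", "mode: testing",
                                     "mx: *.yourdomain.com", "max_age: 604800"],
                   "mx-host": ["*.yourdomain.com"]},
        "summary": {"total-successful-session-count": 5326, "total-failure-session-count": 303},
        "failure-details": [
            {"result-type": "starttls-not-supported", "sending-mta-ip": "198.51.100.7",
             "receiving-mx-hostname": "mail.yourdomain.com", "receiving-ip": "203.0.113.25",
             "failed-session-count": 200},
            {"result-type": "certificate-host-mismatch", "sending-mta-ip": "198.51.100.8",
             "receiving-mx-hostname": "mx2.yourdomain.com", "receiving-ip": "203.0.113.26",
             "failed-session-count": 60},
            {"result-type": "certificate-host-mismatch", "sending-mta-ip": "198.51.100.10",
             "receiving-mx-hostname": "mx2.yourdomain.com", "receiving-ip": "203.0.113.26",
             "failed-session-count": 40},
            {"result-type": "sts-policy-fetch-error", "sending-mta-ip": "198.51.100.9",
             "failed-session-count": 3},
        ],
    }],
})

def policy_mode(policy_string: list) -> str:
    """Pull 'mode' out of the echoed policy text, i.e. the mode the sender actually applied."""
    for line in policy_string:
        key, _, value = line.partition(":")
        if key.strip() == "mode":
            return value.strip()
    return "unknown"

def summarize(report_json: str) -> dict:
    """Roll the report up per policy: totals, failures by result-type and by MX, and flags
    that separate a publishing problem (your HTTPS/DNS) from a TLS problem (your MX hosts)."""
    report = json.loads(report_json)
    out = {"reporter": report["organization-name"], "report_id": report["report-id"], "policies": []}
    for entry in report["policies"]:
        ok = entry["summary"]["total-successful-session-count"]
        bad = entry["summary"]["total-failure-session-count"]
        by_type, by_mx, senders = Counter(), Counter(), defaultdict(set)
        for f in entry.get("failure-details", []):
            by_type[f["result-type"]] += f["failed-session-count"]
            by_mx[f.get("receiving-mx-hostname", "(none)")] += f["failed-session-count"]
            senders[f["result-type"]].add(f["sending-mta-ip"])
        out["policies"].append({
            "domain": entry["policy"]["policy-domain"],
            "type": entry["policy"]["policy-type"],
            "mode": policy_mode(entry["policy"].get("policy-string", [])),
            "success": ok, "failure": bad,
            "failure_rate": round(bad / (ok + bad), 4) if ok + bad else 0.0,
            "by_result_type": dict(by_type),
            "by_mx": dict(by_mx),
            # TLS failures reported from a single sending IP while most sessions succeed point
            # at that network path (possible STARTTLS stripping) rather than a broken MX.
            # A hint to investigate, not proof of an attack.
            "localized_failures": sorted(t for t, ips in senders.items()
                                         if t in TLS_FAILURES and len(ips) == 1 and ok > bad),
            "publishing_problem": any(by_type[t] for t in POLICY_FAILURES),
            "tls_problem": any(by_type[t] for t in TLS_FAILURES),
        })
    return out

def ready_for_enforce(policy_summary: dict) -> bool:
    """Gate before flipping mode from testing to enforce: a clean reporting period with no TLS
    failures and no policy-publishing failures. Apply it over several days of reports."""
    return (policy_summary["mode"] == "testing"
            and not policy_summary["tls_problem"]
            and not policy_summary["publishing_problem"])

if __name__ == "__main__":
    for p in summarize(SAMPLE_REPORT)["policies"]:
        print(p["domain"], p["mode"], p["failure_rate"], p["by_result_type"], p["localized_failures"])
        print("ready for enforce:", ready_for_enforce(p))
```

In the constructed report the 200 STARTTLS failures all come from one sending IP while 5326 sessions succeeded, so they are flagged as localized; the certificate mismatches on mx2 come from two senders and look like a server-side problem (a certificate issued for another name); the three sts-policy-fetch-error sessions are your own publishing, not the MX. None of this is clean, so the report says: stay in testing.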

Why MTA-STS Matters in 2025

✔ Stops man-in-the-middle (MITM) attacks

✔ Prevents TLS downgrade attacks

✔ Ensures inbound email from senders that honor MTA-STS arrives over validated TLS

✔ Gmail, Microsoft 365 and other large senders that implement MTA-STS apply your policy when they mail you

✔ Shows partners and auditors a baseline of email security (note: it protects mail sent to you; it does not change how your own outbound mail is filtered or ranked)

Email without MTA-STS = HTTPS-less website

Email with MTA-STS = HTTPS lock icon

What Is a Policy Fetch Failure? (Simple)

A policy fetch failure means other mail servers could not download your MTA-STS policy.

Common causes:

1. Your HTTPS host is unreachable

https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
→ Server down
→ Firewall blocks HTTPS (TCP 443)
→ Missing DNS A/AAAA record for mta-sts.yourdomain.com

2. Invalid or expired SSL certificate

MTA-STS requires a certificate that chains to a publicly trusted CA and matches the name mta-sts.yourdomain.com. Self-signed = reject. Expired = reject.

3. Wrong DNS configuration

The _mta-sts TXT record is missing or malformed (it must start with v=STSv1 and carry an id).

4. File missing or wrong content type

Your policy file must be served as Content-Type: text/plain and must follow the exact key: value syntax (version, mode, mx, max_age).

5. Redirects are blocked

Senders do not follow 301/302 redirects when fetching the policy (RFC 8461, section 3.3).

The URL must return the file directly with HTTP 200.


When a fetch fails, a sender that already holds a cached copy of your policy keeps using it until max_age expires. A sender with no cached copy delivers as if you had no policy at all (opportunistic TLS, no certificate check), which is exactly the situation the downgrade attack exploits. The failure shows up in your TLS-RPT reports as sts-policy-fetch-error.

TLS Encryption Guarantees (What It Actually Protects)

With MTA-STS ENFORCED, the hop from a compliant sender's server to your MX is protected:


✔ Encrypted

A network eavesdropper cannot read the content in transit. (This is hop-by-hop protection: the mail is still plaintext on the sending and receiving servers themselves.)


✔ No downgrade

Attackers cannot force plaintext delivery by stripping STARTTLS; the sender holds the mail instead.


✔ Valid certificate required

The MX must present a certificate from a trusted CA that matches its hostname, and that hostname must match an mx: pattern in your policy. A fake server cannot impersonate your MX without a valid certificate for that name.


✔ MITM prevention

If someone tries to intercept, the sending server will abort delivery instead of sending insecurely.


This is the guarantee behind the encryption lock Gmail shows in a message's details for mail that arrived over TLS.

How to Set Up MTA-STS Correctly (Short Checklist)


1. Create the DNS TXT record

_mta-sts.yourdomain.com TXT "v=STSv1; id=20251201"
  • id is a short alphanumeric string (up to 32 characters). Senders compare it with the id of their cached policy, so change it every time you edit the policy file, or they will keep using the old policy until max_age expires.


2. Add A/AAAA record

mta-sts.yourdomain.com → the IP of the web server that hosts the policy file (a CNAME to that server also works)

3. Install an SSL certificate

Use a certificate from a publicly trusted CA (Let's Encrypt is fine) and automate renewal; an expired certificate is a policy fetch failure.


4. Upload the policy file

Location on the web server (example): /var/www/mta-sts/.well-known/mta-sts.txt
URL must be: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
Serve it as Content-Type: text/plain, directly, with no redirect.


5. File content example

version: STSv1
mode: enforce
mx: mail.yourdomain.com
max_age: 604800

One mx line per MX host. A wildcard such as *.yourdomain.com matches exactly one label (mail.yourdomain.com, not yourdomain.com itself). Every MX in your DNS must be covered, and each MX must present a valid certificate for its own hostname.

Modes:

  • none = policy published but nothing required; use it to retire MTA-STS cleanly

  • testing = senders check but still deliver; failures are only reported via TLS-RPT

  • enforce = fully enforced (recommended once the TLS-RPT reports from testing mode are clean)


6. Add TLS-RPT Record

_smtp._tls.yourdomain.com TXT "v=TLSRPTv1; rua=mailto:tls@yourdomain.com"

7. Test using Gmail or MXToolbox, then run in testing mode and read the TLS-RPT reports before switching to enforce
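To tie this checklist back to the "How MTA-STS Works" and "Policy Fetch Failure" sections, here is an added example (not code from the original post) of the decisions a sending server makes once it has your policy: validating the HTTPS fetch (no redirects, text/plain, strict syntax), matching MX hostnames against mx: patterns, and choosing between delivering over validated TLS or deferring. The HTTP responses, hostnames and certificate outcomes are constructed stand-ins; mail.attacker.example and the sample policy text are assumptions, not the page's.

```python
"""Sender-side MTA-STS decisions (RFC 8461) run against constructed inputs. Added example,
not code from the page: the HTTP responses and certificate results are hand-written stand-ins."""
import re
from dataclasses import dataclass

@dataclass
class Policy:
    mode: str
    mx: list
    max_age: int

def parse_policy(body: str) -> Policy:
    """Parse mta-sts.txt ('key: value' lines). Unknown keys are ignored; a missing or
    malformed required key makes the policy unusable (sts-policy-invalid in TLS-RPT)."""
    fields, mx = {}, []
    for line in filter(str.strip, body.splitlines()):
        m = re.fullmatch(r"\s*([A-Za-z_]+)\s*:\s*(\S+)\s*", line)
        if not m:
            raise ValueError(f"bad policy line: {line!r}")
        if m.group(1) == "mx":
            mx.append(m.group(2).lower().rstrip("."))
        else:
            fields[m.group(1)] = m.group(2)
    if fields.get("version") != "STSv1" or fields.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("version must be STSv1 and mode must be enforce, testing or none")
    if not fields.get("max_age", "").isdigit() or int(fields["max_age"]) > 31557600:
        raise ValueError("max_age must be an integer number of seconds, at most 31557600")
    if fields["mode"] != "none" and not mx:
        raise ValueError("at least one mx line is required")
    return Policy(fields["mode"], mx, int(fields["max_age"]))

def fetch_policy(status: int, headers: dict, body: str) -> Policy:
    """RFC 8461 section 3.3 fetch rules: only a direct 200 counts (3xx redirects are not
    followed) and the body must be served as text/plain."""
    if status != 200:
        raise ValueError(f"policy fetch error: HTTP {status} (redirects are not followed)")
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if ctype.split(";")[0].strip().lower() != "text/plain":
        raise ValueError(f"policy fetch error: content type {ctype!r} is not text/plain")
    return parse_policy(body)

def fetch_outcome(status: int, headers: dict, body: str) -> str:
    """'ok', or the reason a sender would log this fetch as a policy fetch failure."""
    try:
        fetch_policy(status, headers, body)
        return "ok"
    except ValueError as exc:
        return str(exc)

def mx_matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches exactly one left-most label: mail.example.com, not example.com."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return host == pattern

@dataclass
class MxCandidate:
    host: str
    starttls_ok: bool  # False models an on-path attacker stripping the STARTTLS offer
    cert_ok: bool      # certificate chains to a trusted CA and matches `host`

def choose_mx(policy: Policy, candidates: list) -> tuple:
    """(host, action, failures). Enforce: deliver only to an MX that matches the policy and
    passes TLS validation, else defer (tempfail) instead of falling back to plaintext.
    Testing/none: deliver to the first MX anyway and keep the failures for TLS-RPT."""
    failures = []
    for c in candidates:
        if not any(mx_matches(p, c.host) for p in policy.mx):
            failures.append((c.host, "mx-not-in-policy"))
        elif not c.starttls_ok:
            failures.append((c.host, "starttls-not-supported"))
        elif not c.cert_ok:
            failures.append((c.host, "certificate-not-trusted-or-host-mismatch"))
        else:
            return c.host, "deliver-tls", failures
    if policy.mode == "enforce":
        return None, "defer", failures
    return (candidates[0].host if candidates else None), "deliver-opportunistic", failures

# Constructed sample inputs standing in for the HTTPS fetch of the policy.
SAMPLE_HEADERS = {"Content-Type": "text/plain; charset=utf-8"}
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.yourdomain.com\nmx: *.mx.yourdomain.com\nmax_age: 604800\n"

def demo() -> dict:
    policy = fetch_policy(200, SAMPLE_HEADERS, SAMPLE_POLICY)
    return {
        "honest": choose_mx(policy, [MxCandidate("mail.yourdomain.com", True, True)])[:2],
        "stripped": choose_mx(policy, [MxCandidate("mail.yourdomain.com", False, False)])[:2],
        "rogue": choose_mx(policy, [MxCandidate("mail.attacker.example", True, True)])[:2],
        "redirected": fetch_outcome(302, {"Location": "https://yourdomain.com/"}, ""),
        "html_page": fetch_outcome(200, {"Content-Type": "text/html"}, "<html>oops</html>"),
    }

if __name__ == "__main__":
    print(demo())
```

Run it and the "stripped" and "rogue" cases both end in defer: a stripped STARTTLS and an MX that is not in the policy get the same treatment, which is the whole point of enforce mode. The "redirected" and "html_page" cases show the two most common policy fetch failures from the section above. Switch the sample policy to testing and the same MX cases deliver anyway, with the failures kept for the TLS-RPT report.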

Common Mistakes (Easy to Fix)

❌ Missing mta-sts subdomain

❌ No SSL or expired SSL

❌ Using redirects

❌ Wrong TXT value formatting

❌ Wrong file location (the path must be exactly /.well-known/mta-sts.txt on the mta-sts host)

❌ Policy in HTML instead of plain text

❌ Forgetting to change the id in the TXT record after editing the policy

❌ An MX host not covered by an mx: line, or an MX certificate that does not match its hostname (not a fetch failure, but it breaks delivery in enforce mode)

Fix these → the policy fetch will succeed and enforce mode will actually deliver.

Quick Summary

MTA-STS enforces TLS delivery for email sent to your domain, preventing man-in-the-middle downgrade attacks by every sender that honors the policy.

TLS-RPT gives you reports on failures so you can fix them fast.

Correct setup requires:

  • DNS TXT record

  • HTTPS policy file

  • Valid SSL

  • mx: lines covering every MX host, each MX presenting a valid certificate for its hostname

If your policy fetch fails, senders without a cached policy get no protection; watch for sts-policy-fetch-error in your TLS-RPT reports.
