Create MTA-STS and TLS reporting for better email security
Enable MTA Strict Transport Security (MTA-STS) for your domain to improve Gmail security: MTA-STS requires encryption and authentication checks for mail sent to your domain. To learn how external servers connect to your domain, use Transport Layer Security (TLS) reporting.

Gmail sends and receives messages via the Simple Mail Transfer Protocol (SMTP), like all other mail services. SMTP alone provides no security, and many SMTP servers lack additional protection against attacks.
What is MTA-STS
MTA-STS is an email security standard created to prevent email connections from being downgraded to plaintext, or intercepted, while messages are in transit.
It guarantees that:
- Sending mail servers establish a connection with your domain's mail servers using TLS (Transport Layer Security).
- Connections cannot be downgraded to plaintext by man-in-the-middle (MitM) attacks.
- Senders follow strict rules for encrypted delivery.
Importance
SMTP, the protocol normally used to deliver email, supports only opportunistic encryption: if encryption is possible, the connection is encrypted; if not, it falls back to plaintext. This makes downgrade attacks (such as STARTTLS stripping) possible.
To close this gap, MTA-STS tells senders:
"My domain expects TLS."
"My mail servers are located here."
"If you can't meet this, don't deliver at all."
How MTA-STS works
DNS record (TXT) and policy file
To tell mail servers that you support MTA-STS, your domain publishes a DNS TXT record and a policy file that state:
- The policy version
- The mode (none, testing, or enforce)
- Patterns for your MX hosts
- The maximum age (how long senders may cache the policy)
Sending mail servers that enforce the policy:
- Fetch and cache your policy.
- Verify the TLS connection and the certificate.
- Deliver only when the policy is satisfied (in "enforce" mode): deliver securely, or not at all.
Benefits:
Stronger security:
By enforcing TLS, MTA-STS ensures that emails are only sent over secure, encrypted connections, reducing the risk of interception and tampering.
Reduced risk of Man-in-the-Middle (MitM) attacks:
MTA-STS helps prevent attackers from tricking email servers into using unsecured connections.
Compliance:
Many industries have regulations regarding data protection, and MTA-STS can help businesses comply with these standards.
How MTA-STS secures email
When the receiving domain publishes an MTA-STS policy in enforce mode and the sending server supports MTA-STS, the SMTP connections that carry email are more secure.
Receiving mail
When you enable MTA-STS for your domain, you ask external mail servers to deliver messages to your domain only over connections that are:
- Encrypted using TLS 1.2 or higher
- Authenticated using a valid public certificate
Mail servers that support MTA-STS will send messages to your domain only over such encrypted and authenticated connections.
Sending mail
When your domain sends Gmail messages to external servers that have an MTA-STS policy in enforce mode, the messages are delivered in compliance with that policy.
Setting up with the managed MTA-STS configuration page
This page lets you configure and enforce MTA-STS policies. Follow the instructions on the page and you will be set up in a few minutes.
To begin configuring the MTA-STS policy:
Select the domain for which you want to implement the policy and set its mode (None, Testing, or Enforce). Then enter the policy details: maximum age, TLS reporting destination, and MX hosts.
The next step is to set up your DNS. It is a three-step procedure:
1. Log in to your DNS provider and open the DNS settings page.
2. Configure the CNAME records: set up the MTA-STS record, the MTA-STS policy file location, and the TLS-RPT record.
3. Check the records: follow the on-screen directions to resolve problems or misconfigurations.
DNS updates typically take up to 24 hours to propagate. After that, TLS reports begin to appear on your dashboard, and if everything is set up correctly you will see a success message.
TLS reports
When you enable TLS reporting, you request daily reports from external mail servers that connect to your domain. The reports detail any connection problems those servers encounter when sending mail to your domain. Use the report data to find and fix security issues with your mail servers.
How to configure MTA-STS and TLS reporting
- Verify your domain's MTA-STS settings.
- Create an MTA-STS policy.
- Publish the MTA-STS policy.
- Add DNS TXT records to enable MTA-STS and TLS reporting.
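The two DNS TXT records from the last step, as an added example that is not part of the original page: a checker for the `_mta-sts` record (`v=STSv1; id=...`) and the `_smtp._tls` record (`v=TLSRPTv1; rua=...`), plus a helper that derives a fresh `id` from the policy file, since senders keep using a cached policy until the id in DNS changes. The record values and domain are constructed placeholders.

```python
import hashlib
import re

# Constructed TXT record values for an example domain; placeholders, not real DNS data.
MTA_STS_TXT = "v=STSv1; id=20240101T000000Z"                 # _mta-sts.example.com
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"  # _smtp._tls.example.com

def parse_tags(txt):
    """Split a 'k=v; k=v' TXT value into a dict; both record types use this layout."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags

def check_mta_sts_txt(txt):
    """Validate the _mta-sts TXT record; returns 'ok' or the first problem found."""
    tags = parse_tags(txt)
    if tags.get("v") != "STSv1":
        return "v tag must be STSv1"
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", tags.get("id", "")):
        return "id must be 1-32 alphanumeric characters"
    return "ok"

def check_tlsrpt_txt(txt):
    """Validate the _smtp._tls TXT record; rua must name mailto: or https: destinations."""
    tags = parse_tags(txt)
    if tags.get("v") != "TLSRPTv1":
        return "v tag must be TLSRPTv1"
    ruas = [r.strip() for r in tags.get("rua", "").split(",") if r.strip()]
    if not ruas or not all(r.startswith(("mailto:", "https://")) for r in ruas):
        return "rua must list at least one mailto: or https: destination"
    return "ok"

def new_policy_id(policy_text):
    """Derive an id from the policy file contents: senders cache the policy until the
    id in DNS changes, so every change to the file must be paired with a new id."""
    return hashlib.sha256(policy_text.encode()).hexdigest()[:32]
```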
Configuration Using the TLS Reports Page
If TLS reports are still inactive when you visit the page, a blocking screen appears. From there you can either upload a JSON report file or activate TLS reporting; selecting "Activate TLS Reporting" walks you through the one-time DNS setup stages described above. The TLS Reports page becomes useful once the first report arrives. The page's main chart displays message success and failure counts in a clear, readable format. Select the domain or domains you want to investigate at the top, then use the filtering and date-range options to narrow the data shown.
You can also set the period the chart displays (day, week, or month), which makes it easier to review reports and act on them. The table beneath the main chart shows domain-based data such as the policy type, number of successes and failures, and report date. Each entry can be expanded to show details from the reporter, including the date, policy mode, result type, session count, sending and receiving IPs, and more. Only data for the domains and groups you can access is visible to you, depending on your Permission Management access level.
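The fields listed above (reporter, date, policy mode, result type, session counts, sending and receiving IPs) come from the daily TLS-RPT JSON reports that a dashboard or an uploaded file is built from. As an added example that is not part of the original page, here is a summarizer that rolls one such report up into the per-domain rows a table like the one described would show. The report is constructed in the RFC 8460 layout with placeholder names, addresses and counts.

```python
import json
from collections import Counter

# Constructed TLS-RPT report in the RFC 8460 JSON layout. The reporter name,
# domain, addresses and counts are placeholders, not values from a real report.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Reporter",
    "date-range": {"start-datetime": "2024-01-01T00:00:00Z",
                   "end-datetime": "2024-01-01T23:59:59Z"},
    "contact-info": "tlsrpt@reporter.example",
    "report-id": "2024-01-01T00:00:00Z_example.com",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "example.com",
                   "policy-string": ["version: STSv1", "mode: enforce",
                                     "mx: mail.example.com", "max_age: 604800"],
                   "mx-host": ["mail.example.com"]},
        "summary": {"total-successful-session-count": 120,
                    "total-failure-session-count": 3},
        "failure-details": [
            {"result-type": "certificate-expired", "sending-mta-ip": "192.0.2.10",
             "receiving-mx-hostname": "mail.example.com",
             "receiving-ip": "198.51.100.5", "failed-session-count": 2},
            {"result-type": "sts-policy-fetch-error", "sending-mta-ip": "192.0.2.11",
             "receiving-mx-hostname": "mail.example.com",
             "receiving-ip": "198.51.100.5", "failed-session-count": 1}]}]})

def summarize_report(report_json):
    """Roll up one report into rows: reporter, date, domain, policy type/mode, counts,
    and failures grouped by result-type (the fields the dashboard table shows)."""
    report = json.loads(report_json)
    rows = []
    for entry in report["policies"]:
        pol, summ = entry["policy"], entry["summary"]
        # policy-string is the fetched policy file, line by line; pull the mode out of it
        mode = "n/a"
        for line in pol.get("policy-string", []):
            if line.startswith("mode:"):
                mode = line.split(":", 1)[1].strip()
        failures = Counter()
        for f in entry.get("failure-details", []):
            failures[f["result-type"]] += f.get("failed-session-count", 1)
        rows.append({"reporter": report["organization-name"],
                     "date": report["date-range"]["start-datetime"][:10],
                     "domain": pol["policy-domain"], "policy_type": pol["policy-type"],
                     "mode": mode, "ok": summ["total-successful-session-count"],
                     "failed": summ["total-failure-session-count"],
                     "failures": dict(failures)})
    return rows
```

A result-type such as `sts-policy-fetch-error` points at your own MTA-STS hosting (the HTTPS policy file), while `certificate-expired` points at the MX host's certificate; grouping by result-type is what turns a daily report into an actionable fix list.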
Frequently Asked Questions
1. What is a managed MTA-STS and TLS reporting service?
A managed service hosts, configures, monitors, and reports on MTA-STS policies and TLS-RPT data for your domain, removing the work of running HTTPS servers, maintaining policy files, and interpreting daily TLS reports yourself.
2. Why is MTA-STS important?
MTA-STS protects email sent to your domain from SMTP downgrade attacks and man-in-the-middle (MitM) attacks, and guarantees that mail servers sending to your domain use encrypted (TLS) connections with valid certificates.
3. What happens if I set up MTA-STS incorrectly?
A flawed setup may:
- Break mail delivery
- Cause valid email to bounce
- Cause TLS negotiation failures
A managed provider usually verifies your configuration and prevents incorrect settings from being published.
4. Does this work with DKIM, SPF, and DMARC?
Yes. MTA-STS and TLS-RPT complement the other email security standards. Combined, they offer:
- Proof of identity (SPF, DKIM, DMARC)
- Enforcement of encryption (MTA-STS)
- Reporting and visibility (TLS-RPT)