What is MTA-STS and TLS-RPT?

MTA-STS, or Mail Transfer Agent Strict Transport Security, lets your domain insist that other servers deliver mail to you over an encrypted and authenticated TLS connection. Without it, encryption between mail servers is opportunistic: if the secure handshake fails or is tampered with, servers quietly fall back to sending mail in the clear. That gap lets an attacker on the network strip encryption and read or alter messages.

MTA-STS removes the silent fallback. A domain that publishes an enforcing policy is telling every sender that mail must be delivered securely or not at all.

MTA-STS has two parts that work together:

• A policy file served over HTTPS at https://mta-sts.yourdomain/.well-known/mta-sts.txt. It lists the mail servers that should receive your mail and the enforcement mode (enforce, testing, or none).
• A TXT record at _mta-sts.yourdomain that signals the policy exists and carries a version identifier so senders know when it has changed.

The TXT record looks like this:

A sending server reads the TXT record, fetches the HTTPS policy, caches it, and then enforces valid TLS on delivery. Because the policy is fetched over HTTPS with a trusted certificate, an attacker cannot forge or downgrade it.

MTA-STS can cause mail to be deferred when a secure connection cannot be made, but on its own it gives you no visibility into when that happens. TLS-RPT (SMTP TLS Reporting) fills that gap. It is a separate TXT record at _smtp._tls.yourdomain that asks sending servers to email you summary reports of their TLS connection results:

Those reports tell you whether senders are successfully negotiating TLS or hitting failures, which is essential for spotting certificate problems or misconfigured mail servers before they cause delivery loss.

1. Host the policy file. Serve mta-sts.txt over HTTPS at the mta-sts subdomain, listing your mail servers and starting in testing mode.
2. Publish the MTA-STS TXT record. Add the _mta-sts TXT record with a version and a unique id.
3. Add TLS-RPT. Publish the _smtp._tls TXT record pointing reports to a mailbox you monitor.
4. Move to enforce. Once reports confirm senders are negotiating TLS cleanly, switch the policy mode from testing to enforce, and bump the id.

MTA-STS and TLS-RPT protect the confidentiality and integrity of mail while it travels between servers, defending against active network attackers who would otherwise downgrade your connections. They complement, rather than replace, the sender-authentication work done by SPF, DKIM, and DMARC: authentication proves who sent a message, while MTA-STS protects it in transit. A well-secured mail domain wants both.