The problem
Without MTA-STS, STARTTLS is opportunistic: even if your server supports TLS, a sender that can't negotiate it (or is downgraded on the path) simply falls back to plaintext. Your email travels unencrypted.
What it does
Tells the world: “If you send me email, you MUST use TLS with a certificate that validates for my MX hosts. If you can’t, DON’T deliver.”
Implementation
1. DNS TXT
_mta-sts.yourdomain TXT "v=STSv1; id=20260304"
2. Policy file
At https://mta-sts.yourdomain/.well-known/mta-sts.txt (served over HTTPS with a certificate valid for that hostname):
version: STSv1
mode: enforce
mx: aspmx.l.google.com
mx: alt1.aspmx.l.google.com
max_age: 604800
3. TLS-RPT
_smtp._tls.yourdomain TXT "v=TLSRPTv1; rua=mailto:tls-reports@yourdomain"
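As an added example (not code from the original post), this Python validator parses the _mta-sts TXT record and the policy file shown above and applies the RFC 8461 MX-matching rule, which the post does not spell out; the sample policy and the `*.example.net` wildcard entry are constructed for the demo.

```python
# Added example: offline checks for the MTA-STS pieces above (sample inputs constructed).
MODES = {"testing", "enforce", "none"}

def parse_sts_txt(record):
    """Parse '_mta-sts' TXT data such as 'v=STSv1; id=20260304'."""
    fields = dict(p.strip().partition("=")[::2] for p in record.split(";") if p.strip())
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid STSv1 TXT record")
    return fields

def parse_policy(text):
    """Parse mta-sts.txt (RFC 8461 s3.2); unknown keys are ignored."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = (s.strip() for s in line.partition(":"))
        if not line.strip():
            continue
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in MODES:
        raise ValueError("mode must be testing, enforce or none")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age (seconds) is required; a misspelled key is ignored")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("testing/enforce policies need at least one mx")
    return policy

def mx_matches(mx_host, patterns):
    """'*.example.com' covers exactly one leftmost label (RFC 8461 s4.1)."""
    host = mx_host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            suffix = pattern[1:]                      # ".example.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:            # mx.example.com, not a.b.example.com
                return True
        elif host == pattern:
            return True
    return False

# Constructed sample: the post's policy plus a wildcard entry.
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: aspmx.l.google.com\nmx: *.example.net\nmax_age: 604800\n"
```

Run `parse_policy` against the file you actually serve and `mx_matches` against your real MX hostnames before switching to enforce; an MX that matches no pattern means senders will refuse delivery.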
🛡️ Start with mode: testing. Once everything works, switch to enforce. Every policy change needs a new id in the _mta-sts TXT record, otherwise senders keep using the policy they cached.
SPF = who can send. DKIM = signature. DMARC = what to do with failures. MTA-STS = encryption in transit.