What Is MTA-STS? Combined With The TLS-RPT Protocol, It Enforces Encryption And Prevents Interception Of Emails
MTA-STS lets a receiving domain require that mail sent to it travels only over authenticated TLS connections.
Email is the principal mode of communication for business entities today. Mail between servers is normally protected with TLS (Transport Layer Security) through the SMTP STARTTLS extension, which is the recommended industry standard. That protection, however, is opportunistic: the sending server uses TLS only if the receiving server offers it, and it does not check who it is talking to.
Because of this, an attacker positioned between the two servers can keep the TLS upgrade from ever happening, and the message is then sent in the clear. MITM (Man-In-The-Middle) attacks of this kind succeed whenever the email is not forced onto a secure connection. MTA-STS addresses this threat: it lets the receiving domain declare that no email may be delivered to it without TLS, so the message stays protected on the hop between the sending and receiving servers.
How MTA-STS Becomes Essential For Securing Emails
When one sends an email, the sending MTA (Mail Transfer Agent) connects to the receiving server and checks whether its EHLO reply advertises the STARTTLS command. Generally, it does. On seeing STARTTLS, the MTA upgrades the connection to TLS and sends the email over the encrypted channel.
Malicious actors have two ways of disrupting this process. They can re-route the email to a server under their control (for example by spoofing the domain's MX records, since opportunistic TLS does not validate the server's certificate), or they can strip the STARTTLS advertisement from the reply so that the negotiation fails. A failed negotiation prompts the MTA to fall back to an unencrypted connection. Either way, the attacker can read the email.
MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) prevents both: it requires TLS, and it requires the presented certificate to be valid for an MX host listed in the domain's published policy.
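The exchange described above, as an added example that is not part of the original article: a Python simulation of a receiving server's EHLO reply, a constructed attacker filter that strips the STARTTLS advertisement, and the decision a sending MTA makes with no policy, with a policy in testing mode and with a policy in enforce mode. The hostnames and reply lines are constructed; nothing touches the network.

```python
"""Simulated STARTTLS negotiation: an SMTP downgrade and how MTA-STS blocks it.

Added example, not code from the original article. The EHLO reply, the
attacker filter and the hostnames are constructed; nothing is sent on the
network.
"""

# Constructed EHLO reply from a receiving MX that supports STARTTLS. Every
# line but the last is "250-<keyword>"; the last uses "250 <keyword>".
EHLO_REPLY_HONEST = [
    "250-mx1.example.com Hello sender.example.org",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250-ENHANCEDSTATUSCODES",
    "250 8BITMIME",
]


def _keyword(line):
    """Extension keyword of one reply line ('250-SIZE 52428800' -> 'SIZE')."""
    return line[4:].split(" ", 1)[0].upper()


def advertised_extensions(ehlo_lines):
    """Set of SMTP extensions advertised in an EHLO reply.

    The first line carries the server greeting rather than an extension and is
    skipped; any line not starting with 250 is treated as a protocol error.
    """
    exts = set()
    for line in ehlo_lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected reply line: {line!r}")
        exts.add(_keyword(line))
    return exts


def mitm_strip_starttls(ehlo_lines):
    """Constructed attacker-in-the-middle: drop the STARTTLS line from the reply.

    Real downgrade tooling either removes the line or rewrites it; the sender
    then sees no STARTTLS and, without a policy, continues in clear text. The
    '250-' / '250 ' continuation markers are rebuilt so the tampered reply is
    still well-formed SMTP.
    """
    body = [line[4:] for line in ehlo_lines if _keyword(line) != "STARTTLS"]
    return [f"250-{b}" for b in body[:-1]] + [f"250 {body[-1]}"]


def sender_decision(ehlo_lines, policy_mode):
    """What the sending MTA does after reading the EHLO reply.

    policy_mode is None (no MTA-STS policy known for the domain, so plain
    opportunistic TLS), "testing" or "enforce" (the RFC 8461 modes).
    Returns (action, channel): action is "deliver" or "defer", channel is
    "tls", "plaintext" or None.
    """
    if "STARTTLS" in advertised_extensions(ehlo_lines):
        # Normal case: upgrade to TLS. (With a policy, the sender additionally
        # validates the certificate against the policy's MX list.)
        return ("deliver", "tls")
    if policy_mode == "enforce":
        # MTA-STS enforce: the message is not sent in the clear. It stays in
        # the queue for a later retry, and the failure is reported via TLS-RPT
        # with result type "starttls-not-supported".
        return ("defer", None)
    # No policy, or testing mode: fall back to clear text, which is exactly
    # what the downgrade attacker wants. Testing mode still produces a TLS-RPT
    # failure report, so the domain owner learns about it.
    return ("deliver", "plaintext")


if __name__ == "__main__":
    tampered = mitm_strip_starttls(EHLO_REPLY_HONEST)
    for mode in (None, "testing", "enforce"):
        print(mode, "honest:", sender_decision(EHLO_REPLY_HONEST, mode),
              "tampered:", sender_decision(tampered, mode))
```

The point of the three modes is visible in the last function: only enforce changes the outcome of a stripped reply from "deliver in plaintext" to "do not deliver", which is why a domain should run in testing mode first and read its TLS-RPT reports before switching.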
Where Does MTA-STS Come Into The Picture?
MTA-STS is an email security standard (RFC 8461, published in 2018) that lets a receiving domain declare how mail destined for it must be delivered. It enables the domain owner to require that senders deliver email to the domain only over secure (TLS-encrypted and certificate-validated) connections.
MTA-STS instructs sending SMTP servers to encrypt the connection to the receiving server. It also requires that the name on the receiving server's certificate match an MX host listed in the policy, which defeats re-routing to an attacker's server. The policy is published in two places: a DNS TXT record at _mta-sts.<domain> that announces the policy and carries a version id, and a policy file served over HTTPS at https://mta-sts.<domain>/.well-known/mta-sts.txt that lists the permitted MX hosts, a lifetime (max_age) and a mode (testing, enforce or none) telling the sending party what to do if it cannot negotiate an encrypted, authenticated channel.
MTA-STS mitigates MITM (Man-In-The-Middle) and SMTP Downgrade attacks that allow malicious actors to read or manipulate an email while in transit.
Does That Make MTA-STS Fully Secure?
MTA-STS ensures that mail to the domain is exchanged over encrypted connections and that the receiving server is authenticated. It does not, however, protect the email from anyone who has access to the receiving server: TLS protects the message only while it is on the wire, and each MTA decrypts it on receipt, so messages typically sit on servers in plain text. Anyone with access to the mailbox store can still read them, so insider threats remain. Two further limits apply: MTA-STS protects only mail sent to a domain that publishes a policy, and only from senders that implement the standard; mail from a sender that ignores the policy is delivered exactly as before.
How Do You Configure MTA-STS?
Gmail was amongst the first major email providers to support MTA-STS, both for sending and for receiving. The following are the steps, in brief, to configure MTA-STS for a domain hosted on Google Workspace; the same artifacts are needed for any receiving domain.
- Check the domain's current MTA-STS configuration (whether a _mta-sts TXT record and a policy file already exist).
- Create an MTA-STS policy file listing the domain's MX hosts, a mode and a max_age.
- Publish the policy at https://mta-sts.<domain>/.well-known/mta-sts.txt behind a valid HTTPS certificate.
- Add the DNS TXT records (_mta-sts.<domain> for MTA-STS and _smtp._tls.<domain> for TLS-RPT) to turn on MTA-STS and TLS-RPT.
Start with mode: testing, read the TLS-RPT reports for a while, then switch to enforce. Whenever the policy file changes, change the id in the TXT record as well; senders only refetch the policy when the id differs from the one they have cached.
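The steps above produce two artifacts (a DNS TXT record and an HTTPS-served policy file) plus the TLS-RPT record. The following Python is an added example, not code from the article or from Google, showing what those artifacts look like and the consistency checks worth running before switching to enforce mode. The domain example.com, the MX hostnames, the id value and the reporting address are all constructed.

```python
"""Parse and sanity-check the artifacts an MTA-STS / TLS-RPT deployment publishes.

Added example (not from the original article or from Google). All names,
records and hostnames below are constructed; nothing is fetched from DNS or
HTTPS.
"""
import re

# 1. DNS TXT record published at _mta-sts.example.com (constructed).
STS_TXT_RECORD = "v=STSv1; id=20240115T093000Z"

# 2. Policy file served at https://mta-sts.example.com/.well-known/mta-sts.txt (constructed).
STS_POLICY_FILE = """version: STSv1
mode: enforce
mx: mx1.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""

# 3. TLS-RPT record published at _smtp._tls.example.com (constructed).
TLSRPT_TXT_RECORD = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"

# The MX hostnames the domain actually publishes in DNS (constructed).
DNS_MX_HOSTS = ["mx1.example.com", "mx2.backup-mx.example.net"]

MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age must not exceed one year in seconds


def parse_tag_value(record, expected_version):
    """Parse a 'k=v; k=v' TXT record (shape shared by the MTA-STS and TLS-RPT records)."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key.strip()] = value.strip()
    if fields.get("v") != expected_version:
        raise ValueError(f"version tag must be {expected_version}, got {fields.get('v')!r}")
    return fields


def parse_policy(text):
    """Parse the mta-sts.txt body into a dict; repeated 'mx' lines collect into a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def mx_pattern_matches(pattern, hostname):
    """RFC 8461 MX matching: '*' may appear only as the whole leftmost label and
    matches exactly one label, so '*.example.net' covers 'a.example.net' but
    neither 'example.net' nor 'a.b.example.net'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.net"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return pattern == hostname


def validate_deployment(txt_record, policy_text, dns_mx_hosts):
    """Return a list of problems; an empty list means the artifacts are consistent."""
    problems = []
    txt = parse_tag_value(txt_record, "STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", txt.get("id", "")):
        problems.append("TXT id must be 1-32 alphanumeric characters")
    policy = parse_policy(policy_text)
    if policy.get("version") != "STSv1":
        problems.append("policy version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        problems.append(f"unknown mode {policy.get('mode')!r}")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > MAX_AGE_LIMIT:
        problems.append("max_age must be an integer number of seconds, at most 31557600")
    if not policy["mx"]:
        problems.append("policy must list at least one mx entry")
    for pat in policy["mx"]:
        if "*" in pat and not re.fullmatch(r"\*\.[^*]+", pat):
            problems.append(f"wildcard allowed only as the whole leftmost label: {pat!r}")
    # The check that bites in enforce mode: every real MX must be covered,
    # otherwise compliant senders refuse to deliver to the uncovered host.
    for host in dns_mx_hosts:
        if not any(mx_pattern_matches(p, host) for p in policy["mx"]):
            problems.append(f"MX host {host} is not covered by any policy mx entry")
    return problems


if __name__ == "__main__":
    print(validate_deployment(STS_TXT_RECORD, STS_POLICY_FILE, DNS_MX_HOSTS) or "policy OK")
    print(parse_tag_value(TLSRPT_TXT_RECORD, "TLSRPTv1"))
```

The MX-coverage check is the one most often skipped: adding a new MX host in DNS without adding it to the policy, or forgetting to bump the TXT id afterwards, makes every MTA-STS-aware sender defer mail to that host.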
Understanding TLS-RPT In Brief
TLS-RPT stands for SMTP TLS Reporting (RFC 8460). The above discussion showed that MTA-STS requires every email delivered to a domain to be TLS encrypted. If TLS cannot be negotiated and the policy is in enforce mode, the email is not delivered. TLS-RPT is the standard by which sending servers report such delivery failures back to the receiving domain.
TLS by itself secures the connection only when both sides agree to use it, so malicious actors can still attempt attacks like an SMTP downgrade, forcing the message onto an unencrypted connection where its contents can be read or tampered with. MTA-STS complements TLS in securing all email communication by preventing the dispatch of such unencrypted emails.
TLS-RPT enables the domain owner to receive aggregate reports, typically one per sending organization per day, counting the sessions that failed and why. Thus, one can tell whether the cause is an attack or a misconfiguration and act accordingly to fix delivery issues.
TLS-RPT Works Hand-in-Hand with MTA-STS
TLS-RPT is the reporting companion to MTA-STS. With MTA-STS in place, the sending MTA negotiates with the receiving server to confirm that it supports STARTTLS, validates the server's certificate against the policy, and then delivers the email over TLS to the receiving MTA.
Malicious actors might attempt an SMTP downgrade attack that blocks or alters the negotiation between the two MTAs, tricking the sending MTA into thinking that the receiving MTA does not support STARTTLS. An ordinary sender would then fall back to sending the email without encryption. With an MTA-STS policy in enforce mode, the sending MTA instead refuses to deliver, keeps the message queued and retries later.
TLS-RPT enables the domain owner to learn of such instances. The sending MTA produces a report in JSON format describing the failed sessions (failure type, sending IP address, receiving MX hostname and counts) and sends it to the address published in the domain's TLS-RPT record. The report never includes the contents of the email.
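As an added example (not code from the article), the following Python builds a report in the RFC 8460 JSON shape from constructed session records, the way a sending MTA would at the end of a day, and then renders a received report as the plain-language summary a domain owner reads (the same translation the hosted TLS-RPT services described later perform). The organization names, IP addresses, hostnames and report id are constructed.

```python
"""Build and summarise a TLS-RPT aggregate report (RFC 8460 JSON shape).

Added example, not from the original article. Models the sending side, which
accumulates one record per SMTP session to a policy-protected domain and emits
one JSON report per day, and the receiving side, which turns that JSON into a
readable summary. All session records, names and addresses are constructed.
"""
import json
from collections import Counter

# One entry per delivery session the sending MTA attempted (constructed).
# result_type uses the RFC 8460 identifiers; None means the session succeeded.
SESSIONS = [
    {"mx": "mx1.example.com", "sending_ip": "203.0.113.10", "result_type": None},
    {"mx": "mx1.example.com", "sending_ip": "203.0.113.10", "result_type": None},
    {"mx": "mx1.example.com", "sending_ip": "203.0.113.10", "result_type": None},
    {"mx": "mx1.example.com", "sending_ip": "203.0.113.10", "result_type": "starttls-not-supported"},
    {"mx": "mx1.example.com", "sending_ip": "203.0.113.10", "result_type": "starttls-not-supported"},
    {"mx": "mx2.example.com", "sending_ip": "203.0.113.11", "result_type": "certificate-host-mismatch"},
]

# The policy the sender applied, echoed into the report (constructed).
POLICY_LINES = ["version: STSv1", "mode: enforce", "mx: mx1.example.com",
                "mx: mx2.example.com", "max_age: 604800"]


def build_tlsrpt_report(sessions, policy_domain, policy_lines, day, org, contact, report_id):
    """Aggregate session records into the RFC 8460 report structure.

    Failures are grouped by (result type, sending IP, receiving MX); only
    counts are recorded, never message contents or recipients.
    """
    failures = Counter()
    ok = 0
    for s in sessions:
        if s["result_type"] is None:
            ok += 1
        else:
            failures[(s["result_type"], s["sending_ip"], s["mx"])] += 1
    failure_details = [
        {"result-type": rt, "sending-mta-ip": ip, "receiving-mx-hostname": mx,
         "failed-session-count": n}
        for (rt, ip, mx), n in sorted(failures.items())
    ]
    return {
        "organization-name": org,
        "date-range": {"start-datetime": f"{day}T00:00:00Z", "end-datetime": f"{day}T23:59:59Z"},
        "contact-info": contact,
        "report-id": report_id,
        "policies": [{
            "policy": {"policy-type": "sts", "policy-string": policy_lines,
                       "policy-domain": policy_domain},
            "summary": {"total-successful-session-count": ok,
                        "total-failure-session-count": sum(failures.values())},
            "failure-details": failure_details,
        }],
    }


def to_json(report):
    """Serialise the report; in practice it is gzipped and mailed to the rua address."""
    return json.dumps(report, indent=2)


# What each RFC 8460 result type means for the domain owner (the plain-language layer).
EXPLANATIONS = {
    "starttls-not-supported": "receiving MX did not offer STARTTLS (possible downgrade attack or misconfigured MX)",
    "certificate-host-mismatch": "certificate does not match the MX hostname named in the policy",
    "certificate-expired": "certificate has expired",
    "certificate-not-trusted": "certificate chain is not trusted by the sender",
    "validation-failure": "other TLS validation failure",
    "sts-policy-fetch-error": "sender could not fetch the policy over HTTPS",
    "sts-policy-invalid": "policy file failed to parse or validate",
    "sts-webpki-invalid": "HTTPS certificate on the policy host is invalid",
}


def summarize_report(report_json):
    """Turn a received report (JSON text) into plain-language lines."""
    report = json.loads(report_json)
    lines = []
    for entry in report["policies"]:
        s = entry["summary"]
        total = s["total-successful-session-count"] + s["total-failure-session-count"]
        lines.append(f"{entry['policy']['policy-domain']}: {s['total-failure-session-count']} of "
                     f"{total} sessions failed (reported by {report['organization-name']})")
        for d in entry["failure-details"]:
            why = EXPLANATIONS.get(d["result-type"], d["result-type"])
            lines.append(f"  {d['failed-session-count']}x {d['result-type']} at "
                         f"{d['receiving-mx-hostname']} from {d['sending-mta-ip']}: {why}")
    return lines


if __name__ == "__main__":
    rpt = build_tlsrpt_report(SESSIONS, "example.com", POLICY_LINES, "2024-01-15",
                              "Sender Org", "mailto:tlsrpt@sender.example", "constructed-report-id-1")
    print("\n".join(summarize_report(to_json(rpt))))
```

Reading the summary, a burst of starttls-not-supported from many sending organizations at once points to an attack or an outage on the MX; a steady certificate-host-mismatch from everyone points to a certificate or policy mistake on the domain's own side.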
Why Is TLS-RPT Necessary?
TLS-RPT, in combination with MTA-STS, is essential because of the following points.
- MTA-STS mandates TLS encryption and, in enforce mode, blocks delivery when TLS cannot be negotiated. Thus, MTA-STS protects inbound mail from SMTP Downgrade attacks.
- TLS-RPT ensures that such failed deliveries are reported to the domain owner.
- MTA-STS and TLS-RPT together give the domain owner visibility into how senders are negotiating TLS with the domain's mail servers.
- TLS-RPT does not fix delivery issues by itself, but it pinpoints their source (a specific MX host, certificate or sender), thereby allowing the user to fix them promptly.
How Do Hosted MTA-STS And TLS-RPT Services Make Things Easier?
Hosted MTA-STS and TLS-RPT services take over publishing and maintaining the policy and DNS records that keep unencrypted emails from reaching a domain. Thus, they take in-transit email tampering out of the equation.
- Hosted TLS-RPT converts the complicated JSON reports into plain-language summaries that anyone can understand.
- They also help pinpoint the issues faced by the domain so that such matters can be resolved promptly without wasting time.
Phishing and spoofing are not the only attacks looming over your employees today; email tampering is a severe threat through which malicious actors could cause havoc for your organization. Tampering is possible because adversaries can read and alter emails that travel unencrypted. MTA-STS and TLS-RPT enhance the domain's security by making encryption compulsory for inbound mail and preventing delivery of unencrypted emails. Further, TLS-RPT provides a report of all such instances to enable one to take appropriate action, thereby improving one's security posture. These protocols are a must-have for your domain in today's times.
Join the thousands of organizations that use DuoCircle