What is MTA-STS, and how can it make my emails more secure?

Written by
Russell Greenwald


MTA-STS (Mail Transfer Agent-Strict Transport Security, for the curious) is a new email security standard developed by Google, Microsoft, and other service providers. 

First published in September 2018, the standard is now available to users of G Suite for email – giving millions of businesses a more secure way to communicate.  

But why do we need a new standard?

Well, historically, email has been sent over the internet unencrypted. This long-standing vulnerability potentially allows malicious people to intercept and read your emails in transit. To mitigate the risk of that happening, your IT department will likely have adopted one of a number of ways to encrypt your messages.

Unfortunately, many of these methods are clumsy, inefficient, and time-consuming.

The norm today is opportunistic encryption. In other words, when you send an email, your mail server will try to use encryption (especially if you’re using well-known service providers like Google and Office 365). First, your mail server establishes an SMTP connection with the server it intends to direct the message to. Then, during an initial ‘handshake’ transaction, the two servers agree on a transmission method for the message. If the receiving mail server agrees to support encryption, your server uses encryption to send the message – great.

If the receiving server doesn’t support encryption, most mail servers will default to sending the message anyway – unencrypted. As a result, we put up with the added complexity of third-party encryption tools, i.e. the portal whose password you can never remember.

It is not that Gmail and Office 365 don’t use encryption; rather, until now they have not been able to guarantee it.

So what does MTA-STS do to fix this?

Ultimately, what MTA-STS does is ensure emails sent to you are always encrypted, without relying on additional portals or software. Everyone gets to use email the way they’re used to, but their data remains safe in transit. The standard also allows you to more proactively enforce encryption for your incoming mail by publishing a DNS record that tells servers to use TLS 1.2 encryption whenever they send mail to you.  

Of course, the sending server still needs to support MTA-STS, but all of the major players do already. And as it becomes even more widely adopted, we’ll all be more secure. 

How do I get MTA-STS?

In order to take advantage of MTA-STS, the first thing you should do is reach out to your IT department. They’ll be able to set it up in testing mode, see who sends to you securely and who doesn’t, and then coordinate with those that don’t before you mandate secure email only.
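To make the two pieces above concrete (the DNS record and policy that tell sending servers to use TLS, and the difference between testing mode and enforcing mode), here is an added example that is not part of the original post and not code from Insource Services. It parses a constructed `_mta-sts` TXT record and policy file in the format defined by RFC 8461 and then shows what a sending server does with a delivery attempt under each mode. The domain names and the policy contents are placeholders made up for the example.

```python
"""Parse an MTA-STS TXT record and policy file, then apply the policy to a
delivery attempt. All sample data below is constructed for illustration."""

# Constructed sample of the DNS TXT record published at _mta-sts.example.com
SAMPLE_TXT = "v=STSv1; id=20190101000000Z"

# Constructed sample of the policy a receiving domain serves over HTTPS at
# https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


def parse_sts_txt(txt):
    """Split the 'v=STSv1; id=...' record into fields and validate it."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid MTA-STS TXT record")
    return fields


def parse_policy(text):
    """Parse 'key: value' policy lines; 'mx' may repeat, max_age is seconds."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy[key] = int(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy needs at least one mx entry")
    if "max_age" not in policy:
        raise ValueError("policy needs max_age")
    return policy


def mx_matches(pattern, host):
    """RFC 8461 MX matching: a leading '*.' matches exactly one leftmost label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # e.g. ".backup.example.com"
        prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return host == pattern


def sending_decision(policy, mx_host, tls_ok):
    """Decide whether a sending MTA delivers to mx_host.

    Returns ('deliver' | 'refuse', [problems]). In enforce mode any problem
    blocks delivery; in testing or none mode the mail is still sent and the
    problems are only reported (this is what TLS reporting is for)."""
    problems = []
    if not any(mx_matches(p, mx_host) for p in policy["mx"]):
        problems.append("mx-mismatch")
    if not tls_ok:
        problems.append("starttls-failed")
    if policy["mode"] == "enforce" and problems:
        return "refuse", problems
    return "deliver", problems


if __name__ == "__main__":
    record = parse_sts_txt(SAMPLE_TXT)
    policy = parse_policy(SAMPLE_POLICY)
    print("policy id:", record["id"], "mode:", policy["mode"])
    for host, tls in [("mail.example.com", True),
                      ("mail.example.com", False),
                      ("mx1.backup.example.com", True),
                      ("relay.example.net", True)]:
        print(host, tls, "->", sending_decision(policy, host, tls))
```

Switching the sample policy's `mode` line to `testing` makes `sending_decision` return `deliver` for every attempt while still listing the problems, which is exactly the "see who sends to you securely and who doesn't" phase described above; flipping it back to `enforce` is the point at which mismatched or unencrypted deliveries are refused.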

For more information on how to get MTA-STS up and running in your organization, get in touch with Insource Services at insource@insourceservices.com, or call us on (781) 235-1490.