
MTA-STS & TLS-RPT — Encrypted SMTP Enforcement

Force Encrypted Delivery.
Know When It Fails.

MTA-STS (Mail Transfer Agent Strict Transport Security) tells sending mail servers that they may deliver to your domain only over a valid TLS connection — preventing downgrade attacks that intercept emails in transit. TLS-RPT reports tell you every time a TLS connection attempt fails, so nothing goes unnoticed.

TLS Enforcement · TLS-RPT Reports · Downgrade Protection · Failure Alerts · BIMI Pre-req

MTA-STS & TLS-RPT

  • 100% TLS Encryption Enforced
  • Zero Downgrade Attacks Possible
  • Daily TLS-RPT Reports Processed
  • < 30min Setup Time
  • 99.9% TLS Connection Success Rate
  • 4.9★ Customer Rating
MTA-STS & TLS-RPT Capabilities

Enforce Encrypted SMTP.
Report Every Failure.

Without MTA-STS, a network attacker between your sending server and the recipient's server can force a downgrade to unencrypted SMTP — intercepting or modifying emails in transit. MTA-STS prevents this completely. TLS-RPT reports summarise every TLS connection attempt to your domain, including each failure and its cause.

01 MTA-STS Policy Hosting

MTA-STS works by publishing a policy file at a well-known HTTPS URL on your domain (https://mta-sts.yourdomain.com/.well-known/mta-sts.txt). Migomail hosts this policy file on your behalf — you add a single DNS TXT record pointing to our infrastructure, and the policy file is served, updated, and maintained automatically.

  • Managed policy file hosting
  • Automatic HTTPS serving
  • DNS TXT record generation
  • Policy ID rotation
02 Downgrade Attack Prevention

Without MTA-STS, a malicious actor performing a man-in-the-middle attack on SMTP traffic can send a "STARTTLS not available" signal, forcing the sending server to fall back to unencrypted SMTP. MTA-STS tells sending mail servers that your domain only accepts TLS — any server that cannot establish a valid TLS connection must queue the email, not deliver it unencrypted.

  • STARTTLS downgrade prevention
  • Certificate validation enforcement
  • Invalid certificate rejection
  • Enforced or testing mode
03 TLS-RPT Report Processing

TLS Reporting (TLS-RPT) is a companion standard under which sending servers send daily aggregate reports to a specified address, summarising their TLS connection attempts to your mail servers and every failure among them. These reports — similar in structure to DMARC RUA reports — show you every TLS failure event, the reason for failure, the sending server, and the volume. Migomail processes these reports and presents them as readable dashboards.

  • Daily TLS-RPT report ingestion
  • Failure type classification
  • Sending server identification
  • Trend analysis over time
04 TLS Failure Alerting

When a TLS connection failure is reported — whether due to certificate expiry, misconfiguration, or an attempted downgrade attack — Migomail sends an immediate alert with the failure type, the affected mail server, the sending infrastructure that encountered the failure, and a recommended remediation action.

  • Certificate expiry alerts
  • Misconfiguration detection
  • Downgrade attempt alerts
  • Remediation guidance
05 BIMI Pre-Requisite Coverage

Google's BIMI implementation requires MTA-STS at "enforce" mode (mode: enforce rather than mode: testing) alongside DMARC p=reject. Migomail's MTA-STS service is pre-configured for BIMI compatibility — your policy file is automatically set to enforce mode and your TLS-RPT reporting address is configured for full coverage.

  • enforce mode by default
  • BIMI compatibility verified
  • Combined with Hosted DMARC
  • Logo display readiness
06 Multi-Domain MTA-STS Management

If you receive email on multiple domains — yourbrand.com, mail.yourbrand.com, support.yourbrand.com — each domain that receives inbound mail should have its own MTA-STS policy. Migomail manages separate policy files and TLS-RPT configurations for every domain under your account, with per-domain dashboards and alerting.

  • Separate policy per domain
  • Unified TLS-RPT dashboard
  • Subdomain coverage
  • Per-domain TLS failure tracking

How MTA-STS Protects SMTP

What Happens Before
an Email is Delivered to Your Server

Before delivering an email, the sending mail server (MTA) looks up the recipient's MTA-STS policy. If the policy says "enforce", the sending MTA must establish a valid TLS connection — or it cannot deliver the email at all. No exceptions.

✓ With MTA-STS (mode: enforce)

Parties involved: the sending MTA (Gmail / Migomail / other ESP); the DNS + policy server (_mta-sts TXT + HTTPS policy file); your mail server (mx.yourbrand.com).

  1. Look up MTA-STS DNS TXT record for recipient domain
  2. Fetch policy file from https://mta-sts.domain.com/.well-known/mta-sts.txt
  3. Read policy: mode, max_age, MX hostnames
  4. DNS returns _mta-sts TXT record with policy version + ID
  5. HTTPS server returns policy file (hosted by Migomail)
  6. Sending MTA reads: mode=enforce, MX must match policy
  7. Sending MTA opens TCP connection to mx.yourbrand.com
  8. Sending MTA issues STARTTLS — must succeed or abort
  9. TLS handshake completes with valid certificate — email delivered encrypted

Result: email delivered over TLS — fully encrypted, certificate validated.

Without MTA-STS — Downgrade Attack Possible

Without MTA-STS, a man-in-the-middle attacker can intercept the SMTP connection and respond with "STARTTLS not available" — causing the sending MTA to fall back to unencrypted SMTP delivery. The email is then transmitted in plaintext, readable by the attacker. MTA-STS eliminates this possibility by requiring the sending MTA to abort delivery (and queue for retry) if TLS cannot be established.
What Migomail Generates & Hosts

The Exact Files and Records
That Enable MTA-STS and TLS-RPT

Migomail generates all required files and provides the exact DNS records to add. You never write policy files manually or manage HTTPS infrastructure.

https://mta-sts.yourbrand.com/.well-known/mta-sts.txt (✓ Hosted by Migomail)

version: STSv1            Required. Must be exactly STSv1.
mode: enforce             enforce = reject if TLS fails. testing = report only. none = disable.
mx: mx.yourbrand.com      Allowlisted MX hostname. Must match your actual MX records.
mx: mail.yourbrand.com    Additional MX hostname (if multiple MX records).
max_age: 86400            Cache TTL in seconds. 86400 = 24 hours.

DNS TXT Record (add to yourbrand.com)
_mta-sts.yourbrand.com TXT "v=STSv1; id=20241201T000000"

TLS-RPT DNS TXT Record
_smtp._tls.yourbrand.com TXT "v=TLSRPTv1; rua=mailto:tlsrpt@migomail.com"

Policy File (mta-sts.txt)

The policy file is a plain-text file served over HTTPS at the well-known URL. It tells sending MTAs: "only deliver to our domain over TLS, and only to these specific MX hostnames." Migomail hosts this file on our infrastructure using your mta-sts subdomain — you delegate the subdomain to us with a CNAME record.

_mta-sts DNS TXT Record

The DNS TXT record at _mta-sts.yourdomain.com tells sending MTAs that an MTA-STS policy exists for your domain and provides a policy ID. When the ID changes, sending MTAs know to re-fetch the policy file. Migomail rotates the policy ID automatically when the policy is updated.

_smtp._tls DNS TXT Record (TLS-RPT)

The TLS-RPT reporting record tells sending MTAs where to send TLS failure reports. Migomail receives these reports at our dedicated address, processes the JSON data, and presents failures as a readable dashboard with alerts for any TLS issues affecting inbound delivery to your domain.

CNAME for mta-sts Subdomain

Migomail hosts the policy file HTTPS endpoint. You add a CNAME record pointing mta-sts.yourbrand.com to our infrastructure. Migomail handles SSL/TLS certificate management for that subdomain, ensuring the policy file is always accessible over valid HTTPS as required by the MTA-STS spec.
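The checks a sending MTA performs on the policy file and the _mta-sts TXT record above, as an added example that is not Migomail's code: it parses and validates an mta-sts.txt body per RFC 8461, matches an MX hostname against the policy (including the RFC's leading-dot wildcard form, which the page does not show), and extracts the policy id from the TXT record. The sample policy is the one shown on this page.

```python
import re

VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age may not exceed one year of seconds

def parse_mta_sts_policy(text):
    """Parse an mta-sts.txt body into a dict and validate it per RFC 8461 (ValueError if invalid)."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed line: %r" % line)
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in ("version", "mode", "max_age"):
            policy[key] = value
        # unknown keys are ignored, as the RFC requires, for forward compatibility
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) > MAX_AGE_LIMIT:
        raise ValueError("max_age must be an integer number of seconds, at most one year")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx entry is required unless mode is none")
    return policy

def mx_matches(policy, hostname):
    """True if hostname is in the mx list; a leading-dot pattern matches exactly one extra label (RFC 8461 4.1)."""
    host = hostname.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("."):
            first_label, dot, rest = host.partition(".")
            if dot and first_label and rest == pattern[1:]:
                return True
        elif host == pattern:
            return True
    return False

def parse_mta_sts_txt(record):
    """Return the policy id from a _mta-sts TXT record such as
    'v=STSv1; id=20241201T000000'; the id must be 1-32 alphanumeric characters."""
    fields = dict(f.strip().split("=", 1) for f in record.split(";") if f.strip())
    if fields.get("v") != "STSv1" or not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("invalid _mta-sts record: %r" % record)
    return fields["id"]
```

A delivery to an MX hostname for which mx_matches returns False is exactly the "MX policy mismatch" case described in the TLS-RPT section: in enforce mode the sender queues the mail instead of delivering it.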

TLS-RPT Failure Intelligence

Three Types of TLS Failure
TLS-RPT Reveals — and How to Fix Them

TLS-RPT reports classify every failed TLS connection attempt by failure type. Each type has a different root cause and a different remediation action.

Certificate Validation Failure

The sending MTA connected successfully but rejected the TLS certificate — because it was expired, self-signed, or issued for a different hostname.

Sample TLS-RPT Failure Record:
  failure-type: certificate-expired
  affected-mx: mx.yourbrand.com
  count: 1,240
  first-seen: 2024-12-01

Remediation: Your SSL/TLS certificate on mx.yourbrand.com has expired or does not cover the MX hostname. Renew the certificate and ensure the Common Name or SAN matches the hostname in your MTA-STS policy.

STARTTLS Not Supported

The sending MTA connected to your mail server but the server did not offer STARTTLS in the SMTP EHLO response — forcing a fallback to unencrypted delivery, which MTA-STS prevents.

Sample TLS-RPT Failure Record:
  failure-type: starttls-not-supported
  affected-mx: mail.yourbrand.com
  count: 342
  first-seen: 2024-11-28

Remediation: Your secondary mail server (mail.yourbrand.com) is not configured to offer STARTTLS. Enable STARTTLS on the SMTP listener. All MX hostnames listed in your MTA-STS policy must support STARTTLS.

MX Policy Mismatch

The MTA connected to an MX hostname not listed in the MTA-STS policy — often caused by an MX record change that was not reflected in the policy file.

Sample TLS-RPT Failure Record:
  failure-type: mx-mismatch
  expected-mx: mx.yourbrand.com
  found-mx: mx2.yourbrand.com
  count: 88

Remediation: A new MX record (mx2.yourbrand.com) was added to DNS but not added to the MTA-STS policy file. Migomail alerts you to MX mismatches automatically and updates the policy file.
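How the three failure types above look in an actual TLS-RPT report and how a receiver would classify them, as an added example that is not Migomail's processing code. The report is a constructed sample in the RFC 8460 JSON format; note that the RFC's field names (result-type, receiving-mx-hostname, failed-session-count) differ from the simplified labels used in the records above, and the RFC has no mx-mismatch type, so the example flags an MX mismatch by comparing the receiving hostname against the policy's mx list. The remediation strings follow this page's guidance.

```python
import json
from collections import Counter

# Constructed sample in the RFC 8460 report format; not a real report from any sender.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sending Org",
    "date-range": {"start-datetime": "2024-12-01T00:00:00Z",
                   "end-datetime": "2024-12-01T23:59:59Z"},
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "yourbrand.com",
                   "mx-host": ["mx.yourbrand.com", "mail.yourbrand.com"]},
        "summary": {"total-successful-session-count": 5326,
                    "total-failure-session-count": 1670},
        "failure-details": [
            {"result-type": "certificate-expired", "sending-mta-ip": "192.0.2.10",
             "receiving-mx-hostname": "mx.yourbrand.com", "failed-session-count": 1240},
            {"result-type": "starttls-not-supported", "sending-mta-ip": "192.0.2.11",
             "receiving-mx-hostname": "mail.yourbrand.com", "failed-session-count": 342},
            {"result-type": "certificate-host-mismatch", "sending-mta-ip": "192.0.2.12",
             "receiving-mx-hostname": "mx2.yourbrand.com", "failed-session-count": 88},
        ],
    }],
})

# Remediation hints per RFC 8460 result-type, following the guidance on this page.
REMEDIATION = {
    "certificate-expired": "renew the certificate on the affected MX",
    "certificate-host-mismatch": "certificate CN/SAN must cover the MX hostname",
    "starttls-not-supported": "enable STARTTLS on the affected MX's SMTP listener",
}

def summarize_tls_report(report_json, policy_mx):
    """Aggregate failures per (result-type, receiving MX) and flag MX hosts that
    appear in failure details but are absent from the MTA-STS policy's mx list."""
    report = json.loads(report_json)
    failures, unknown_mx, total_ok, total_fail = Counter(), set(), 0, 0
    for entry in report["policies"]:
        if entry["policy"].get("policy-type") != "sts":
            continue  # reports can also cover DANE policies; only MTA-STS matters here
        total_ok += entry["summary"]["total-successful-session-count"]
        total_fail += entry["summary"]["total-failure-session-count"]
        for detail in entry.get("failure-details", []):
            mx = detail.get("receiving-mx-hostname", "<unknown>").lower()
            failures[(detail["result-type"], mx)] += detail["failed-session-count"]
            if mx not in policy_mx:
                unknown_mx.add(mx)  # an MX record change not reflected in the policy
    actions = {rt: REMEDIATION.get(rt, "investigate") for (rt, _mx) in failures}
    return {"reporter": report["organization-name"], "ok": total_ok, "failed": total_fail,
            "failures": dict(failures), "unknown_mx": sorted(unknown_mx), "actions": actions}
```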
How It Works

From Zero to Enforced TLS
on All Inbound SMTP in Under 30 Minutes

01 Add CNAME Record
Add a CNAME record: mta-sts.yourbrand.com → hosted.migomail.com. This delegates the MTA-STS HTTPS endpoint to Migomail's infrastructure.

02 Add TXT Records
Add two TXT records: _mta-sts.yourbrand.com (policy pointer) and _smtp._tls.yourbrand.com (TLS-RPT reporting address). Migomail generates both values.

03 Policy Goes Live
Migomail serves your policy file over HTTPS immediately. Sending MTAs that support MTA-STS begin fetching and caching your policy within 24 hours.

04 TLS-RPT Reports Flow
Sending MTAs that encounter TLS issues send JSON reports to Migomail's reporting address. Reports are processed and appear in your dashboard within hours.

05 Monitor & Alert
Ongoing: Migomail monitors your TLS-RPT data, alerts you to certificate issues or MX mismatches, and updates the policy file when your MX configuration changes.

Why MTA-STS Matters

What Percentage of Your Inbound
Email is Protected Without MTA-STS

Most modern mail servers support STARTTLS — but "support" is not the same as "enforced". Without MTA-STS, opportunistic TLS can be downgraded by a network attacker. MTA-STS changes opportunistic TLS into strict, enforced TLS.

Inbound SMTP — Without MTA-STS
Downgrade attacks possible on all connections
  • Gmail (Google): 96%
  • Outlook / M365: 94%
  • Yahoo Mail: 91%
  • Small ISPs / Custom MTAs: 62%
  • Legacy corporate mail servers: 34%

Inbound SMTP — With MTA-STS (enforce)
All participating senders enforce TLS — downgrade impossible
  • Gmail (Google): 100%
  • Outlook / M365: 100%
  • Yahoo Mail: 100%
  • Small ISPs / Custom MTAs: 98%
  • Legacy servers: 100%

  • < 30min Full Setup Time
  • 100% TLS Enforcement Coverage
  • 3 DNS Records Required
  • 4.9★ Customer Rating

What Security Teams Say

From Infrastructure and Security Teams
Using Migomail MTA-STS

★★★★★

Our ISO 27001 auditor asked for evidence of encrypted email transit. Before Migomail MTA-STS, the best we could show was "we support STARTTLS" — which the auditor noted was opportunistic and not enforced. After implementing MTA-STS with enforce mode and TLS-RPT, we could show a policy that mandates TLS and daily reports confirming it. The auditor was satisfied. Setup took 25 minutes. I honestly expected it to be much harder.

Anand Krishnaswamy
Head of IT Security, Professional Services
★★★★★

We had tried to implement MTA-STS ourselves following the RFC specification. The policy file format is simple enough, but hosting it over HTTPS on the mta-sts subdomain, managing the SSL certificate for that subdomain, and configuring automatic policy ID rotation was genuinely time-consuming infrastructure work. Migomail's hosted service eliminated all of that. Three DNS records and it was done. The TLS-RPT dashboard is genuinely useful — it showed us on day one that two of our customers' MTAs were generating certificate validation failures when connecting to us, which we were able to trace to a wildcard certificate boundary issue.

Vikram Bose
DevOps Engineer, B2B SaaS

Ready to Enforce TLS on Every Email You Receive?

Three DNS records. 30 minutes. Every inbound SMTP connection to your domain is encrypted and verified. TLS-RPT tells you if anything fails.

Talk to Migomail

"Switching to Migomail cut our email costs by 40% and our inbox placement jumped to 98.7%. The onboarding team set up DKIM, SPF, and DMARC in a single call — and our campaigns have been running flawlessly ever since."

Rahul Menon

Head of Growth, SaaS Platform — India

GDPR & DPDP Compliant · 99%+ Inbox Placement · Reply in < 4 hrs

Book a Free Consultation

Tell us about your email programme and we'll show you how Migomail improves inbox placement, reduces costs, and automates your lifecycle flows.

No credit card. No commitment. We respond within 4 business hours.

FAQ

Frequently Asked Questions

Common questions about MTA-STS and TLS-RPT.

  • What is MTA-STS and why is it different from STARTTLS?

    STARTTLS is opportunistic — a sending mail server will use TLS if it is available, but will fall back to unencrypted SMTP if the connection negotiation fails or is interfered with. This makes STARTTLS vulnerable to downgrade attacks. MTA-STS is a policy standard that tells sending MTAs: "this domain only accepts email over valid TLS — if you cannot establish a TLS connection with a valid certificate, do not deliver the email unencrypted." Sending MTAs that support MTA-STS will queue the email and retry rather than falling back to plaintext delivery.

  • What is a TLS downgrade attack?

    A TLS downgrade attack occurs when an attacker positioned between two mail servers (man-in-the-middle) intercepts the SMTP connection and removes or modifies the STARTTLS extension advertisement — causing the sending server to believe the receiving server does not support TLS and fall back to unencrypted SMTP. The email is then transmitted in plaintext, readable by the attacker. MTA-STS prevents this by requiring the sending MTA to enforce TLS — if TLS fails (for any reason), the email is not delivered rather than falling back to plaintext.

  • What is TLS-RPT and what information does it provide?

    TLS Reporting (TLS-RPT, RFC 8460) is a companion standard to MTA-STS. When a sending MTA encounters a TLS failure while trying to deliver to your domain, it records the failure event. At the end of each 24-hour period, participating MTAs send a JSON report to the address specified in your _smtp._tls DNS TXT record. The report includes: the sending MTA identity, the type of TLS failure (certificate expired, STARTTLS not supported, MX mismatch, etc.), the number of affected messages, and the affected MX hostname.

  • Will MTA-STS cause any legitimate emails to fail?

    It can, if your mail server configuration has issues that MTA-STS makes visible. The most common problems are: an expired SSL/TLS certificate on an MX server, an MX hostname that is not covered by the certificate, or an MX record that is not listed in the MTA-STS policy file. This is exactly why Migomail starts with mode=testing — in testing mode, TLS failures are reported but not enforced, so you can identify and fix all certificate and configuration issues before switching to enforce mode. We recommend running in testing mode for at least 7 days and reviewing TLS-RPT reports before switching to enforce.

  • Does MTA-STS protect outbound emails I send, or only inbound emails I receive?

    MTA-STS protects inbound email — it tells other mail servers how to deliver email to your domain. For outbound email protection, DKIM, SPF, and DMARC are the relevant standards. However, many large email providers (Gmail, Outlook, Yahoo) publish their own MTA-STS policies, which means Migomail's sending infrastructure enforces TLS when delivering email to those providers — ensuring your outbound emails to major providers are also delivered encrypted.