
How Can MTA-STS and SMTP TLS Reporting Increase Your Email Security

The Simple Mail Transfer Protocol (SMTP) is one of the cornerstone protocols for sending and receiving email across the internet. When it was established in 1982, its designers did not specify any security measures for protecting the emails being sent. This was partly addressed in 1999 with the STARTTLS extension, which allows encryption between two interacting servers via TLS. But this is not enough, since SMTP still treats all encryption as optional.


How Was the SMTP’s Encryption Problem Solved?


In more recent years, Mail Transfer Agent Strict Transport Security (MTA-STS) has been introduced to enforce TLS deliberately. It is layered on top of the SMTP standard and lets a domain specify which SMTP servers may receive its mail, so that a sending server can reject receiving servers that do not present a valid TLS certificate.

Further, SMTP TLS Reporting (TLS-RPT), first documented in 2018, allows any issues relating to email delivery, including misconfigurations and deliveries attempted without TLS, to be compiled and presented in a report. This helps server admins keep track of email activity, including whether TLS encryption was used and which servers do not offer it.


Why is Email Transit Encryption Necessary?


SMTP encryption via TLS and MTA-STS is there to ensure emails are sent safely, and it also acts as a strong deterrent to various types of Man-in-the-Middle (MiTM) attacks. These include SMTP downgrade and DNS spoofing attacks, among others, and their growing popularity poses a threat to all email agents.


What is a MITM Attack?


Man-in-the-Middle attacks are, put simply, interceptions of email delivery transmissions that exploit a weakness in SMTP. The STARTTLS encryption command is not a direct part of SMTP. Rather, it was added after SMTP was established, which means there is a processing layer between the two. This is a perfect place for an attacker to launch a Man-in-the-Middle attack using an SMTP downgrade vector. Stripping or weakening the STARTTLS command defeats the encryption it would have negotiated and lets the attacker read the intercepted email in plaintext.

Alternatively, a MiTM attack can also happen via DNS spoofing. This involves altering the MX records in the DNS query response so that a mail server the attacker controls is listed instead. The attacker can then read the email, change it and forward it on to its intended destination. The receiver will not even know the change was made.


How Does MTA-STS and TLS Encryption Protect Against MiTM Attacks?


MTA-STS provides a policy file against which the DNS-based MX addresses are compared. Publishing this policy over an HTTPS-secured connection greatly reduces the chances of a successful DNS spoofing attack, because a spoofed MX record will not match a policy the attacker cannot alter. At the same time, the mechanism brings a number of other benefits: a general improvement in IT security, reduced exposure to pervasive monitoring attacks, and messages encrypted while in transit. Further, MTA-STS in enforce mode prevents a non-TLS server from receiving any email text at all. Not even cleartext will be sent through; the message will simply bounce back. Most major email services, including Microsoft and Google, support MTA-STS, which makes it a key element of all kinds of email safety protocols.
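As an added illustration of the policy check described above (example code written for this page, not code from the article or from any mail server), the following parses an MTA-STS policy in the text format the standard uses, matches MX hostnames against the policy's mx patterns, and shows how the policy mode decides whether a mismatch is refused or only reported. The policy text and the hostnames are constructed for the example.

```python
# Constructed sample of the policy text a sending MTA fetches from
# https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.net
max_age: 604800
"""

VALID_MODES = ("enforce", "testing", "none")


def parse_policy(text):
    """Parse policy text into a dict; every 'mx' line is collected in a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in VALID_MODES:
        raise ValueError("invalid MTA-STS policy")
    return policy


def mx_matches(pattern, host):
    """A leading '*.' matches exactly one leftmost label; otherwise the host
    must equal the pattern (case-insensitive, trailing dot ignored)."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def check_mx(policy, mx_host, tls_validated):
    """Decide whether delivery to mx_host is allowed. Returns (deliver, reason).
    A host missing from the policy (e.g. one injected by a spoofed MX answer)
    or a failed certificate validation is refused in enforce mode and only
    reported (via TLS-RPT) in testing mode; mode 'none' performs no checks."""
    if policy["mode"] == "none":
        return True, "policy mode none: no checks applied"
    listed = any(mx_matches(p, mx_host) for p in policy["mx"])
    if listed and tls_validated:
        return True, "MX matches policy and TLS certificate validated"
    problem = "MX host not in policy" if not listed else "TLS validation failed"
    if policy["mode"] == "enforce":
        return False, problem + ": delivery refused"
    return True, problem + ": delivered, failure reported (testing mode)"
```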


How Do SMTP TLS Reports Help Domain Admins?


SMTP TLS reports provide an in-depth analysis of your email servers along with critical diagnostic data. They are usually delivered in JSON format and will tell you of any discrepancies in your email delivery process. Depending on the report and its details, it may reveal DNS spoofing issues that you can identify easily from the file and then fix. You start receiving TLS-RPT reports from sending Mail Transfer Agents as soon as you turn reporting on. This helps you maintain domain policy integrity and also prevent spoofing.