Increase SMTP security (MTA-STS and TLS)
About MTA-STS and TLS Reporting
Increase Gmail security by turning on MTA Strict Transport Security (MTA-STS) for your domain. MTA-STS improves Gmail security by requiring authentication checks and encryption for email sent to your domain. Use Transport Layer Security (TLS) reporting to get information about external server connections to your domain.
Like all mail providers, Gmail uses Simple Mail Transfer Protocol (SMTP) to send and receive mail messages. SMTP alone does not provide security, and many SMTP servers don’t have added security to prevent certain types of malicious attacks.
For example, SMTP is vulnerable to man-in-the-middle attacks. Man-in-the-middle is an attack where communication between two servers is intercepted and possibly changed without detection. Using MTA-STS to increase security for mail server connections helps prevent these types of attacks.
MTA-STS email security
SMTP connections for email are more secure when the sending server supports MTA-STS and the receiving server has an MTA-STS policy in enforced mode.
Receiving mail: When you turn on MTA-STS for your domain, you request external mail servers to send messages to your domain only when the SMTP connection is both:
- Authenticated with a valid public certificate
- Encrypted with TLS 1.2 or higher
Mail servers that support MTA-STS will send messages to your domain only over connections that have both authentication and encryption.
Sending mail: By default, mail messages from your domain comply with MTA-STS when sent to external servers with an MTA-STS policy in enforced mode.
When you turn on TLS reporting, you request daily reports from external mail servers that connect to your domain. The reports have information about any connection problems the external servers find when sending mail to your domain. Use report data to identify and fix security issues with your mail server.
Other Gmail security features
We recommend you also set up these email security features for your domain:
- Sender Policy Framework (SPF) - SPF specifies domains that can send messages for your organization.
- Domain-based Message Authentication, Reporting & Conformance (DMARC) - DMARC specifies how your domain handles suspicious emails.
- DomainKeys Identified Mail (DKIM) - DKIM verifies message content is authentic and not changed.
Steps to set up MTA-STS and TLS reporting
- Check the MTA-STS configuration for your domain.
- Create an MTA-STS policy.
- Publish the MTA-STS policy.
- Add DNS TXT records to turn on MTS-STS and TLS reporting.
Learn more about MTA-STS and TLS reports
SMTP security is optional, and standards require that SMTP accept plain text connections. SMTP alone supports best-effort mail delivery. There is no guarantee of message delivery or minimum quality of service. Although SMTP supports TLS, many SMTP servers don’t use TLS and are not secure.
Common security problems with SMTP servers include:
- Expired TLS certificates
- Certificates that do not match server domain names
- Certificates not issued by trusted third parties
- No support for secure protocols
Lack of security means SMTP connections are at risk for man-in-the-middle and other types of malicious attacks. Most mail providers try to send messages over SMTP connections that use TLS. However, if a TLS connection can’t be created, servers often send the message anyway.
MTA-STS tells sending servers to not send messages unless these conditions are true:
- The sending server supports MTA-STS.
- The receiving server has a published MTA-STS policy in enforced mode.
- Learn how to configure your TLS setting to require a secure connection for email to (or from) specific domains or email addresses that you list.
- Learn more about SMTP in RFC 3207.
TLS reporting requests that external mail servers send daily reports to the requesting domain. Reports can be emailed or uploaded to a web server. The reports have information about the domain’s MTA-STS and connection status. Report information includes: detected MTA-STS policies, traffic statistics, failed connections, and messages that couldn’t be sent.
The reports help you learn about any issues external servers might have when sending messages to your domain. You can start getting reports before your domain enforces MTA-STS encryption and authentication by setting your policy to testing mode. Fix any connection issues with your domain before changing your policy to enforced mode. Learn more about MTA-STS policy modes.
You might not receive many reports until TLS reporting is more widely used by mail providers.
Learn more about TLS reports in RFC 8460.