Increase Gmail security by turning on MTA Strict Transport Security (MTA-STS) for your domain. MTA-STS improves Gmail security by requiring authentication checks and encryption for email sent to your domain. Use Transport Layer Security (TLS) reporting to get information about external server connections to your domain.
Like all mail providers, Gmail uses Simple Mail Transfer Protocol (SMTP) to send and receive messages. SMTP alone does not provide security, and many SMTP servers don’t have added security to prevent malicious attacks.
For example, SMTP is vulnerable to man-in-the-middle attacks. Man-in-the-middle is an attack where communication between two servers is intercepted and possibly changed without detection. Using MTA-STS to secure mail server connections helps prevent these types of attacks.
MTA-STS email security
SMTP connections for email are more secure when the sending server supports MTA-STS and the receiving server has an MTA-STS policy in enforced mode.
Receiving mail: When you turn on MTA-STS for your domain, you request external mail servers to send messages to your domain only when the SMTP connection is both:
- Authenticated with a valid public certificate
- Encrypted with TLS 1.2 or higher
Mail servers that support MTA-STS will send messages to your domain only over connections that have both authentication and encryption.
Sending mail: Gmail messages from your domain comply with MTA-STS when sent to external servers with an MTA-STS policy in enforced mode.
When you turn on TLS reporting, you request daily reports from external mail servers that connect to your domain. The reports have information about any connection problems the external servers find when sending mail to your domain. Use report data to identify and fix security issues with your mail server.
Other Gmail security features
Best practices for email authentication
We recommend you always set up these email authentication methods for your domain:
- SPF lets servers verify that messages appearing to come from a particular domain are sent from servers authorized by the domain owner.
- DKIM adds a digital signature to every message. This lets receiving servers verify that messages aren't forged, and weren't changed during transit.
- DMARC enforces SPF and DKIM authentication, and lets admins get reports about message authentication and delivery.
Steps to set up MTA-STS and TLS reporting
- Check the MTA-STS configuration for your domain.
- Create an MTA-STS policy.
- Publish the MTA-STS policy.
- Add DNS TXT records to turn on MTA-STS and TLS reporting.
Learn more about MTA-STS and TLS reports
SMTP security is optional, and internet standards require that SMTP accept plain text connections. SMTP alone supports best-effort mail delivery. There’s no guarantee of message delivery or minimum quality of service. SMTP supports TLS but many SMTP servers don’t use TLS and are not secure.
Common security problems with SMTP servers include:
- Expired TLS certificates
- Certificates that do not match server domain names
- Certificates not issued by trusted third parties
- No support for secure protocols
Lack of security means SMTP connections are at risk for man-in-the-middle and other types of malicious attacks. Most mail providers try to send messages over SMTP connections that use TLS. However, if a TLS connection can’t be created, servers often send the message anyway.
MTA-STS tells sending servers to not send messages unless these conditions are true:
- The sending server supports MTA-STS.
- The receiving server has a published MTA-STS policy in enforced mode.
- Learn how to set up your TLS setting to require a secure connection for email to (or from) specific domains or email addresses that you list.
- Learn more about SMTP in RFC 3207.
TLS reporting request that external mail servers send you daily reports about the connections with your domain's mail servers. Reports can be emailed or uploaded to a web server. Use the reports to understand issues external servers might have when sending messages to your domain.
Reports have information about the MTA-STS status and connection status for your domain's mail servers, including:
- Any MTA-STS policies that are detected
- Traffic statistics
- Failed connections
- Messages that couldn’t be sent.
Before your domain enforces MTA-STS encryption and authentication, set your policy to testing mode. Check the daily reports to identify and fix any connection issues with your domain. Then, change your policy to enforce mode. Learn more about MTA-STS policy modes.
You might not receive many reports until TLS reporting is more widely used by mail providers.