MTA-STS Survey 2024: Adoption Rates and Common Pitfalls
MTA-STS, Google's alternative to DANE, which relies on HTTPS instead of DNSSEC to thwart Man-in-the-Middle downgrade attacks on the opportunistic encryption of SMTP traffic, was introduced over five years ago. We've conducted a comprehensive survey among the top 1 million domains to assess the adoption rate of MTA-STS and identify common issues or incorrect implementations.
If you're unfamiliar with MTA-STS and DANE and their intended purposes, I recommend reading my blog post for a detailed explanation: MTA-STS Explained.
Results
As of January 2024, a relatively small number of domains, 2924 or 0.3%, have incorporated the MTA-STS TXT record into their DNS settings. This represents a tenfold increase from November 2021. However, it's noteworthy that a considerable 19.5% of these implementations are rendered ineffective due to various errors. The most frequently encountered issues are as follows:
- Absence of
A
orAAAA
record for themta-sts
subdomain (29.4%). - Invalid or missing HTTPS certificate (29.1%).
- Failure to establish a secure connection with the MX host (9.4%).
- Mismatch between the MX certificate name and the hostname (7.5%).
- Expired HTTPS certificate (5.2%).
- Missing MX record in MTA-STS policy (4.3%).
Other less frequent errors also contribute to the ineffectiveness of these implementations. These include incorrect max_age
values, incorrect media types
, inconsistencies in policy across IPv4
and IPv6
, multiple MTA-STS TXT records for a single domain, and missing, invalid, or duplicate policy elements.
We have published the entire list of domains with a misconfigured MTA-STS policy.
MTA-STS ready?
To ascertain if a domain has an MTA-STS policy or is prepared to implement one, utilize our free online tool. This resource is not just limited to verifying the presence of an MTA-STS policy; it also evaluates the existing email configuration to confirm that all MX servers are TLS-enabled and have valid certificates. If a domain successfully passes these checks, it signifies readiness to adopt MTA-STS to protect against Man-in-the-Middle (MitM) downgrade attacks.
Policy
The MTA-STS policy setting governs the enforcement of email transport security. It offers three options: enforce
, testing
, and none
. The enforce
option, chosen by 54% of valid policies, mandates using TLS for email transmission. 45% are set to testing
, a mode that allows for monitoring the policy's impact without enforcing it. The remaining 1% opt for none
, which indicates no specific preference for email transport security, permitting regular SMTP operations.
In summary, only 1278 domains (0,13%) effectively combat Man-in-the-Middle downgrade attacks on their inbound email by correctly implementing an enforced MTA-STS policy.
Hosted MTA-STS services
Approximately 20% of all MTA-STS policies are managed by third-party services. Here's a top 5 list of the largest Hosted MTA-STS providers.
- PowerDMARC (39%)
- URIports (15%)
- Mailhardener (12%)
- EasyDMARC (10%)
- OnDMARC (7%)
Hosted MTA-STS by URIports
In response to the challenges associated with MTA-STS implementation, URIports offers Hosted MTA-STS, streamlining the process in minutes. This user-friendly solution automates policy generation, ensures accurate DNS configuration, and handles HTTPS certificates, thus eliminating common implementation errors. Hosted MTA-STS is included at no extra charge in Pebble Plus, Stone, Mountain, and Himalaya subscriptions.
Conclusion
Despite being a step towards enhancing email transport security, the adoption of MTA-STS remains notably low. Furthermore, the high prevalence of flawed implementations, accounting for over a fifth of all MTA-STS deployments, highlights a critical gap in understanding or resources devoted to proper configuration. The issues indicate a broader need for better awareness and technical guidance in the industry. As email continues to be a vital communication tool in our digital age, the importance of secure email transport cannot be overstated. It is imperative for domain owners and administrators to not only adopt security protocols like MTA-STS but also to ensure their correct implementation.