What is RFC 8461 (MTA-STS)?

RFC 8461 defines MTA-STS (SMTP MTA Strict Transport Security), which lets domains declare that email should only be transmitted over encrypted connections. This prevents downgrade attacks, where attackers force unencrypted transmission.

MTA-STS works through policy files hosted at well-known URLs, allowing sending servers to discover and cache recipient domain security requirements. Domains can specify whether TLS is required and list valid certificate hosts.
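The policy check a sending server performs can be sketched as follows. This is an added example, not code from RFC 8461 or from any mail server; the field names (`version`, `mode`, `mx`, `max_age`) and the well-known path follow the RFC, while `example.com`, the sample policy, and the function names are constructed for illustration.

```python
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound on max_age, in seconds

# Constructed sample: the body a sender would fetch from
# https://mta-sts.example.com/.well-known/mta-sts.txt (example.com is a placeholder).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mx.example.com
max_age: 604800
"""

def parse_policy(text):
    """Parse a policy body; raise ValueError if it must not be applied."""
    fields, mx = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower().rstrip("."))
        else:
            fields.setdefault(key, value)  # duplicates: first occurrence wins
    if fields.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    if fields.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    max_age = fields.get("max_age", "")
    # Choice made in this example: reject, rather than clamp, an oversized max_age.
    if not (max_age.isascii() and max_age.isdigit()) or int(max_age) > MAX_AGE_LIMIT:
        raise ValueError("invalid max_age")
    if fields["mode"] != "none" and not mx:
        raise ValueError("policy lists no mx patterns")
    return {"mode": fields["mode"], "mx": mx, "max_age": int(max_age)}

def mx_allowed(policy, mx_host):
    """True if mx_host matches one of the policy's mx patterns."""
    host = mx_host.lower().rstrip(".")
    label, _, parent = host.partition(".")
    for pattern in policy["mx"]:
        # "*.suffix" covers exactly one left-most label, never the bare suffix.
        if host == pattern or (pattern.startswith("*.") and label and parent == pattern[2:]):
            return True
    return False

def may_deliver(policy, mx_host, cert_valid):
    # Only enforce mode blocks delivery; testing and none let the message through.
    return policy["mode"] != "enforce" or (cert_valid and mx_allowed(policy, mx_host))
```

Here `cert_valid` stands for the result of the sender's own TLS certificate validation of the MX host, which happens outside this sketch.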

Combined with DANE (DNS-based Authentication of Named Entities), MTA-STS strengthens email encryption by ensuring connections cannot be silently downgraded. This protects against surveillance and man-in-the-middle attacks during message transmission.