In plain English
MTA-STS is a newer email security standard that complements SPF, DKIM, and DMARC. Where those three focus on verifying who sent an email, MTA-STS ensures that email travelling between mail servers is encrypted — preventing a network attacker from intercepting messages in transit by stripping the encryption.
Full definition
, , and do important work: they help receiving mail servers decide whether to trust a message claiming to be from your domain. But none of them protect the connection itself. Email travelling between mail servers can, without additional controls, be intercepted in transit by a network-level attacker who strips the before the message arrives.
MTA-STS fixes that. It lets a domain publish a policy via HTTPS declaring that any mail server delivering to it must use TLS encryption and must verify the server's certificate. A sending mail server fetches that policy before attempting delivery. If TLS is not available or the certificate does not match, the server does not downgrade and deliver anyway. It fails the connection. The policy is cached for a period set by the domain owner, which prevents an attacker from interfering with the policy fetch itself.
For Australian businesses running or Google Workspace, MTA-STS is straightforward to deploy and sits alongside DMARC as part of a complete email security configuration. It matters most in regulated industries where email carries legal, financial, or health information. A law firm or accounting practice that has DMARC in place but no MTA-STS has protected its sender reputation without protecting the confidentiality of what it sends.
