Email security doesn’t stop at authentication. Even when you know who is sending a message, you still need to ensure it’s delivered securely. That’s where MTA-STS and TLS Reporting come in. Together, they help domain owners require encrypted delivery and understand whether that requirement is actually being met.
Valimail brings these capabilities together in a way that simplifies both deployment and ongoing visibility. With built-in MTA-STS hosting and integrated TLS reporting, you can configure your policy, monitor performance, and investigate issues without adding new infrastructure or piecing together external tools.
What is MTA-STS?
MTA-STS (Mail Transfer Agent Strict Transport Security) is a standard that allows domain owners to require encrypted (TLS) connections for inbound email. By publishing an MTA-STS policy, you tell sending mail servers which hosts are authorized to receive your email, that TLS must be used when delivering messages, and what to do if a secure connection cannot be established.
This helps protect against downgrade attacks and misconfigured or malicious MX records by ensuring that email is delivered securely and only to approved servers.
What is TLS Reporting?
TLS Reporting (TLS-RPT) works alongside MTA-STS to provide visibility into how email is being delivered.
When enabled, receiving domains get reports from sending systems that include whether TLS connections succeeded or failed, aggregate counts of successful and failed delivery attempts, and information about the types of failures encountered.
These reports help domain owners understand whether their MTA-STS policy is working as expected and identify delivery issues that may require attention.
MTA-STS easy setup
MTA-STS is now available to customers of Valimail Enforce, and setup is simple. We guide you through adding the required DNS records and selecting the appropriate policy.
Similar to how DMARC implementers typically start with a DMARC policy of “p=none” to monitor and collect data before jumping to rejections, here you can start in “testing” mode to begin collecting TLS-related email data before moving your policy to enforcement.
Clear visibility into TLS performance
TLS reporting is now available for all Valimail customers, including Enforce and Monitor. Customers can view success and failure counts for TLS connections, explore data across different time ranges, and even drill down into specific failures for more detail. Each reported failure includes a reason and supporting context, helping identify issues such as problems retrieving an MTA-STS policy or other delivery errors.
This makes it easier to monitor the health of your email infrastructure and determine when it’s appropriate to move from testing to enforcement.
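The reports described above are JSON documents in the format defined by RFC 8460. The following is an added example, not Valimail's code: it totals the success and failure counts per policy domain and groups failures by reason. The sample report is constructed, and the function names and the readiness threshold in `ready_to_enforce` are assumptions made for illustration.

```python
import json
from collections import Counter

# Constructed sample report in the RFC 8460 JSON layout (all values are made up).
SAMPLE_REPORT = json.dumps({
    "organization-name": "Sender Example Inc.",
    "date-range": {"start-datetime": "2024-01-01T00:00:00Z",
                   "end-datetime": "2024-01-01T23:59:59Z"},
    "report-id": "constructed-0001",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "example.com",
                   "policy-string": ["version: STSv1", "mode: testing",
                                     "mx: mx1.example.com", "max_age: 86400"]},
        "summary": {"total-successful-session-count": 980,
                    "total-failure-session-count": 20},
        "failure-details": [
            {"result-type": "certificate-expired",
             "receiving-mx-hostname": "mx2.example.com",
             "failed-session-count": 15},
            {"result-type": "sts-policy-fetch-error", "failed-session-count": 5},
        ],
    }],
})

def summarize(report_json):
    """Return per-domain totals, failure rate and failure counts by result type."""
    out = {}
    for entry in json.loads(report_json).get("policies", []):
        domain = entry.get("policy", {}).get("policy-domain", "unknown")
        s = out.setdefault(domain, {"ok": 0, "failed": 0, "by_type": Counter()})
        summary = entry.get("summary", {})
        s["ok"] += int(summary.get("total-successful-session-count", 0))
        s["failed"] += int(summary.get("total-failure-session-count", 0))
        # failure-details may be absent or empty when nothing failed.
        for d in entry.get("failure-details") or []:
            reason = d.get("result-type", "unknown")
            s["by_type"][reason] += int(d.get("failed-session-count", 0))
    for s in out.values():
        total = s["ok"] + s["failed"]
        s["failure_rate"] = s["failed"] / total if total else 0.0
    return out

def ready_to_enforce(stats, max_failure_rate=0.001):
    """Hypothetical rule of thumb: the threshold is an assumption, not a standard."""
    return stats["failure_rate"] <= max_failure_rate

if __name__ == "__main__":
    for domain, stats in summarize(SAMPLE_REPORT).items():
        print(domain, stats["failure_rate"], dict(stats["by_type"]),
              "enforce" if ready_to_enforce(stats) else "stay in testing")
```

In the sample, the expired certificate on one MX host accounts for most failures, which is the kind of issue to resolve while the policy is still in testing mode.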
Questions? Want to learn more?
We’re excited to bring you support for MTA-STS and the ability to provide feedback and reporting about TLS-related email delivery encryption successes and failures. If you have any questions or need support during the transition, please don’t hesitate to reach out.
And if you’re not yet a client but want to learn more about Valimail and our support for MTA-STS, reach out to us for a demo today!
Industry Research and Community Engagement Lead at Valimail
Al Iverson