How to set up the SMTP Mail Transfer Agent - Strict Transport Security (MTA-STS) and SMTP Transport Layer Security - Reporting (TLS-RPT) in your organisation.
The Mail Transfer Agent - Strict Transport Security (MTA-STS) and Transport Layer Security - Reporting (TLS-RPT) email standards can prevent certain person-in-the-middle (PitM) attacks on inbound email and help you monitor for any attempted attacks. Government organisations have successfully deployed these security standards, but organisations should still conduct their own testing to make sure the solutions are compatible with their infrastructure.
This guidance covers how to set up TLS Reporting, and how to set up MTA-STS using a policy file.
The Government Security Centre for Cyber (Cyber GSeC) is actively supporting all Central Government organisations to safely deploy MTA-STS and TLS-RPT. In 2022, 93% of all MTA-STS Central Government deployments have been guided by us. Cyber GSeC time to you is free, please get in touch: firstname.lastname@example.org
You need to take the following steps before you can set up the MTA-STS standard.
All government departments, agencies, and arms-length bodies should register for the National Cyber Security Centre (NCSC) Mail Check service, which includes checks and guidance for those setting up MTA-STS and TLS-RPT.
Settings to check:
Tools that might be useful during the set up include:
It’s important to remember the MTA-STS policy you’re setting up only applies to incoming emails. You do not need to apply this to domains and/or subdomains that are used for outbound-only email on campaign systems like MailChimp, as outbound MTA-STS requires vendor support.
In scope domains or subdomains should include those with Mail Exchange (MX) records that receive email.
Note: Each subdomain requires a separate configuration because unlike DMARC, they do not inherit the policy of their parent domain.
If you do find lots of domains and subdomains you need to protect, set up on the domain or subdomain that receives the most email first.
You should use a Transport Layer Security (TLS) checking tool such as CheckTLS to make sure you have the right TLS configurations in place on your email server. You must also make sure you have TLSv1.2 in place, and that your certificates are valid.
If one of your servers does not support TLSv1.2, do not include this server in your MTA-STS policy. For example, you might set up a spam trap using a server that does not support TLS.
You must have valid and up-to-date certificates to set up MTA-STS. Make sure you have a process in place so your email certificates do not expire. If your certificates expire, email services that support MTA-STS will stop sending you email.
If you’re using a cloud email service, the supplier will automatically check for valid certificates. If you’re not using a cloud email service, you will need to set up notifications telling you when certificates are close to expiry. If you find expired certificates, you must renew them immediately.
If you are managing your own certificates, we recommend staggering their registration dates so not all of your email servers expire on the same day.
To check if you can set up MTA-STS on multiple domains you should:
4.1. Check to see if all your domains and/or subdomains use the same MX records. If they do, they can all use the same MTA-STS policy file.
4.2. Host 2 MTA-STS policy files - one for ‘testing’ mode and one for ‘enforce’ mode. This enables the onboarding of your domains and subdomains one at a time by just changing their DNS settings to point to the relevant policy file. Doing this reduces effort as you do not have to edit and manage multiple policy files.
4.3. Start with the domain or subdomain that receives the most email. You should always set MTA-STS up to work in ‘testing’ mode first and monitor the TLS-RPT reports for at least 2 weeks before moving to ‘enforce’ mode.
4.4. Create a plan for the other domains and start adding them once the initial domain or subdomain is working and TLS-RPT data is showing no failures.
Visit the following page for detailed guidance on how to configure MTA-STS and TLS-RPT using various hosting providers and mechanisms.
The Government Security Centre for Cyber (Cyber GSeC) would like to acknowledge the collaboration and hard work from the following individuals who helped to develop and test some of the hosting solutions in this document.