Gmail, The First Email Provider That Supports MTA-STS And TLS Reporting

Security on the web is a must, especially when it comes to sending and receiving confidential materials.

While messaging apps have long secured their users' messages with end-to-end encryption, email providers were still relying on the old Simple Mail Transfer Protocol (SMTP) to protect email.

Just a little less than two weeks after Gmail's 15th birthday, Google announced that the email provider has become the first to support two new security standards.

Called MTA-STS and TLS Reporting, these are extensions to SMTP.

The purpose of the two security standards is to help email providers establish cryptographically secure connections with one another. The main goal is to prevent SMTP man-in-the-middle attacks, which are considered the major problem in modern email.

Using MTA-STS and TLS Reporting, Gmail can create a secure channel for users to exchange emails, thus preventing SMTP man-in-the-middle attacks, where rogue email server operators can intercept, read, and modify the contents of people's emails.


Traditionally, SMTP has had one big problem: encryption is optional.

MTA-STS, or SMTP Mail Transfer Agent Strict Transport Security, is a standard that aims to improve the security of SMTP by enabling domain names to opt into strict transport layer security mode that requires authentication (valid public certificates) and encryption (TLS, or Transport Layer Security).

MTA-STS enables mail service providers to declare their ability to receive TLS-secured SMTP connections, and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.

MTA-STS can prevent these attack vectors because its signaling mechanism lets domains achieve two things: first, the ability to opt into robust transport layer security, and second, the ability to securely communicate what their MX servers should be.

As for TLS Reporting (or TLS-RPT for short), it is a standard that enables reporting of TLS connectivity problems experienced by applications that send email.

With this, Google can request daily reports from external mail servers that connect to a user's domain. The reports contain information about any connection problems the external servers encounter when sending mail to that domain, so the company can quickly identify and fix security issues with its mail servers.

When MTA-STS and TLS Reporting work together, they can prevent SMTP man-in-the-middle attacks against email traffic, or at least help email server administrators identify them.

TLS Reporting

When it comes to securing things on the web, the process and the strategy have become even more crucial.

People on the web share a lot of data. And with the internet getting better by the year, the amount of information uploaded to and downloaded from the web will keep increasing. Much of this information is confidential, which makes it alluring for hackers.

Even though companies are encrypting more email than ever before, it’s arguable that SMTP security lags behind that of the web. As a result, email providers can’t really expect to see valid certificates and strong encryption.

Email providers can opt to use DANE (DNS-based Authentication of Named Entities) to bind certificates to DNS names using Domain Name System Security Extensions (DNSSEC). They can also use MTA-STS on its own. However, either approach leaves a gap when remote servers can't connect for whatever reason, because the receiving domain never learns about the failure.

With TLS-RPT, Gmail can fill the gap, and enable diagnostic reporting to support monitoring and troubleshooting of connectivity issues.

While Google has become the first major email provider to roll out MTA-STS and TLS Reporting, others are expected to follow, with Microsoft, Comcast, and Yahoo! being expected to come next.

The three are also working with Google to standardize the two SMTP security extensions at the Internet Engineering Task Force (IETF) - the organization that approves internet standards.