Both are extensions to the Simple Mail Transfer Protocol (SMTP), the protocol through which all emails are sent today.
The purpose of MTA-STS and TLS Reporting is to help email providers establish cryptographically secure connections between each other, with the main goal of thwarting SMTP man-in-the-middle attacks.
SMTP man-in-the-middle attacks are a major problem for today’s email landscape, where rogue email server operators can intercept, read, and modify the contents of people’s emails.
The two new standards will prevent this by allowing legitimate email providers to create a secure channel for exchanging emails.
What’s MTA-STS and TLS Reporting?
SMTP MTA Strict Transport Security (MTA-STS) works by allowing email server admins to set up an MTA-STS policy on their server.
This policy allows a legitimate provider to request that external email servers verify the security of an SMTP connection before sending any emails.
Minimum requirements, such as forcing external email servers to authenticate with a valid public certificate and to use TLS 1.2 or higher, can be enforced, depending on preferences, ensuring that emails sent to a company’s server travel through an obligatory and properly encrypted channel, or they don’t arrive at all.
In addition, the TLS Reporting SMTP extension sets up a reporting mechanism through which a legitimate email server can request daily reports from other email servers about the success or failure of emails that have been sent to the legitimate server’s domain.
Both, when combined, will either prevent or help email server admins identify SMTP man-in-the-middle attacks against their email traffic.
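To make the mechanism described above concrete, here is an added example (not code from the article, Google, or any mail server) showing how a sending server interprets the MTA-STS and TLS Reporting records. The DNS TXT records and policy file for example.com are constructed inline; nothing is fetched over the network.

```python
"""Parse an MTA-STS policy and decide whether mail may be handed to an MX host.
All records below are constructed sample values for this example."""
import re

# Constructed: what a sender would find in the _mta-sts.example.com TXT record,
# in the HTTPS-served policy file, and in the _smtp._tls.example.com TXT record.
STS_TXT = "v=STSv1; id=20240101T000000;"
POLICY_TXT = ("version: STSv1\nmode: enforce\nmx: mail.example.com\n"
              "mx: *.backup-mx.example.net\nmax_age: 604800\n")
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"

def parse_kv_record(record):
    """Parse a semicolon-separated 'key=value' TXT record (STS or TLSRPT)."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            out[key.strip()] = val.strip()
    return out

def parse_policy(text):
    """Parse the policy file; every 'mx:' line is collected into a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, val = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(val.lower())
        else:
            policy[key] = val
    return policy

def mx_matches(mx_host, pattern):
    """Exact match, or a '*.' wildcard covering exactly one leading label."""
    mx_host, pattern = mx_host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return re.fullmatch(r"[^.]+" + re.escape(pattern[1:]), mx_host) is not None
    return mx_host == pattern

def deliverable(policy, mx_host, tls_ok):
    """In 'enforce' mode an unlisted MX or a failed TLS check blocks delivery;
    in 'testing' mode the mail still goes and the failure is only reported."""
    listed = any(mx_matches(mx_host, p) for p in policy["mx"])
    if policy.get("mode") == "enforce":
        return listed and tls_ok
    return True
```

The `rua` address from the TLSRPT record is where the daily success/failure reports mentioned above would be sent, so a failed `deliverable` check in testing mode is what shows up there.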
Google, Microsoft, Yahoo worked on protocols for years
While Google was the first email provider to roll out MTA-STS and TLS Reporting today, others are expected to follow, with Microsoft, Comcast, and Yahoo in the driver’s seat, as all three worked with Google engineers to standardize the two SMTP security extensions at the Internet Engineering Task Force (IETF), the organization that approves internet standards.
For now, Gmail servers are the only ones supporting these two new standards, which will become truly effective when other email providers join in and create a mesh of properly-encrypted connections between all email servers worldwide.