
Privacy Checks for Email Configuration in Hexiosec ASM | January 2026

Geoff Norton
13 January 2026
5 min read

Introduction

We’ve added a new layer of insight to your Hexiosec ASM scans: MTA-STS validation. This protocol helps secure email delivery by enforcing TLS, reducing the risk of downgrade attacks. It’s an important part of having a strong email security posture, and in this post we’ll explain why it matters.

When you run a scan of a domain, Hexiosec ASM already has a Mail Configuration check that ensures that anti-spoofing measures are configured correctly. We check for:

  • SPF: Lets domain owners specify which mail servers are allowed to send email on their behalf, helping to block spoofed senders.

  • DKIM: Adds a cryptographic signature to outgoing emails so receivers can verify the message wasn’t altered and genuinely came from the claimed domain.

  • DMARC: Builds on SPF and DKIM; tells receiving mail servers how to handle messages that fail authentication and provides reporting to domain owners.

For more detailed information on these, you can read our Email Security Basics - Ensuring Deliverability blog.

We have now added another check to Mail Configuration for the privacy of your emails. This check is for MTA-STS (Mail Transfer Agent - Strict Transport Security).

  • MTA-STS: Lets domain owners enforce TLS encryption for incoming email and protect against downgrade attacks.

When someone sends an email to your domain, the sending mail server will attempt to establish a secure (TLS) connection with your receiving mail server; if that is unsuccessful, it may fall back to sending the message in plain text. MTA-STS helps protect incoming mail by letting your domain publish a policy that tells sending servers to deliver only over a verified TLS connection, rather than falling back to plain text.

To understand more details about this, and importantly, how to configure it for your domain if you haven’t already, you can read our Improving Email Security Even Further with MTA-STS blog.
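The two pieces that such a check validates, as an added example that is not Hexiosec's own code: the `_mta-sts` DNS TXT record and the policy file defined in RFC 8461. The samples are constructed example.com placeholders, and the validator reports the misconfigurations a defender would want flagged, such as a policy still in testing mode or an MX host the policy does not cover.

```python
# Added example, not Hexiosec's code: an offline RFC 8461 MTA-STS validator.
# A live check would fetch the TXT record at _mta-sts.<domain> over DNS and
# the policy at https://mta-sts.<domain>/.well-known/mta-sts.txt over HTTPS.

def parse_sts_txt(txt):
    """'v=STSv1; id=...' -> {'v': 'STSv1', 'id': '...'}."""
    return dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)

def parse_policy(text):
    """Policy file 'key: value' lines -> dict; repeated 'mx' lines become a list."""
    policy = {"mx": []}
    for key, value in (map(str.strip, l.split(":", 1)) for l in text.splitlines() if ":" in l):
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy

def mx_matches(pattern, host):
    """RFC 8461 mx matching: exact host, or '*.example.com' matching one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def validate_mta_sts(txt, policy_text, mx_hosts):
    """Return findings a defender should fix; an empty list means enforce mode is live."""
    findings, rec, pol = [], parse_sts_txt(txt), parse_policy(policy_text)
    if rec.get("v") != "STSv1":
        findings.append("TXT record missing or not v=STSv1")
    if pol.get("version") != "STSv1":
        findings.append("policy version missing or not STSv1")
    mode = pol.get("mode")
    if mode not in ("enforce", "testing", "none"):
        findings.append("policy mode missing or invalid")
    elif mode != "enforce":
        findings.append(f"mode is '{mode}': senders may still fall back to plain text")
    # RFC 8461 caps max_age at 31557600 seconds (about one year)
    if not pol.get("max_age", "").isdigit() or not 0 < int(pol["max_age"]) <= 31557600:
        findings.append("max_age missing or outside 1..31557600 seconds")
    for host in mx_hosts:
        if not any(mx_matches(pat, host) for pat in pol["mx"]):
            findings.append(f"MX host {host} is not covered by any policy mx entry")
    return findings

# Constructed sample records (example.com placeholders, not real DNS data).
GOOD_TXT = "v=STSv1; id=20260113T000000Z"
GOOD_POLICY = "version: STSv1\nmode: enforce\nmx: mx1.example.com\nmx: *.backup.example.com\nmax_age: 604800\n"
WEAK_POLICY = "version: STSv1\nmode: testing\nmx: mx1.example.com\nmax_age: 86400\n"
MX_HOSTS = ["mx1.example.com", "mx2.backup.example.com"]
```

Run `validate_mta_sts(GOOD_TXT, WEAK_POLICY, MX_HOSTS)` to see the testing-mode and uncovered-MX findings that a Mail Configuration check would surface.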

Why is email privacy important?

Imagine a scenario where an attacker intercepts an email from a supplier containing an invoice and alters the payment details by changing the account number that the invoice is going to be paid into. Without the privacy ensured by MTA-STS, if any server in the delivery chain falls back to plain text, attackers have an opportunity to eavesdrop or modify the message.

According to the FBI, business email compromise (BEC) led to over $2.7 billion in losses in 2022 alone. MTA-STS helps prevent these attacks by enforcing encrypted delivery, making it much harder for attackers to intercept or tamper with emails in transit.

What will change in my scan?

On your scan's Overview page, the checks widget now shows an MTA-STS configuration check under Mail Configuration.

Screenshot of MTA-STS check in ASM

As with all our checks, findings are grouped into Actions, which bring together risks that share the same resolution and the same domain. Each risk includes a clear description and, most importantly, a remediation step to guide you in fixing the issue.

If MTA-STS is not configured correctly, the risk is considered medium severity. Why medium? The risk is real, but exploiting it generally requires an attacker who controls a network on the delivery path or is otherwise sophisticated. Most mail servers already support TLS, so many emails are still encrypted in transit even without MTA-STS. However, MTA-STS makes that encryption mandatory rather than opportunistic, protecting against downgrade and interception attacks.

Why have we added MTA-STS checks to Hexiosec ASM?

MTA-STS is the most recent major addition to the email security ecosystem. It builds on earlier controls such as SPF, DKIM, and DMARC by addressing a different risk: enforcing encrypted transport for email delivery.

As adoption of MTA-STS continues to increase, we’ve added dedicated checks to Hexiosec ASM to ensure customers have visibility of their full email security posture in one place - from authentication and anti-spoofing through to transport-level protection.

With the retirement of the NCSC’s Mail Check service, organisations need an alternative way to monitor MTA-STS configuration over time. Hexiosec ASM now provides that coverage as part of its wider attack surface and configuration monitoring.

What version of TLS will be enforced?

For MTA-STS to consider a connection secure, the TLS version must be 1.2 or higher. This ensures that only strong encryption is used for email delivery, protecting against downgrade attacks and weak ciphers.

So is my email secure?

Email is over 30 years old and, ubiquitous as it is, was never built with security in mind. Security protocols like SPF, DKIM, DMARC, and MTA-STS have been retrospectively added to improve protection. However, even with all these configured, your email still isn’t end-to-end encrypted. In other words, you’re ultimately relying on every mail server handling your message to stay secure.

This is a challenge Hexiosec is aware of, which is why we offer our own secure data sharing tool Hexiosec Transfer with true end-to-end encryption - recommended whenever truly secure communication is required.

Take Action: Secure Your Email Today

It’s hard to think of an organisation that doesn’t rely on email for its core business functions. Whether it’s providing customers with product updates or handling day-to-day administration, email remains essential. While there are risks associated with email, these can be significantly reduced by ensuring your email configuration is set up correctly.

If you haven’t already, create a Hexiosec ASM account and run a scan to check your MTA-STS configuration. Don’t leave your communications vulnerable - take the next step towards safer email delivery today.


About Geoff Norton
Geoff is an engineer with over 15 years of experience across infrastructure, software and systems. His background in both support and development fuels a drive to deliver high-quality solutions tailored to customer needs.
