Gmail making email more secure with MTA-STS standard

What’s changing

SMTP MTA Strict Transport Security (MTA-STS) is a new internet standard that improves email security by requiring authentication checks and good encryption for email in transit.

Gmail will start enforcing this standard in beta, which you can read more about on the Google Security blog. For G Suite admins:

  1. Security health within the security center for G Suite will start including recommendations about MTA-STS policies for your domain.
  2. G Suite admins can choose to set up MTA-STS policies and reporting for incoming mail in their DNS server. While admins could do this previously, it will become more impactful now that Gmail is enforcing the MTA-STS policies.

Use our Help Center to learn more about how to use the MTA-STS standard.

Who’s impacted

Admins only

Why you’d use it

MTA-STS is a new internet standard that will increase email security by acting as a deterrent against pervasive monitoring of email traffic and protecting against man-in-the-middle attacks. You can make your email communications more secure by setting MTA-STS policies and asking the organizations with which you communicate to also set MTA-STS policies for their mail servers.

How to get started

Additional details

Option to set up an MTA-STS policy
G Suite admins can choose to set up a policy for incoming mail with their DNS server. See the Help Center for details and instructions on how to set up an MTA-STS policy for your domain.

Possible email bouncebacks
While Google doesn’t anticipate a significant increase in bouncebacks, there are two aspects of the new standard that could result in bouncebacks:

  • TLS enforcement with certificate validation will prevent bad actors from intercepting emails in transit, just as HTTPS does for web traffic. If a bad actor tries to intercept an email, because Gmail enforces MTA-STS, the email will now bounce back, preventing the interception.
  • As Gmail will honor policies set by the servers you are sending mail to, there’s a possibility that they have misconfigured their policies or their servers, and that Google will not deliver emails as a result. In this case, users will get an email bounceback with details.

New security center MTA-STS recommendations for your domain
If you go to the security health section of the security center for G Suite (Admin Console > Security > Security Health, available to G Suite Enterprise and Enterprise for Education domains only), you’ll see a new “MTA-STS” suggestion. It will tell you whether you have a policy set up and highlight any misconfigurations in your policies.

Helpful links

Availability

Rollout details

G Suite editions

  • All G Suite customers can define MTA-STS policies.
  • MTA-STS policy suggestions in the security center are available to G Suite Enterprise and G Suite Enterprise for Education customers only.

On/off by default?

  • MTA-STS policies for your domain will be OFF by default and can be enabled at the domain level.
  • MTA-STS policy suggestions in the security center will be ON by default.