About MTA-STS and TLS reporting
From: https://support.google.com/a/answer/9261504?sjid=16475661690433716483
Increase email security with MTA-STS and TLS reporting
Next: 1. Check your MTA-STS configuration
Increase Gmail security by turning on MTA Strict Transport Security (MTA-STS) for your domain. MTA-STS improves security by requiring external servers that deliver mail to your domain to connect over TLS and to validate your mail server's certificate, instead of the unauthenticated, opportunistic encryption SMTP uses by default. Use Transport Layer Security (TLS) reporting (TLS-RPT) to get daily reports from external servers about whether their connections to your domain succeeded.
Like all mail providers, Gmail uses Simple Mail Transfer Protocol (SMTP) to send and receive messages. SMTP alone provides no security: connections are plaintext unless both servers opt into STARTTLS, and even then the sending server usually accepts any certificate and falls back to plaintext if the STARTTLS offer is missing. Many SMTP servers add no protection against these weaknesses.
For example, SMTP is vulnerable to man-in-the-middle attacks, in which an attacker positioned between two servers intercepts the connection and can read or change messages without detection. Against SMTP, the attacker can strip the STARTTLS offer so the connection downgrades to plaintext, or answer the unauthenticated DNS MX lookup with a mail server they control. MTA-STS lets you publish a policy that tells sending servers to refuse both outcomes: require TLS, validate the certificate, and deliver only to the MX hosts you list.
Learn more about MTA-STS (RFC 8461) and TLS Reporting (RFC 8460).
MTA-STS email security
SMTP connections for email are more secure when the sending server supports MTA-STS and the receiving server has an MTA-STS policy in enforced mode. A policy in testing mode only asks senders to report failures; it does not change how they deliver mail.
Receiving mail:
When you turn on MTA-STS for your domain, you request external mail servers to send messages to your domain only when the SMTP connection is both:
- Authenticated with a valid public certificate, issued by a publicly trusted certificate authority and matching the MX hostname, which in turn must match an mx entry in your policy
- Encrypted with TLS 1.2 or higher
Mail servers that support MTA-STS, when your policy is in enforce mode, deliver messages to your domain only over connections that pass both checks. If a connection fails a check, they queue the message and retry later rather than fall back to an unencrypted or unauthenticated connection. Servers that don't support MTA-STS ignore the policy, so it protects only mail from MTA-STS-aware senders.
Sending mail:
Gmail messages from your domain comply with MTA-STS when sent to external servers with an MTA-STS policy in enforced mode.
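The decision a sending server makes against an enforce-mode policy, as an added example (not Google's code or the page's own): it parses the DNS TXT record and the policy file in the RFC 8461 format, matches the MX hostname against the policy's mx entries (including the single-label wildcard rule), and then decides whether delivery is allowed for a given connection outcome. The TXT record, policy file and domain example.com are constructed samples; a real sender fetches them from _mta-sts.example.com and https://mta-sts.example.com/.well-known/mta-sts.txt over validated HTTPS.

```python
"""Evaluate an MTA-STS policy (RFC 8461) from the sending server's side.
Added example; the TXT record and policy below are constructed samples for
the hypothetical domain example.com, not real DNS data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the _mta-sts.example.com TXT record. The id changes
# whenever the policy file changes, which tells senders to refetch it.
SAMPLE_TXT_RECORD = "v=STSv1; id=20240115T120000;"

# Constructed sample: the policy file served at
# https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mx1.example.com
mx: *.mail.example.net
max_age: 604800
"""


@dataclass
class Policy:
    mode: str        # enforce | testing | none
    mx: List[str]    # allowed MX hostnames, lower-cased, may start with "*."
    max_age: int     # seconds a sender may cache this policy


def parse_txt_record(record: str) -> dict:
    """Parse 'v=STSv1; id=...;' into a dict; raise if it is not an STS record."""
    fields = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid MTA-STS TXT record")
    return fields


def parse_policy(text: str) -> Policy:
    """Parse the 'key: value' policy file. Unknown keys are ignored (RFC 8461
    section 3.2); a missing or bad version, mode, max_age or mx is an error."""
    version = mode = max_age = None
    mx: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "mx":
            mx.append(value.lower().rstrip("."))
        elif key == "max_age":
            max_age = int(value)
    if version != "STSv1" or mode not in ("enforce", "testing", "none"):
        raise ValueError("invalid or missing version/mode")
    if max_age is None or (mode != "none" and not mx):
        raise ValueError("missing max_age or mx entries")
    return Policy(mode, mx, max_age)


def mx_matches(policy: Policy, mx_host: str) -> bool:
    """True if mx_host is covered by an mx entry. A leading '*.' matches exactly
    one label (RFC 8461 section 4.1): *.mail.example.net covers a.mail.example.net
    but not b.a.mail.example.net, and not mail.example.net itself."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy.mx:
        if pattern.startswith("*."):
            suffix = pattern[1:]                                  # ".mail.example.net"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False


def may_deliver(policy: Policy, mx_host: str, tls_version: Optional[str],
                cert_valid: bool) -> Tuple[bool, str]:
    """Decide whether an MTA-STS-aware sender may deliver over this connection.
    tls_version is None when the receiver offered no STARTTLS; cert_valid means
    the certificate chains to a public CA and matches mx_host. Reason strings
    reuse RFC 8460 result-type names where one exists. In enforce mode any
    failure refuses delivery (the sender queues and retries); in testing mode
    the failure is only reported and mail is delivered anyway."""
    if tls_version is None:
        failure = "starttls-not-supported"
    elif tls_version not in ("TLSv1.2", "TLSv1.3"):
        failure = "tls-version-too-old"
    elif not cert_valid:
        failure = "certificate-not-trusted"
    elif not mx_matches(policy, mx_host):
        failure = "validation-failure:mx-mismatch"
    else:
        return True, "ok"
    if policy.mode == "enforce":
        return False, failure
    return True, f"{failure} (delivered anyway: mode={policy.mode})"
```

The same policy parsed with mode: testing returns True for every case, which is why a testing-mode policy is safe to publish first: the TLS reports show what would have been refused, and the mode is switched to enforce only once those failures are fixed.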
TLS reporting
When you turn on TLS reporting, you publish a DNS TXT record that requests daily reports from external mail servers that connect to your domain. The reports, in the JSON format defined by RFC 8460, count the successful and failed TLS sessions and describe any connection problems the external servers found when sending mail to your domain, such as an expired certificate, a missing STARTTLS offer, or a policy they couldn't fetch. Use report data to identify and fix security issues with your mail server before they cause mail to be refused in enforce mode.
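What a daily TLS report contains and how to read one, as an added example (not Google's code or the page's own): the block below parses the _smtp._tls TXT record that names the report destination, decodes the gzipped JSON attachment, and summarises each policy domain's session counts, failure rate and failure causes. The TXT record, the report and the domain example.com are constructed samples; the JSON field names follow RFC 8460. The one derived figure a practitioner cares about is refused_sessions: under an enforce-mode policy every failed session means the sender did not deliver, whereas under testing mode the mail was delivered anyway.

```python
"""Summarise an SMTP TLS report (RFC 8460), the JSON document a reporting MTA
emails once a day to the rua= address in a domain's _smtp._tls TXT record.
Added example; the TXT record and report below are constructed samples for the
hypothetical domain example.com, not real report data."""
import gzip
import json
from collections import defaultdict
from typing import Dict, List

# Constructed sample: the _smtp._tls.example.com TXT record
SAMPLE_TLSRPT_RECORD = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"

# Constructed sample report; real ones arrive as gzipped JSON attachments
SAMPLE_REPORT = {
    "organization-name": "Example Sender Inc.",
    "date-range": {"start-datetime": "2024-01-15T00:00:00Z",
                   "end-datetime": "2024-01-15T23:59:59Z"},
    "contact-info": "smtp-tls-reporting@sender.example",
    "report-id": "2024-01-15T00:00:00Z_example.com",
    "policies": [{
        "policy": {
            "policy-type": "sts",
            "policy-string": ["version: STSv1", "mode: enforce",
                              "mx: mx1.example.com", "max_age: 604800"],
            "policy-domain": "example.com",
            "mx-host": ["mx1.example.com"],
        },
        "summary": {"total-successful-session-count": 5230,
                    "total-failure-session-count": 12},
        "failure-details": [
            {"result-type": "certificate-expired",
             "sending-mta-ip": "198.51.100.7",
             "receiving-mx-hostname": "mx1.example.com",
             "receiving-ip": "203.0.113.10",
             "failed-session-count": 9},
            {"result-type": "starttls-not-supported",
             "sending-mta-ip": "198.51.100.8",
             "receiving-mx-hostname": "mx1.example.com",
             "receiving-ip": "203.0.113.11",
             "failed-session-count": 3},
        ],
    }],
}


def parse_tlsrpt_record(record: str) -> List[str]:
    """Return the report destinations (rua=) from a TLSRPTv1 TXT record."""
    fields = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "TLSRPTv1" or not fields.get("rua"):
        raise ValueError("not a valid TLSRPT record")
    return [uri.strip() for uri in fields["rua"].split(",")]


def load_report(data: bytes) -> dict:
    """Decode a report attachment; accepts gzipped (magic 1f 8b) or plain JSON."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return json.loads(data)


def policy_mode(policy: dict) -> str:
    """Mode from an sts policy-string ('enforce', 'testing', 'none'), or the
    policy-type itself for tlsa / no-policy-found entries."""
    if policy.get("policy-type") != "sts":
        return policy.get("policy-type", "unknown")
    for line in policy.get("policy-string", []):
        key, _, value = line.partition(":")
        if key.strip() == "mode":
            return value.strip()
    return "unknown"


def summarise(report: dict) -> Dict[str, dict]:
    """Per policy-domain: session counts, failure rate, failures grouped by
    result-type and receiving MX, and the sessions that carried no mail because
    the sender refused delivery under an enforce-mode policy."""
    out: Dict[str, dict] = {}
    for entry in report["policies"]:
        pol, summary = entry["policy"], entry["summary"]
        ok = summary["total-successful-session-count"]
        failed = summary["total-failure-session-count"]
        by_cause: Dict[str, int] = defaultdict(int)
        for f in entry.get("failure-details", []):
            key = f"{f['result-type']}@{f.get('receiving-mx-hostname', '?')}"
            by_cause[key] += f["failed-session-count"]
        mode = policy_mode(pol)
        out[pol["policy-domain"]] = {
            "reporter": report["organization-name"],
            "mode": mode,
            "successful": ok,
            "failed": failed,
            "failure_rate": failed / (ok + failed) if ok + failed else 0.0,
            # enforce: a failed session is a refused delivery (sender retries);
            # testing: the failure was reported but the mail was delivered.
            "refused_sessions": failed if mode == "enforce" else 0,
            "failures": dict(by_cause),
        }
    return out
```

In the constructed report the 9 certificate-expired sessions point at a certificate on mx1.example.com that needs renewing, and the 3 starttls-not-supported sessions from a different receiving IP usually mean one host behind the MX name has TLS disabled or was in the path of a downgrade; both are things to fix while the policy is still in testing mode.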
Other Gmail security features
Best practices for email authentication
We recommend you always set up these email authentication methods for your
domain. They authenticate who sent a message, while MTA-STS and TLS reporting secure the connection it travels over, so you need both:
- SPF lets receiving servers verify that messages that appear to come from your domain were sent from servers the domain owner has authorized in DNS.
- DKIM adds a digital signature to every message. This lets receiving servers verify that the message came from your domain and wasn't changed in transit.
- DMARC tells receiving servers how to handle messages that fail SPF or DKIM alignment checks, and lets admins get reports about message authentication and delivery.
For detailed steps, go to Help prevent spoofing, phishing, and spam.
Steps to set up MTA-STS and TLS reporting
- Check the MTA-STS configuration for your domain.
- Create an MTA-STS policy.
- Publish the MTA-STS policy.
- Add DNS TXT records to turn on MTA-STS and TLS reporting.