Authentication protects against forgery. But what about the content of your email while it's traveling from server to server? That's the domain of TLS — Transport Layer Security.
This Week’s Lesson
TLS is the encryption protocol that protects data in transit. In SMTP it is negotiated with the STARTTLS command, which upgrades an existing plaintext connection to an encrypted one. When both mail servers support it, the connection between them is encrypted, so an eavesdropper who intercepts the traffic can't read your messages.
Most modern mail servers support TLS opportunistically, meaning they'll upgrade to an encrypted connection if both sides offer it. If only one side supports TLS, or the STARTTLS offer is stripped or the handshake fails along the way, email falls back to unencrypted transfer. Opportunistic TLS therefore gives you encryption in the common case, but no guarantee.
MTA-STS (Mail Transfer Agent Strict Transport Security) takes this further. It's a DNS + policy file mechanism that tells servers sending mail to your domain: 'Only deliver to our mail servers over TLS with a valid certificate, and never fall back to unencrypted.' The policy also lists which MX hosts are legitimate, so an attacker can neither strip the encryption (a downgrade attack) nor redirect delivery to a substitute server.
TLS-RPT (TLS Reporting) is a companion standard: you publish a reporting address in DNS, and sending servers deliver daily aggregate reports of TLS connection failures to your domain. This is useful for debugging delivery issues with partners who can't establish encrypted connections, and for seeing the effect of an MTA-STS policy before you enforce it.
Another related standard is DANE (DNS-based Authentication of Named Entities). It publishes DNSSEC-signed TLSA records that pin specific TLS certificates or keys to your mail server, further hardening against attackers who might intercept the connection and substitute a fake certificate.
For most organizations, enabling STARTTLS and implementing MTA-STS provides strong protection. Check if MTA-STS is configured for your domain by visiting https://mta-sts.yourcompany.com/.well-known/mta-sts.txt (replacing yourcompany.com with your own domain).
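To make the policy-file side of MTA-STS concrete, here is an added Python example (not code from this lesson) that parses a constructed policy in the format served at /.well-known/mta-sts.txt, applies the one-label wildcard rule for MX hosts, and shows how the policy mode decides whether a failed TLS connection blocks delivery or is only reported via TLS-RPT. The sample policy and the example.com hostnames are constructed for illustration.

```python
# Constructed sample policy for illustration only (not a real domain's policy).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.com
max_age: 604800
"""

VALID_MODES = {"enforce", "testing", "none"}

def parse_policy(text: str) -> dict:
    """Parse 'key: value' lines; raise ValueError on what a sending MTA would refuse."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value  # unknown keys are kept and simply ignored
    if policy.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer of seconds")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("an enforce/testing policy needs at least one mx line")
    policy["max_age"] = int(policy["max_age"])
    return policy

def mx_allowed(policy: dict, hostname: str) -> bool:
    """Match an MX host against the policy; '*.' covers exactly one leading label."""
    host = hostname.lower().rstrip(".")
    parent = host.partition(".")[2]  # host minus its first label ('' if no dot)
    return any(p[2:] == parent if p.startswith("*.") else p == host for p in policy["mx"])

def delivery_decision(policy: dict, mx_host: str, tls_ok: bool) -> tuple:
    """(deliver, report): enforce refuses on failure, testing delivers but reports it."""
    if policy["mode"] == "none" or (tls_ok and mx_allowed(policy, mx_host)):
        return True, False
    return policy["mode"] == "testing", True
```

Running the policy in testing mode first and watching the TLS-RPT reports is the usual way to confirm all legitimate MX hosts are covered before switching to enforce.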