Google Announces Support for SMTP MTA and TLS Reporting on Gmail

By Bill Toulas / April 11, 2019

As Google announced on their blog, Gmail is about to become the first major email provider to support the SMTP MTA Strict Transport Security protocol, as well as the SMTP TLS Reporting standard. Google has been working closely with the IETF (Internet Engineering Task Force) organization during these past three years for the development of these standards, and the same was the case for other major email providers like Microsoft and Yahoo. As Gmail is the first and only provider to support the new standards, the advantages that derive from them will only apply for email exchanges between Gmail users. When more email providers support the protocols, inter-communication between different platforms will get equally secure.

The main point of the implementation of these new standards is to prevent the possibility and undermine the effectiveness of “man-in-the-middle” attacks. Malicious actors can set up and use scoundrel email servers which can intercept messages that are exchanged between email servers. The new standards will establish a cryptographic protection layer, so the connection is authenticated with a valid public certificate before it gets encrypted with TLS 1.2 or higher. TLS reporting allows for further insight on what happened with the sent messages, and even request daily reports. As message delivery failures are not only a matter of accidental misconfiguration but can also occur due to an ongoing attack or use of unauthenticated channels, this reporting feature is essential from a security standpoint.

Google has published a detailed step-by-step guide on how to set up an MTA-STS policy on the DNS server you are administering, how to set up a valid configuration, publish the policy changes, and create a special mailbox for the reception of the TLS reports. Once configured, any emails that are sent to the server on the receiving end will compulsorily pass through an authenticated and encrypted channel; otherwise, they will not arrive on the inbox at all. Now, the man-in-the-middle attacks will still be possible, but the actors will be capturing encrypted data, while the admins will be able to tell that something mischievous is going on immediately thanks to the reports.

Care to share your views on the above? Feel free to leave your comments in the dedicated section below, and don’t forget to check out our socials as well, on Facebook and Twitter.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: