Masters of MTA-STS

Gmail has begun supporting the MTA-STS standard, an encryption and authentication technology designed to defend against forms of man-in-the-middle (MitM) attacks that trouble earlier mail delivery technologies.

Google said it’s the first major email provider to follow the new SMTP MTA Strict Transport Security (MTA-STS) and SMTP TLS Reporting internet standards, adding that it hopes its lead will encourage other providers to follow suit.

MTA-STS is not a replacement for the decades-old but still universal Simple Mail Transfer Protocol (SMTP); it is a policy layer on top of it. A receiving domain publishes a policy stating that its mail servers support TLS, and a sending server that honours the policy will no longer fall back to plaintext or accept an unverified certificate when the policy says enforce.

“SMTP alone only provides best-effort security with opportunistic encryption, and many SMTP servers do not prevent certain types of malicious attacks intercepting email traffic in transit,” Google said in a blog post explaining its switch.

“SMTP is therefore vulnerable to man-in-the-middle attacks. Man-in-the-middle is an attack where communication between two servers is intercepted and possibly changed without detection,” it adds.

MitM attacks have been growing in prevalence – as catalogued by Google, Stanford assistant professor Zakir Durumeric, and others – hence the push towards more secure alternatives.

MTA-STS and SMTP TLS Reporting (TLSRPT) are the fruits of around three years of collaboration between Google and other email providers within the Internet Engineering Task Force, which published the two standards as RFC 8461 and RFC 8460 in September 2018.

The technology offers a means to ensure “nation states and telcos can’t strip encryption off of email”, according to Mark Risher, a director of product management at Google.

Gmail launched MTA-STS adherence with a beta program that began on Wednesday (April 10). The move means Gmail will “honor MTA-STS and TLS reporting policies configured when sending emails to domains that have defined these policies”.

Email domain administrators configure MTA-STS and TLS reporting for incoming mail with three pieces: a DNS TXT record at _mta-sts.[domain] carrying a policy id that must change whenever the policy changes; a policy file served over HTTPS at https://mta-sts.[domain]/.well-known/mta-sts.txt listing the permitted MX hosts, a mode (testing, enforce or none) and a max_age in seconds; and a second TXT record at _smtp._tls.[domain] naming the address that should receive TLS failure reports, as explained on Google’s support pages.

Enforcing the policy (mode: enforce) means that a sending mail server that honours MTA-STS must verify that its SMTP connection to the receiving domain’s MX host is encrypted with TLS 1.2 or higher and authenticated with a valid, publicly trusted certificate that matches an MX host named in the policy. If that check fails, it must not deliver the message over the insecure connection and should send a TLS failure report instead. Administrators are advised to publish the policy in testing mode first, which reports failures without blocking mail, and switch to enforce only once the reports show no legitimate delivery problems.
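The following is an added example, not code from the original article, from Google or from any mail server. It shows what the records and policy described above look like and how a sending MTA would evaluate them under RFC 8461: parse the _mta-sts TXT record, the TLSRPT TXT record and the policy file, validate the policy, match the MX host against the policy's mx entries (including the single-label wildcard form), and decide whether delivery may proceed. The domain example.com, the record contents and the connection details are all constructed for illustration.

```python
"""Constructed MTA-STS policy parsing and enforcement walkthrough (example code,
not Google's or any MTA's implementation). Records below are made up."""

# Constructed records for the hypothetical domain example.com.
STS_TXT_RECORD = "v=STSv1; id=20190410T120000Z"                      # _mta-sts.example.com TXT
TLSRPT_TXT_RECORD = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"  # _smtp._tls.example.com TXT
POLICY_FILE = """version: STSv1
mode: enforce
mx: mx1.example.com
mx: *.backup.example.com
max_age: 604800
"""  # body served at https://mta-sts.example.com/.well-known/mta-sts.txt

MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age must not exceed one year, in seconds


def parse_txt(record: str) -> dict:
    """Parse a semicolon-separated key=value TXT record (STS or TLSRPT form)."""
    out = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            out[key.strip()] = value.strip()
    return out


def parse_policy(text: str) -> dict:
    """Parse the mta-sts.txt body; 'mx' may repeat, other keys are single-valued."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def validate_policy(policy: dict) -> list:
    """Return a list of problems; an empty list means the policy is usable."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    try:
        if not 0 <= int(policy.get("max_age", "")) <= MAX_AGE_LIMIT:
            problems.append("max_age out of range")
    except ValueError:
        problems.append("max_age must be an integer number of seconds")
    if policy.get("mode") != "none" and not policy["mx"]:
        problems.append("at least one mx entry is required")
    return problems


def mx_matches(policy_mx: list, host: str) -> bool:
    """Exact match, or a leading '*' wildcard that covers exactly one label (RFC 6125 style)."""
    host = host.lower().rstrip(".")
    for pattern in policy_mx:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".backup.example.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif pattern == host:
            return True
    return False


def delivery_decision(policy: dict, mx_host: str, tls_version: str, cert_valid_for_host: bool):
    """Decide whether a sending MTA may deliver to mx_host under this policy.

    tls_version and cert_valid_for_host stand in for what the real TLS handshake
    and certificate validation would yield; they are inputs here, not computed."""
    failures = []
    if not mx_matches(policy["mx"], mx_host):
        failures.append("mx-host-mismatch")
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        failures.append("tls-version-too-low")
    if not cert_valid_for_host:
        failures.append("certificate-not-valid")
    if not failures:
        return ("deliver", [])
    if policy["mode"] == "enforce":
        return ("refuse", failures)  # must not deliver; failure goes into the TLSRPT report
    return ("deliver", failures)     # testing or none: deliver anyway, but still report


if __name__ == "__main__":
    policy = parse_policy(POLICY_FILE)
    print("STS record:", parse_txt(STS_TXT_RECORD))
    print("TLSRPT record:", parse_txt(TLSRPT_TXT_RECORD))
    print("policy problems:", validate_policy(policy))
    print(delivery_decision(policy, "mx1.example.com", "TLSv1.3", True))
    print(delivery_decision(policy, "mx1.example.com", "TLSv1.0", True))
```

The failure labels returned by delivery_decision are the part that feeds a TLSRPT report: in testing mode the message is still delivered and only the failure is recorded, which is why the mode is useful for finding misconfigured MX hosts before switching to enforce.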