https://petemahon.net/tags/tls/Recent content in TLS on PeteMahon.netHugoen<a href="https://creativecommons.org/licenses/by-nc/4.0/" target="_blank" rel="noopener">CC BY-NC 4.0</a>Fri, 15 May 2026 11:00:00 +0400https://petemahon.net/posts/2026/05/youve-done-dmarc.-you-havent-done-email-security.-an-mta-sts-walkthrough./Fri, 15 May 2026 11:00:00 +0400https://petemahon.net/posts/2026/05/youve-done-dmarc.-you-havent-done-email-security.-an-mta-sts-walkthrough./<h2 id="the-gap">The gap</h2> <p>Most domains have SPF, DKIM and DMARC sorted. If yours does, that&rsquo;s good work. It also has nothing to do with whether the email arriving at your domain is actually encrypted in transit.</p> <p>SPF, DKIM and DMARC are <em>outbound</em> authentication. They prove to receiving servers that mail claiming to be from your domain is legitimate. They protect your sending reputation.</p> <p>MTA-STS is <em>inbound</em> transport security. It enforces that mail sent <em>to</em> your domain is encrypted, refuses delivery if it can&rsquo;t be, and pins which MX hosts are allowed to receive it. Different problem, different protocol, and as of the date of posting this, almost completely missing.</p>