Gmail making email more secure with MTA-STS standard
Wednesday, April 10, 2019
Gmail will start enforcing this standard in beta, which you can read more about on the Google Security blog. For G Suite admins:
- Security health within the security center for G Suite will start including recommendations about MTA-STS policies for your domain.
- G Suite admins can choose to set up MTA-STS policies and reporting for incoming mail in their DNS server. While admins could do this previously, it will become more impactful now that Gmail is enforcing the MTA-STS policies.
Use our Help Center to learn more about how to use the MTA-STS standard.
- Admins: Use our Help Center to define MTA-STS policies for your domain.
- End users: No action required.
G Suite admins can choose to set up a policy for incoming mail with their DNS server. See the Help Center for details and instructions on how to set up an MTA-STS policy for your domain.
Possible email bouncebacks
While we don’t anticipate a significant increase in bouncebacks, there are two aspects of the new standard which could result in bouncebacks:
- TLS enforcement with certificate validation will prevent bad actors from intercepting emails in transit, just as HTTPS does for web traffic. If a bad actor tries to intercept the email, then because Gmail enforces MTA-STS, the email will now bounce back, preventing the interception.
- As Gmail will honor policies set by servers you are sending mail to, there’s a possibility that they have misconfigured their policies or their servers, and that we will not deliver emails as a result. In this case, users will get an email bounceback with details.
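A misconfigured policy of the kind described above can be caught before senders start enforcing it. The following is an added example, not Google's code. It assumes the policy file format defined in RFC 8461, and the function names, the sample policy and the MX host names are constructed for illustration.

```python
MAX_AGE_LIMIT = 31557600  # upper bound for max_age in RFC 8461, in seconds

# Constructed sample: a policy file body and the MX hosts the domain publishes.
SAMPLE_POLICY = (
    "version: STSv1\r\nmode: enforce\r\n"
    "mx: mail.example.com\r\nmx: *.mx.example.com\r\nmax_age: 604800\r\n"
)
SAMPLE_MX = ["mail.example.com", "a.mx.example.com", "backup.example.net"]

def parse_policy(text):
    """Parse key/value lines; mx may repeat, other keys keep their first value."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:
            continue  # blank or malformed line: ignored in this sketch
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy.setdefault(key, value)
    return policy

def mx_allowed(host, patterns):
    """True if host matches an mx pattern; a leading '*.' covers exactly one label."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            label, _, rest = host.partition(".")
            if label and rest == pat[2:]:
                return True
        elif host == pat:
            return True
    return False

def audit(policy_text, mx_hosts):
    """Return findings that would lead an enforcing sender to refuse delivery."""
    p = parse_policy(policy_text)
    mode, age = p.get("mode"), p.get("max_age", "")
    age_ok = age.isascii() and age.isdigit() and int(age) <= MAX_AGE_LIMIT
    checks = [
        (p.get("version") == "STSv1", "version must be STSv1"),
        (mode in ("enforce", "testing", "none"), f"invalid mode: {mode!r}"),
        (age_ok, f"invalid max_age: {age!r}"),
    ]
    findings = [msg for ok, msg in checks if not ok]
    if mode != "none":  # mx patterns only matter when the policy is applied
        if not p["mx"]:
            findings.append("no mx patterns listed")
        findings += [f"MX {h} not covered by policy"
                     for h in mx_hosts if not mx_allowed(h, p["mx"])]
    return findings
```

Running `audit(SAMPLE_POLICY, SAMPLE_MX)` flags the backup MX host that the policy does not list, which is the mismatch that produces bouncebacks once the mode is `enforce`.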
New security center MTA-STS recommendations for your domain
If you go to the security health section of the security center for G Suite (Admin Console > Security > Security Health, available to G Suite Enterprise and Enterprise for Education domains only) you’ll see a new “MTA-STS” suggestion. It will tell you whether you have a policy set up and highlight misconfigurations in policies.
- Rapid Release domains: Full rollout (1–3 days for feature visibility) starting on April 10, 2019
- Scheduled Release domains: Full rollout (1–3 days for feature visibility) starting on April 10, 2019
G Suite editions
- All G Suite customers can define MTA-STS policies.
- MTA-STS policy suggestions in the security center are available to G Suite Enterprise and G Suite Enterprise for Education customers only.
On/off by default?
- MTA-STS policies for your domain will be OFF by default and can be enabled at the domain level.
- MTA-STS policy suggestions in the security center will be ON by default.