Tutanota launches MTA-STS support for custom domains with Let's Encrypt.

Launching MTA-STS for custom domains underlines Tutanota's focus on privacy, security and ease-of-use.

We are excited to let you know that with our latest release we have implemented MTA-STS support for custom domains by joining forces with Let's Encrypt. While today almost all email providers support this important security extension for their main domain, it is still very hard to get for people using their own domain to send and receive mails. This must change as MTA-STS brings much greater security to all email users.


MTA-STS for custom domains

With this update custom domain owners only have to update two DNS entries with their domain provider. Then Tutanota and Let’s Encrypt will manage and update the TLS certificates automatically, including MTA-STS. This easy process for activating this important security feature is unmatched by any other provider.

To date only Google Mail also offers MTA-STS support for its custom domain users, but the process to activate support is much more complicated as Google does not manage the certificates for its users. Yet, without this automatic updating, adding MTA-STS is much too complex for most domain owners. By automating this process, Tutanota enables all its custom domain users to easily switch on MTA-STS.

Mission to encrypt the web

Our mission and the mission of Let’s Encrypt is to make the internet more secure step by step. Let’s Encrypt has made TLS handling so much easier for us and our custom domain users that we considered it very important to invest time in adding MTA-STS support for custom domains as well. At Tutanota security and privacy always comes first.

Why we need MTA-STS

MTA-STS (Mail Transfer Agent Strict Transport Security) is a new standard that improves the security of SMTP by enabling domain names to opt into strict transport layer security mode that requires authentication (valid public certificates) and encryption (TLS), thus, preventing targeted downgrade attacks and DNS spoofing attacks.

In easier words, MTA-STS is to email what strict HTTPS is to a website: It enforces TLS encryption whenever TLS encryption is possible.

In Tutanota this is particularly important for emails to other mail servers. All emails between Tutanota users are end-to-end encrypted and, thus, always fully secured. Emails to other mail servers must be protected with transport layer encryption (TLS). With MTA-STS enabled only emails to mail servers that do not support STARTTLS (which today are only very few) will be sent using an unencrypted connection.

Man-In-The-Middle (MITM) attacks prevented by MTA-STS

MTA-STS stops several attack vectors for emails sent via SMTP making sure that the emails are only sent via an encrypted TLS connection between corresponding mail servers.

DNS spoofing attack

An attacker could inject a malicious DNS response tricking the sending mail server to deliver the email to another mail server controlled by the attacker who can then send the mail to the recipient’s mail server without them noticing that someone has interfered.

Downgrade attack

Without MTA-STS, the STARTTLS negotiation could be disrupted to trick the sending mail server so that is sends the email without TLS encryption. With MTA-STS the mail servers enforce TLS encryption.

Both attacks enable the attacker to read and manipulate the email while in transmission. Both attacks are no longer possible when MTA-STS is activated.

Focus on security

Launching MTA-STS for custom domains underlines Tutanota’s focus on privacy, security and ease-of-use. Together we will encrypt the entire web!