Glossary
MTA-STS
SMTP MTA Strict Transport Security — a DNS policy that requires TLS for inbound mail to a domain.
SMTP MTA Strict Transport Security (MTA-STS) is a DNS-based mechanism that enforces TLS encryption for inbound email to a domain. A receiving domain publishes an MTA-STS policy at _mta-sts.yourdomain.com plus a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. Sending mail servers fetch the policy, verify the recipient domain's TLS certificates, and refuse to deliver mail in plaintext if the policy is enforced. This mitigates downgrade attacks in which an attacker tampers with SMTP traffic to force unencrypted delivery. Microsoft 365 supports MTA-STS for inbound mail to your accepted domains; TLS-RPT (TLS Reporting) provides reporting on TLS failures.
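
How a sending server applies a fetched policy, as an added example that is not part of the original glossary or any vendor's code. It uses the RFC 8461 field names; the function names, the constructed example.com/example.net hosts and the tls_valid flag (standing in for the sender's certificate validation) are assumptions.

```python
# Added illustration: all hosts, ids and policy text below are constructed.
SAMPLE_TXT = "v=STSv1; id=20240101T000000;"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.net
max_age: 604800
"""

def parse_txt_record(txt):
    """Parse the TXT record published at _mta-sts.<domain>."""
    fields = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not an MTA-STS record")
    return fields

def parse_policy(text):
    """Parse the key: value lines of .well-known/mta-sts.txt."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = (s.strip() for s in line.partition(":"))
        if sep and key == "mx":
            policy["mx"].append(value.lower())  # mx may repeat
        elif sep:
            policy[key] = value
    valid_mode = policy.get("mode") in ("enforce", "testing", "none")
    if policy.get("version") != "STSv1" or not valid_mode or "max_age" not in policy:
        raise ValueError("invalid MTA-STS policy")
    policy["max_age"] = int(policy["max_age"])  # cache lifetime in seconds
    return policy

def mx_allowed(mx_host, patterns):
    """A leading '*.' in a pattern stands for exactly one leftmost label."""
    host = mx_host.lower().rstrip(".")
    parent = host.partition(".")[2]
    return any(parent == p[2:] if p.startswith("*.") else host == p for p in patterns)

def delivery_decision(policy, mx_host, tls_valid):
    """tls_valid: STARTTLS succeeded and the certificate validated for mx_host."""
    ok = tls_valid and mx_allowed(mx_host, policy["mx"])
    if policy["mode"] == "enforce" and not ok:
        return "refuse"              # never fall back to plaintext
    if policy["mode"] == "testing" and not ok:
        return "deliver-and-report"  # failure surfaces through TLS-RPT
    return "deliver"
```

The id value in the TXT record is what tells a sender that a cached policy has changed, so it must be updated whenever the policy file is edited.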