Good idea, poor adoption: MTA-STS among the Fortune 500
MTA-STS
was built to fix a blunt problem: without it, anyone on the wire can strip
STARTTLS and read mail in transit. The remedy is simple. A DNS record says a
policy exists; a file at
https://mta-sts.<domain>/.well-known/mta-sts.txt tells
senders to deliver only over authenticated TLS. We checked every
Fortune 500 company. The idea holds up. The adoption does not.
Published is rare. Enforced is rarer.
testing mode, collecting reports but never
actually rejecting an unencrypted delivery.
Where adoption stalls, across all 500
Even the adopters hesitate
Among the few who deploy, most stop at testing: collect failure
reports, never reject unencrypted delivery. TLS-RPT, the companion reporting
record, shows up more than twice as often as MTA-STS itself. Plenty of
appetite for telemetry; little appetite to enforce.
12 companies in on the idea
Every Fortune 500 domain with an MTA-STS footprint. 5 enforce, 6 test without enforcing, and any tagged record only advertised a DNS record but never served a policy.
No domains match “”.