The SMTP protocol isn’t secure and wasn’t designed to be. Email sent in the early days of the Internet were the digital equivalent of sending a postcard through the postal system. Eventually, Transpo...
Updated Apr 22, 2025
Version 5.0
Blog Post
KevinShaughnessy
Microsoft
MicrosoftBrian great question. The MTA-STS RFC RFC 8461 - SMTP MTA Strict Transport Security (MTA-STS) (ietf.org) says:
If a valid TXT record is found but no policy can be fetched via HTTPS (for any reason), and there is no valid (non-expired) previously cached policy, senders MUST continue with delivery as though the domain has not implemented MTA-STS.
We honor the RFC on this and if a policy can't be fetched when we're trying to send a message (e.g. due to the policy's web server is down) we'll continue as though the domain has NOT implemented MTA-STS. Thus it won't fail to send just because the receiving domain's policy can't be fetched -- at least not because of MTA-STS. For inbound, it's up to the sending MTAs outside of EXO to follow this RFC "MUST" imperative, which I imagine any MTA that claims support for MTA-STS does.
Kevin Shaughnessy
Sr. Program Manager | Exchange Online Transport