{"id":4596,"date":"2025-12-28T14:27:18","date_gmt":"2025-12-28T14:27:18","guid":{"rendered":"https:\/\/emailwarmup.com\/blog\/?p=4596"},"modified":"2026-03-05T09:49:49","modified_gmt":"2026-03-05T09:49:49","slug":"mta-sts","status":"publish","type":"post","link":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/","title":{"rendered":"MTA-STS Explained \u2014 TLS Encryption For Inbound Email"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"3533\" height=\"2248\" src=\"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg\" alt=\"MTA-STS\" class=\"wp-image-4597\"\/><\/figure>\n\n\n\n<p>MTA-STS (Mail Transfer Agent Strict Transport Security) tells sending servers that your domain only accepts email over encrypted TLS connections. Without it, the STARTTLS upgrade is optional \u2014 and attackers can force email to transmit in plaintext.<\/p>\n\n\n\n<p>The protocol works through two components:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A DNS record announcing MTA-STS support<\/li>\n\n\n\n<li>An HTTPS-hosted policy file specifying encryption requirements<\/li>\n<\/ul>\n\n\n\n<p>When properly configured, sending servers must establish a verified TLS connection before delivering mail. If they can&#8217;t, the email doesn&#8217;t get delivered \u2014 protecting against interception and tampering.<\/p>\n\n\n\n<p>MTA-STS is typically deployed alongside TLS-RPT (TLS Reporting), which sends you daily reports on connection failures. Together, they provide enforcement plus visibility into what&#8217;s actually happening between mail servers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why does MTA-STS exist?<\/h2>\n\n\n\n<p>SMTP was designed in an era when encryption wasn&#8217;t a concern. The STARTTLS extension added optional TLS later, but &#8220;optional&#8221; became the vulnerability.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The STARTTLS problem<\/h3>\n\n\n\n<p>If a sending server can&#8217;t establish TLS, it falls back to plaintext delivery. Attackers exploit this through downgrade attacks:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Intercept the connection between the sending and receiving servers<\/li>\n\n\n\n<li>Read or modify email content undetected<\/li>\n\n\n\n<li>Block the STARTTLS negotiation<\/li>\n\n\n\n<li>Force plaintext transmission<\/li>\n<\/ul>\n\n\n\n<p>STARTTLS also <strong>skips<\/strong> certificate validation. A sending server accepts any certificate \u2014 expired, self-signed, or belonging to an imposter. Man-in-the-middle attacks become trivial when nobody checks credentials.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Vulnerability<\/td><td>What happens<\/td><td>MTA-STS solution<\/td><\/tr><tr><td>Opportunistic encryption<\/td><td>Falls back to plaintext if TLS fails<\/td><td>TLS required or delivery fails<\/td><\/tr><tr><td>Downgrade attacks<\/td><td>Attacker blocks TLS negotiation<\/td><td>No fallback permitted<\/td><\/tr><tr><td>No certificate validation<\/td><td>Any certificate accepted<\/td><td>Must be valid, trusted, hostname-matched<\/td><\/tr><tr><td>DNS spoofing<\/td><td>Attacker redirects MX to malicious server<\/td><td>Allowed MX hosts pinned in policy<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>MTA-STS closes these gaps by making TLS mandatory rather than hopeful.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How does MTA-STS work?<\/h2>\n\n\n\n<p>The mechanism relies on a two-part discovery and enforcement process that sending servers follow before delivering mail.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Discovery process<\/h3>\n\n\n\n<p>When a sending server wants to deliver email to your domain:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>DNS lookup \u2014 checks for a TXT record at _mta-sts.yourdomain.com<\/li>\n\n\n\n<li>Policy fetch \u2014 if the record exists, retrieves the policy file over HTTPS<\/li>\n\n\n\n<li>Validation \u2014 verifies the receiving server&#8217;s certificate matches the policy<\/li>\n\n\n\n<li>Delivery decision \u2014 delivers if validation passes; behavior on failure depends on policy mode<\/li>\n<\/ol>\n\n\n\n<p>The HTTPS requirement for the policy file is intentional. DNS can be spoofed (attackers redirect queries to malicious servers). HTTPS with certificate validation prevents fake policies from being served \u2014 the policy host itself must prove its identity.<\/p>\n\n\n\n<p>Major email providers support MTA-STS, including Gmail, Microsoft 365, and Yahoo. When you implement MTA-STS, mail from these senders arrives encrypted and verified.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What are the MTA-STS components?<\/h2>\n\n\n\n<p>Three pieces work together: a DNS record announcing support, a policy file defining rules, and (optionally) a reporting record for failure notifications.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">DNS TXT record<\/h3>\n\n\n\n<p>The first component signals MTA-STS support. Publish a TXT record at _mta-sts.yourdomain.com:<\/p>\n\n\n\n<p>v=STSv1; id=20241227001<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Field<\/td><td>Purpose<\/td><\/tr><tr><td>v=STSv1<\/td><td>Protocol version (always STSv1)<\/td><\/tr><tr><td>id=<\/td><td>Unique identifier \u2014 change when policy updates<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The id field matters more than it looks. Sending servers cache your policy (based on max_age). When you modify the policy file, increment the ID to force immediate re-fetch \u2014 otherwise, servers continue using stale cached versions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Policy file<\/h3>\n\n\n\n<p>The second component defines enforcement rules. Host a plaintext file at:<\/p>\n\n\n\n<p><a href=\"https:\/\/mta-sts.yourdomain.com\/.well-known\/mta-sts.txt\">https:\/\/mta-sts.yourdomain.com\/.well-known\/mta-sts.txt<\/a><\/p>\n\n\n\n<p>Example policy:<\/p>\n\n\n\n<p>version: STSv1<\/p>\n\n\n\n<p>mode: testing<\/p>\n\n\n\n<p>mx: mail.yourdomain.com<\/p>\n\n\n\n<p>mx: mail2.yourdomain.com<\/p>\n\n\n\n<p>max_age: 604800<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Field<\/td><td>Example<\/td><td>Purpose<\/td><\/tr><tr><td>version<\/td><td>STSv1<\/td><td>Protocol version<\/td><\/tr><tr><td>mode<\/td><td>testing<\/td><td>Enforcement level<\/td><\/tr><tr><td>mx<\/td><td>mail.yourdomain.com<\/td><td>Allowed MX host (one per line)<\/td><\/tr><tr><td>max_age<\/td><td>604800<\/td><td>Cache duration in seconds (604800 = 1 week)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The web server hosting this file must present a valid TLS certificate for the mta-sts subdomain. Self-signed certificates won&#8217;t work \u2014 sending servers validate before trusting the policy.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">TLS-RPT record<\/h3>\n\n\n\n<p>The third component (optional but strongly recommended) enables failure reporting. Publish a TXT record at _smtp._tls.yourdomain.com:<\/p>\n\n\n\n<p>v=TLSRPTv1; rua=mailto:tlsrpt@yourdomain.com<\/p>\n\n\n\n<p>Reports arrive daily in JSON format, detailing connection successes and failures. Without TLS-RPT, you&#8217;re enforcing blindly \u2014 problems remain invisible until someone complains about missing email.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What are the policy modes?<\/h2>\n\n\n\n<p>MTA-STS offers three enforcement levels, designed for phased rollout from monitoring to full enforcement.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Mode<\/td><td>Behavior<\/td><td>Use case<\/td><\/tr><tr><td>none<\/td><td>Disables MTA-STS<\/td><td>Decommissioning the policy<\/td><\/tr><tr><td>testing<\/td><td>Reports failures but delivers anyway<\/td><td>Initial rollout, troubleshooting<\/td><\/tr><tr><td>enforce<\/td><td>Rejects email if TLS validation fails<\/td><td>Production enforcement<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Testing mode<\/h3>\n\n\n\n<p>Start here. In testing mode, sending servers attempt TLS validation but deliver the email regardless of the outcome. Failures get reported via TLS-RPT.<\/p>\n\n\n\n<p>The testing phase reveals misconfigurations you didn&#8217;t know existed:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Expired certificates on backup MX servers<\/li>\n\n\n\n<li>MX hosts are missing from the policy file<\/li>\n\n\n\n<li>Third-party services sending without TLS support<\/li>\n<\/ul>\n\n\n\n<p>Fix issues during testing. Verify clean reports before enabling enforcement.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Enforce mode<\/h3>\n\n\n\n<p>After reviewing 4-6 weeks of clean TLS-RPT data, upgrade to enforce mode. Now, sending servers <em>must<\/em> establish validated TLS. If they can&#8217;t, email isn&#8217;t delivered \u2014 it bounces back to the sender.<\/p>\n\n\n\n<p>When switching modes, update the policy file <em>and<\/em> increment the DNS record ID. Otherwise, sending servers continue using their cached testing-mode policy until max_age expires.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How do you implement MTA-STS?<\/h2>\n\n\n\n<p>Implementation follows a phased approach \u2014 setup, monitoring, then enforcement. Rushing to enforce mode before resolving certificate issues causes legitimate emails to bounce.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisites<\/h3>\n\n\n\n<p>Before deploying, verify your mail servers meet requirements:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Support TLS 1.2 or higher<\/li>\n\n\n\n<li>Use valid certificates from recognized certificate authorities<\/li>\n\n\n\n<li>Certificates match MX hostnames exactly<\/li>\n<\/ul>\n\n\n\n<p>Run an <a href=\"https:\/\/emailwarmup.com\/email-deliverability-test\">email deliverability test<\/a> to check the current authentication and encryption status before starting.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Setup steps<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Phase<\/td><td>Actions<\/td><td>Timeline<\/td><\/tr><tr><td>DNS setup<\/td><td>Publish _mta-sts and _smtp._tls TXT records<\/td><td>Day 1<\/td><\/tr><tr><td>Policy hosting<\/td><td>Create mta-sts.txt with mode: testing<\/td><td>Day 1<\/td><\/tr><tr><td>Monitoring<\/td><td>Review TLS-RPT reports for failures<\/td><td>4-6 weeks<\/td><\/tr><tr><td>Resolution<\/td><td>Fix certificate and MX issues revealed in reports<\/td><td>As needed<\/td><\/tr><tr><td>Enforcement<\/td><td>Update policy to mode: enforce, increment ID<\/td><td>After clean reports<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The testing period matters. Four to six weeks provides enough data to catch intermittent issues \u2014 backup servers that only activate during outages, seasonal sending patterns, forgotten third-party integrations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is TLS-RPT and why does it matter?<\/h2>\n\n\n\n<p>TLS-RPT (SMTP TLS Reporting) provides visibility into what happens when servers try to deliver mail to your domain. Without it, MTA-STS operates as a black box.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Report contents<\/h3>\n\n\n\n<p>Sending servers that support TLS-RPT deliver daily JSON reports detailing:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Failed connections with specific reasons<\/li>\n\n\n\n<li>Successful TLS connections (count and details)<\/li>\n\n\n\n<li>Policy information they retrieved from your domain<\/li>\n<\/ul>\n\n\n\n<p>Common failure reasons reveal specific problems:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Failure type<\/td><td>Meaning<\/td><\/tr><tr><td>starttls-not-supported<\/td><td>Sending server doesn&#8217;t support TLS<\/td><\/tr><tr><td>certificate-expired<\/td><td>Your mail server&#8217;s certificate expired<\/td><\/tr><tr><td>certificate-not-trusted<\/td><td>Certificate not from recognized CA<\/td><\/tr><tr><td>certificate-host-mismatch<\/td><td>Certificate doesn&#8217;t match MX hostname<\/td><\/tr><tr><td>validation-failure<\/td><td>MX host not listed in your policy<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>These reports function similarly to <a href=\"https:\/\/emailwarmup.com\/blog\/email-authentication\/how-to-read-dmarc-reports\/\">DMARC reports<\/a> \u2014 aggregated feedback about authentication and security outcomes. The difference is that DMARC covers sender authentication while TLS-RPT covers transport encryption.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Using reports<\/h3>\n\n\n\n<p>During testing mode, TLS-RPT catches problems before they cause mail loss:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Typo in your policy file&#8217;s MX list<\/li>\n\n\n\n<li>Certificate expiring next week on a server you forgot about<\/li>\n\n\n\n<li>Partner organization sending from infrastructure without TLS<\/li>\n<\/ul>\n\n\n\n<p>Fix issues while testing mode still delivers the mail. Switch to enforce only after reports show consistent success.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How does MTA-STS relate to SPF, DKIM, and DMARC?<\/h2>\n\n\n\n<p><a href=\"https:\/\/emailwarmup.com\/blog\/email-authentication\/spf-record\/\">SPF<\/a>, <a href=\"https:\/\/emailwarmup.com\/blog\/email-authentication\/dkim\/\">DKIM<\/a>, and <a href=\"https:\/\/emailwarmup.com\/blog\/email-authentication\/dmarc\/\">DMARC<\/a> handle <em>authentication<\/em> \u2014 proving who sent the email and whether it was modified in transit.<\/p>\n\n\n\n<p>MTA-STS handles <em>transport<\/em> \u2014 encrypting the email while it moves between servers.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Protocol<\/td><td>Layer<\/td><td>Function<\/td><\/tr><tr><td>SPF<\/td><td>Authentication<\/td><td>Authorizes sending IP addresses<\/td><\/tr><tr><td>DKIM<\/td><td>Authentication<\/td><td>Cryptographically signs message content<\/td><\/tr><tr><td>DMARC<\/td><td>Authentication<\/td><td>Aligns SPF\/DKIM, sets policy for failures<\/td><\/tr><tr><td>MTA-STS<\/td><td>Transport<\/td><td>Enforces TLS encryption between servers<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>A domain with DMARC but no MTA-STS proves sender identity, but transmits content where anyone between servers can read it. A domain with MTA-STS but no DMARC encrypts transit but can&#8217;t verify senders.<\/p>\n\n\n\n<p>Authentication prevents spoofing and impersonation. Transport security prevents interception and eavesdropping. Implement both for complete protection \u2014 they address different attack vectors entirely.<\/p>\n\n\n\n<p>For domains already running SPF, DKIM, and DMARC, adding MTA-STS completes the security stack. The protocols don&#8217;t conflict \u2014 they complement each other across different layers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">TLS is a <em>must-have!<\/em><\/h2>\n\n\n\n<p>Combined with TLS-RPT, you get enforcement plus visibility into connection outcomes.&nbsp;<\/p>\n\n\n\n<p>For help implementing transport security alongside SPF, DKIM, and DMARC, an <a href=\"https:\/\/emailwarmup.com\/email-deliverability-consultant\">email deliverability consultant<\/a> can configure the full authentication and encryption stack.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Frequently asked questions<\/h2>\n\n\n\n<p>Here are some commonly asked questions about MTA-STS:<\/p>\n\n\n\n<div class=\"schema-faq wp-block-yoast-faq-block\"><div class=\"schema-faq-section\" id=\"faq-question-1766931581434\"><strong class=\"schema-faq-question\">Does MTA-STS protect outbound email?<\/strong> <p class=\"schema-faq-answer\">No. MTA-STS protects <em>inbound<\/em> email to your domain \u2014 it tells sending servers how to deliver mail <em>to you<\/em> securely. Outbound security depends on whether recipient domains have implemented MTA-STS. You can&#8217;t force encryption on domains that haven&#8217;t configured it.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1766931587497\"><strong class=\"schema-faq-question\">What happens if a sender doesn&#8217;t support MTA-STS?<\/strong> <p class=\"schema-faq-answer\">Sending servers that don&#8217;t support MTA-STS ignore your policy entirely. They continue delivering via opportunistic STARTTLS (or plaintext if STARTTLS fails). MTA-STS only affects compliant senders \u2014 fortunately, major providers like Gmail, Microsoft, and Yahoo all support it.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1766931593425\"><strong class=\"schema-faq-question\">Is MTA-STS the same as DANE?<\/strong> <p class=\"schema-faq-answer\">Both enforce TLS for email transport, but they work differently. DANE (DNS-Based Authentication of Named Entities) requires DNSSEC for security. MTA-STS uses HTTPS and certificate authorities instead. Most organizations find MTA-STS easier to implement since DNSSEC adoption remains limited.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1766931599370\"><strong class=\"schema-faq-question\">How long should max_age be?<\/strong> <p class=\"schema-faq-answer\">One to four weeks (604800 to 2419200 seconds) works for most domains. Longer values reduce DNS lookups but delay policy updates. Shorter values increase lookup frequency but allow faster changes. A week is a reasonable default for most situations.<\/p> <\/div> <\/div>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>MTA-STS (Mail Transfer Agent Strict Transport Security) tells sending servers that your domain only accepts email over encrypted TLS connections. Without it, the STARTTLS upgrade is optional \u2014 and attackers can force email to transmit in plaintext. The protocol works through two components: When properly configured, sending servers must establish a verified TLS connection before [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":4597,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-4596","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-email-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.0 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>MTA-STS Explained \u2014 TLS Encryption For Inbound Email<\/title>\n<meta name=\"description\" content=\"STARTTLS is optional &amp; attackers can bypass it. MTA-STS makes TLS mandatory for inbound, blocking downgrade attacks. Here&#039;s how to set up!\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"MTA-STS Explained \u2014 TLS Encryption For Inbound Email\" \/>\n<meta property=\"og:description\" content=\"STARTTLS is optional &amp; attackers can bypass it. MTA-STS makes TLS mandatory for inbound, blocking downgrade attacks. Here&#039;s how to set up!\" \/>\n<meta property=\"og:url\" content=\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/\" \/>\n<meta property=\"og:site_name\" content=\"Email Warmup\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-28T14:27:18+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-05T09:49:49+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"3533\" \/>\n\t<meta property=\"og:image:height\" content=\"2248\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Daniyal Dehleh\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Daniyal Dehleh\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/\"},\"author\":{\"name\":\"Daniyal Dehleh\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/#\/schema\/person\/fb2aa8d9a54b3d4d28e96de4d49361a5\"},\"headline\":\"MTA-STS Explained \u2014 TLS Encryption For Inbound Email\",\"datePublished\":\"2025-12-28T14:27:18+00:00\",\"dateModified\":\"2026-03-05T09:49:49+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/\"},\"wordCount\":1562,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/emailwarmup.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg\",\"articleSection\":[\"Email Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#respond\"]}]},{\"@type\":[\"WebPage\",\"FAQPage\"],\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/\",\"url\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/\",\"name\":\"MTA-STS Explained \u2014 TLS Encryption For Inbound Email\",\"isPartOf\":{\"@id\":\"https:\/\/emailwarmup.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg\",\"datePublished\":\"2025-12-28T14:27:18+00:00\",\"dateModified\":\"2026-03-05T09:49:49+00:00\",\"description\":\"STARTTLS is optional & attackers can bypass it. MTA-STS makes TLS mandatory for inbound, blocking downgrade attacks. Here's how to set up!\",\"breadcrumb\":{\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#breadcrumb\"},\"mainEntity\":[{\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931581434\"},{\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931587497\"},{\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931593425\"},{\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931599370\"}],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#primaryimage\",\"url\":\"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg\",\"contentUrl\":\"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg\",\"width\":3533,\"height\":2248,\"caption\":\"MTA-STS\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/emailwarmup.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"MTA-STS Explained \u2014 TLS Encryption For Inbound Email\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/#website\",\"url\":\"https:\/\/emailwarmup.com\/blog\/\",\"name\":\"Email WarmUp\",\"description\":\"100% Inbox Guaranteed.\",\"publisher\":{\"@id\":\"https:\/\/emailwarmup.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/emailwarmup.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/#organization\",\"name\":\"Email WarmUp\",\"url\":\"https:\/\/emailwarmup.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/05\/Group-42350.png\",\"contentUrl\":\"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/05\/Group-42350.png\",\"width\":400,\"height\":271,\"caption\":\"Email WarmUp\"},\"image\":{\"@id\":\"https:\/\/emailwarmup.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/#\/schema\/person\/fb2aa8d9a54b3d4d28e96de4d49361a5\",\"name\":\"Daniyal Dehleh\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/05\/image-2.png\",\"contentUrl\":\"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/05\/image-2.png\",\"caption\":\"Daniyal Dehleh\"},\"description\":\"Daniyal is an award-winning email marketing and deliverability consultant trusted by global brands like LA Fitness, Remax, and Deel. With a proven record of boosting open rates, click-throughs, and ROI by 300% or more, he is recognized as a renowned email marketing expert. For over a decade, he has refined a top-down optimization strategy that aligns technical infrastructure, creative execution, and a tight feedback loop into a system that delivers consistent results for companies of all sizes. Now, Daniyal is pulling back the curtain to share the proven frameworks and insights he\u2019s gathered\u2014helping businesses worldwide achieve the highest possible ROI from their email programs.\",\"url\":\"https:\/\/emailwarmup.com\/blog\/author\/daniyaldehleh\/\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931581434\",\"position\":1,\"url\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931581434\",\"name\":\"Does MTA-STS protect outbound email?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"No. MTA-STS protects <em>inbound<\/em> email to your domain \u2014 it tells sending servers how to deliver mail <em>to you<\/em> securely. Outbound security depends on whether recipient domains have implemented MTA-STS. You can't force encryption on domains that haven't configured it.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931587497\",\"position\":2,\"url\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931587497\",\"name\":\"What happens if a sender doesn't support MTA-STS?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Sending servers that don't support MTA-STS ignore your policy entirely. They continue delivering via opportunistic STARTTLS (or plaintext if STARTTLS fails). MTA-STS only affects compliant senders \u2014 fortunately, major providers like Gmail, Microsoft, and Yahoo all support it.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931593425\",\"position\":3,\"url\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931593425\",\"name\":\"Is MTA-STS the same as DANE?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Both enforce TLS for email transport, but they work differently. DANE (DNS-Based Authentication of Named Entities) requires DNSSEC for security. MTA-STS uses HTTPS and certificate authorities instead. Most organizations find MTA-STS easier to implement since DNSSEC adoption remains limited.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931599370\",\"position\":4,\"url\":\"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931599370\",\"name\":\"How long should max_age be?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"One to four weeks (604800 to 2419200 seconds) works for most domains. Longer values reduce DNS lookups but delay policy updates. Shorter values increase lookup frequency but allow faster changes. A week is a reasonable default for most situations.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"MTA-STS Explained \u2014 TLS Encryption For Inbound Email","description":"STARTTLS is optional & attackers can bypass it. MTA-STS makes TLS mandatory for inbound, blocking downgrade attacks. Here's how to set up!","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/","og_locale":"en_US","og_type":"article","og_title":"MTA-STS Explained \u2014 TLS Encryption For Inbound Email","og_description":"STARTTLS is optional & attackers can bypass it. MTA-STS makes TLS mandatory for inbound, blocking downgrade attacks. Here's how to set up!","og_url":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/","og_site_name":"Email Warmup","article_published_time":"2025-12-28T14:27:18+00:00","article_modified_time":"2026-03-05T09:49:49+00:00","og_image":[{"width":3533,"height":2248,"url":"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg","type":"image\/jpeg"}],"author":"Daniyal Dehleh","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Daniyal Dehleh","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#article","isPartOf":{"@id":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/"},"author":{"name":"Daniyal Dehleh","@id":"https:\/\/emailwarmup.com\/blog\/#\/schema\/person\/fb2aa8d9a54b3d4d28e96de4d49361a5"},"headline":"MTA-STS Explained \u2014 TLS Encryption For Inbound Email","datePublished":"2025-12-28T14:27:18+00:00","dateModified":"2026-03-05T09:49:49+00:00","mainEntityOfPage":{"@id":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/"},"wordCount":1562,"commentCount":0,"publisher":{"@id":"https:\/\/emailwarmup.com\/blog\/#organization"},"image":{"@id":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#primaryimage"},"thumbnailUrl":"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg","articleSection":["Email Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#respond"]}]},{"@type":["WebPage","FAQPage"],"@id":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/","url":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/","name":"MTA-STS Explained \u2014 TLS Encryption For Inbound Email","isPartOf":{"@id":"https:\/\/emailwarmup.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#primaryimage"},"image":{"@id":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#primaryimage"},"thumbnailUrl":"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg","datePublished":"2025-12-28T14:27:18+00:00","dateModified":"2026-03-05T09:49:49+00:00","description":"STARTTLS is optional & attackers can bypass it. MTA-STS makes TLS mandatory for inbound, blocking downgrade attacks. Here's how to set up!","breadcrumb":{"@id":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#breadcrumb"},"mainEntity":[{"@id":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931581434"},{"@id":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931587497"},{"@id":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931593425"},{"@id":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931599370"}],"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#primaryimage","url":"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg","contentUrl":"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg","width":3533,"height":2248,"caption":"MTA-STS"},{"@type":"BreadcrumbList","@id":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/emailwarmup.com\/blog\/"},{"@type":"ListItem","position":2,"name":"MTA-STS Explained \u2014 TLS Encryption For Inbound Email"}]},{"@type":"WebSite","@id":"https:\/\/emailwarmup.com\/blog\/#website","url":"https:\/\/emailwarmup.com\/blog\/","name":"Email WarmUp","description":"100% Inbox Guaranteed.","publisher":{"@id":"https:\/\/emailwarmup.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/emailwarmup.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/emailwarmup.com\/blog\/#organization","name":"Email WarmUp","url":"https:\/\/emailwarmup.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/emailwarmup.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/05\/Group-42350.png","contentUrl":"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/05\/Group-42350.png","width":400,"height":271,"caption":"Email WarmUp"},"image":{"@id":"https:\/\/emailwarmup.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/emailwarmup.com\/blog\/#\/schema\/person\/fb2aa8d9a54b3d4d28e96de4d49361a5","name":"Daniyal Dehleh","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/emailwarmup.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/05\/image-2.png","contentUrl":"https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/05\/image-2.png","caption":"Daniyal Dehleh"},"description":"Daniyal is an award-winning email marketing and deliverability consultant trusted by global brands like LA Fitness, Remax, and Deel. With a proven record of boosting open rates, click-throughs, and ROI by 300% or more, he is recognized as a renowned email marketing expert. For over a decade, he has refined a top-down optimization strategy that aligns technical infrastructure, creative execution, and a tight feedback loop into a system that delivers consistent results for companies of all sizes. Now, Daniyal is pulling back the curtain to share the proven frameworks and insights he\u2019s gathered\u2014helping businesses worldwide achieve the highest possible ROI from their email programs.","url":"https:\/\/emailwarmup.com\/blog\/author\/daniyaldehleh\/"},{"@type":"Question","@id":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931581434","position":1,"url":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931581434","name":"Does MTA-STS protect outbound email?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"No. MTA-STS protects <em>inbound<\/em> email to your domain \u2014 it tells sending servers how to deliver mail <em>to you<\/em> securely. Outbound security depends on whether recipient domains have implemented MTA-STS. You can't force encryption on domains that haven't configured it.","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931587497","position":2,"url":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931587497","name":"What happens if a sender doesn't support MTA-STS?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Sending servers that don't support MTA-STS ignore your policy entirely. They continue delivering via opportunistic STARTTLS (or plaintext if STARTTLS fails). MTA-STS only affects compliant senders \u2014 fortunately, major providers like Gmail, Microsoft, and Yahoo all support it.","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931593425","position":3,"url":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931593425","name":"Is MTA-STS the same as DANE?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Both enforce TLS for email transport, but they work differently. DANE (DNS-Based Authentication of Named Entities) requires DNSSEC for security. MTA-STS uses HTTPS and certificate authorities instead. Most organizations find MTA-STS easier to implement since DNSSEC adoption remains limited.","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931599370","position":4,"url":"https:\/\/emailwarmup.com\/blog\/email-security\/mta-sts\/#faq-question-1766931599370","name":"How long should max_age be?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"One to four weeks (604800 to 2419200 seconds) works for most domains. Longer values reduce DNS lookups but delay policy updates. Shorter values increase lookup frequency but allow faster changes. A week is a reasonable default for most situations.","inLanguage":"en-US"},"inLanguage":"en-US"}]}},"uagb_featured_image_src":{"full":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg",3533,2248,false],"thumbnail":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg",150,95,false],"medium":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg",300,191,false],"medium_large":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg",768,489,false],"large":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg",1024,652,false],"1536x1536":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg",1536,977,false],"2048x2048":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg",2048,1303,false],"profile_24":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg",24,15,false],"profile_48":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg",48,31,false],"profile_96":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg",96,61,false],"profile_150":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg",150,95,false],"profile_300":["https:\/\/emailwarmup.com\/blog\/wp-content\/uploads\/2025\/12\/MTA-STS_11zon.jpg",300,191,false]},"uagb_author_info":{"display_name":"Daniyal Dehleh","author_link":"https:\/\/emailwarmup.com\/blog\/author\/daniyaldehleh\/"},"uagb_comment_info":0,"uagb_excerpt":"MTA-STS (Mail Transfer Agent Strict Transport Security) tells sending servers that your domain only accepts email over encrypted TLS connections. Without it, the STARTTLS upgrade is optional \u2014 and attackers can force email to transmit in plaintext. The protocol works through two components: When properly configured, sending servers must establish a verified TLS connection before&hellip;","_links":{"self":[{"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/posts\/4596","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/comments?post=4596"}],"version-history":[{"count":2,"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/posts\/4596\/revisions"}],"predecessor-version":[{"id":4914,"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/posts\/4596\/revisions\/4914"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/media\/4597"}],"wp:attachment":[{"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/media?parent=4596"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/categories?post=4596"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/emailwarmup.com\/blog\/wp-json\/wp\/v2\/tags?post=4596"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}