DNS Checker(beta)

MTA-STS

Mail Transfer Agent Strict Transport Security: lets a domain require sending mail servers to use authenticated TLS when delivering to it.

MTA-STS (Mail Transfer Agent Strict Transport Security) is the email equivalent of HSTS. A receiving domain publishes a TXT record at _mta-sts.example.com plus an HTTPS-hosted policy file declaring "only deliver mail to my MX hosts over TLS, and only if the certificate is valid for the MX hostname." Senders that support MTA-STS will refuse to fall back to plaintext SMTP or accept a self-signed certificate, defeating downgrade attacks on inbound mail. MTA-STS is usually deployed alongside TLS-RPT, which provides reports when something fails.
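The sender-side check described above, as an added example that is not from the original page or from any mail server's code. The policy field names (version, mode, mx, max_age) follow RFC 8461 rather than this page, all domains and values are constructed samples, and cert_valid_for_mx is a boolean standing in for the real TLS certificate validation.

```python
# Constructed sample data: a TXT record for _mta-sts.example.com and its policy file.
SAMPLE_TXT = "v=STSv1; id=20240101000000Z;"
SAMPLE_POLICY = ("version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\n"
                 "mx: *.example.net\r\nmax_age: 604800\r\n")

def parse_txt(record):
    """Return the policy id, or None if this is not a valid STSv1 record."""
    fields = [f.strip() for f in record.split(";") if f.strip()]
    if not fields or fields[0] != "v=STSv1":  # the version field must come first
        return None
    pairs = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    pid = pairs.get("id", "")
    return pid if pid.isascii() and pid.isalnum() and len(pid) <= 32 else None

def parse_policy(text):
    """Parse the policy body; 'mx' repeats, other keys keep their first value."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy.setdefault(key, value)
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS policy")
    return policy

def mx_allowed(mx_host, patterns):
    """A '*.' pattern matches exactly one left-most label, never zero or several."""
    host = mx_host.lower().rstrip(".")
    label, _, parent = host.partition(".")
    return any(host == p or (p.startswith("*.") and label and parent == p[2:])
               for p in patterns)

def delivery_decision(policy, mx_host, cert_valid_for_mx):
    """What a supporting sender does with one candidate MX host."""
    # cert_valid_for_mx: assumed result of validating the TLS certificate for mx_host.
    ok = mx_allowed(mx_host, policy["mx"]) and cert_valid_for_mx
    if policy["mode"] == "none" or ok:
        return "deliver"
    return "skip-mx" if policy["mode"] == "enforce" else "deliver-and-report"
```

In testing mode a failure still results in delivery, with the failure surfaced through TLS-RPT; only enforce mode makes the sender skip the host.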
