If you’re familiar with Google’s HSTS preload project then STARTTLS preloading should come as no surprise.
The Electronic Frontier Foundation (EFF) created the STARTTLS Everywhere project to address security weaknesses in the email ecosystem and to work in conjunction with MTA-STS. More about the project can be found here: https://starttls-everywhere.org/about/. Hardenize also mentions STARTTLS Everywhere in their MTA-STS blog post: https://www.hardenize.com/blog/mta-sts.
So how does one get started?
1. Check your domain here: https://starttls-everywhere.org/
2. Meet the minimum requirements for submission:
   - Support STARTTLS;
   - Use a secure version of TLS ensuring that SSLv2 and SSLv3 are not being used;
   - Use a valid certificate.
3. Since I’m using Google Apps for Business, Google has my MX records and Google supports STARTTLS. Other major email providers like Microsoft and Protonmail also pass on the list. If you’re using a private email system or a less widely-known provider, you may need some additional leg work.
4. Click on the “+ Add your email domain to the STARTTLS Policy List” box and fill in your domain details but don’t hit the “SUBMIT YOUR DOMAIN” button just yet! See #5 below.
5. You must be able to receive email at “email@example.com”. If you’re using Google Apps for Business, create a new group called “postmaster” and add your email address to that postmaster group.
6. Once your postmaster address is configured (and validated), click on the “SUBMIT YOUR DOMAIN” button. Check your email for a validation link from the EFF.
7. Once you click the validation link, you should get a “Success!” message.
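If you run your own mail server, you can check the three minimum requirements from the list above yourself before submitting. The script below is an added example, not part of the EFF tooling; the function names `evaluate`, `probe` and `_starttls` are made up for illustration, and it assumes you pass the hostname of your own MX record and that outbound port 25 is not blocked on your network.

```python
import smtplib
import ssl
import sys

WEAK = {"SSLv2", "SSLv3"}  # the protocol versions the requirements rule out

def evaluate(starttls_offered, tls_version, cert_error):
    """Map raw probe results onto the three submission requirements."""
    negotiated = bool(starttls_offered) and tls_version is not None
    return {
        "supports_starttls": bool(starttls_offered),
        "secure_tls_version": negotiated and tls_version not in WEAK,
        "valid_certificate": negotiated and cert_error is None,
    }

def _starttls(mx_host, ctx, port, timeout):
    """Return (STARTTLS advertised?, negotiated TLS version or None)."""
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False, None
        smtp.starttls(context=ctx)   # raises ssl.SSLError on handshake failure
        return True, smtp.sock.version()

def probe(mx_host, port=25, timeout=10):
    """Check one MX host: strict verification first, then a lax retry."""
    strict = ssl.create_default_context()  # verifies chain and hostname
    cert_error = None
    try:
        offered, version = _starttls(mx_host, strict, port, timeout)
    except ssl.SSLCertVerificationError as exc:
        # Certificate is not valid for this host. Reconnect without
        # verification only to learn which TLS version the server speaks.
        cert_error = exc.verify_message
        lax = ssl.create_default_context()
        lax.check_hostname = False
        lax.verify_mode = ssl.CERT_NONE
        offered, version = _starttls(mx_host, lax, port, timeout)
    return evaluate(offered, version, cert_error)

if __name__ == "__main__":
    # Usage: python check_mx.py <hostname from your MX record>
    for requirement, ok in probe(sys.argv[1]).items():
        print(f"{requirement}: {'PASS' if ok else 'FAIL'}")
```

Current Python and OpenSSL builds refuse SSLv2 and SSLv3 outright, so a server that only speaks those fails the handshake with an error instead of being reported as a weak version.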
Because this was introduced in 2018 and is so new to the security stack, I’m not sure about adoption rates using this EFF tool. Similar to MTA-STS’ introduction in 2018, time will tell how resourceful this turns out to be. The good news is that you’ll be in line once adoption rates pick up and usage grows.
Interested in the technical details and how to contribute? Check out the EFF Deep Dive post here: https://www.eff.org/deeplinks/2018/06/technical-deep-dive-starttls-everywhere.