In article <20191007002348.GA23742@x2.esmtp.org> you
> What's wrong with MTA-STS defined in RFC 8461?
> It requires an HTTPS server, thus adding an extra service and moving
> the "trust" problem to CAs (AFAICT).
I was there when we were defining MTA-STS and the people involved,
who work for companies that probably handle the majority of all of
the mail in the world, did not want it to depend on DNSSEC for
See sections 2 and 10 of RFC 8461.
If you like DNSSEC, you can publish a DANE TLSA record for your SMTP
server, and systems like Comcast that pay attention to DNSSEC will use
it to check that you support TLS and have the right cert.
ietf-smtp mailing list
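As an added illustration of the DANE alternative mentioned above (this is not code from the list or from any MTA), a stand-alone Python sketch of the two halves of that check: how a server operator derives a DANE-EE "3 1 1" TLSA record from the certificate's public key, and how a DNSSEC-aware client compares the certificate a server presents against the records it received. The certificate used here is a constructed DER stand-in with placeholder key bytes, and all names are hypothetical.

```python
import hashlib

def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder; short-form lengths are enough for the constructed cert."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def der_children(body: bytes) -> list:
    """Split a constructed DER value into (tag, content, whole_tlv) triples."""
    out, i = [], 0
    while i < len(body):
        start, tag, ln, i = i, body[i], body[i + 1], i + 2
        if ln & 0x80:                       # long-form length (real certificates use it)
            n = ln & 0x7F
            ln, i = int.from_bytes(body[i:i + n], "big"), i + n
        out.append((tag, body[i:i + ln], body[start:i + ln]))
        i += ln
    return out

def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 Certificate (RFC 5280 layout)."""
    tbs = der_children(der_children(cert_der)[0][1])[0][1]
    fields = der_children(tbs)
    idx = 6 if fields[0][0] == 0xA0 else 5  # an explicit [0] version shifts the SPKI position
    return fields[idx][2]

def tlsa_311(cert_der: bytes) -> str:
    """Server side: the record data an operator publishes at _25._tcp.<mx host>."""
    return "3 1 1 " + hashlib.sha256(spki_from_cert(cert_der)).hexdigest()

def dane_matches(cert_der: bytes, tlsa_records: list) -> bool:
    """Client side: accept the presented cert if any DNSSEC-validated 3 1 1 record matches it."""
    digest = hashlib.sha256(spki_from_cert(cert_der)).hexdigest()
    for rec in tlsa_records:
        fields = rec.lower().split()
        if fields[:3] == ["3", "1", "1"] and fields[3:] == [digest]:
            return True
    return False                            # other usages/selectors are out of scope here

# Constructed stand-in for a server certificate: valid DER layout, placeholder key, empty names.
SPKI = der(0x30, der(0x30, bytes.fromhex("06072a8648ce3d0201")        # id-ecPublicKey
                         + bytes.fromhex("06082a8648ce3d030107"))     # prime256v1
                 + der(0x03, b"\x00\x04" + b"\x11" * 64))             # not a real point
EMPTY = der(0x30, b"")
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")   # v3, serial 1
           + EMPTY + EMPTY + EMPTY + EMPTY + SPKI)                   # sigAlg, issuer, validity, subject
CERT = der(0x30, TBS + EMPTY + der(0x03, b"\x00"))

if __name__ == "__main__":
    print(tlsa_311(CERT), dane_matches(CERT, [tlsa_311(CERT)]))
```

The client-side check only has value when the TLSA lookup itself was DNSSEC-validated; an unsigned or bogus answer must be treated as "no DANE", not as a match.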