On Thu, Mar 25, 2021 at 12:03:25AM +0000, Richard Clayton wrote:
The only other game in town is MTA-STS, which is a Rube Goldberg
contraption with DNS text records, long-term policy caches, HTTPS
services and having to duplicate MX records outside of DNS. It isn't
gaining broad traction beyond the large providers.
Indeed ... but it fixes the actual real world problem which the large
providers have
That's fine, I don't begrudge them that choice. I even helped with
crafting the specification. But since I am not a fan of centralised
email, I think it is healthy to have a cleaner design that isn't
primarily tied to the short-term needs of the largest providers.
In terms of breadth of adoption (number of supporting inbound
domains and MTAs) DANE is presently competing favourably with MTA-STS.
$ curl -sLo - https://mta-sts.outlook.com/.well-known/mta-sts.txt
version: STSv1
mode: testing
mx: *.olc.protection.outlook.com
max_age: 604800
$ curl -sLo - https://mta-sts.yahoo.com/.well-known/mta-sts.txt
version: STSv1
mode: testing
mx: *.am0.yahoodns.net
mx: *.mail.gm0.yahoodns.net
mx: *.mail.am0.yahoodns.net
max_age: 86400
So it looks like the MTA-STS club in the USA is Google and Comcast:
$ curl -sLo - https://mta-sts.comcast.net/.well-known/mta-sts.txt
version: STSv1
mode: enforce
mx: mx1.comcast.net
mx: mx2.comcast.net
max_age: 2592000
$ curl -sLo - https://mta-sts.gmail.com/.well-known/mta-sts.txt
version: STSv1
mode: enforce
mx: gmail-smtp-in.l.google.com
mx: *.gmail-smtp-in.l.google.com
max_age: 86400
with Microsoft and Yahoo still not live with the spec 2.5 years old.
It never made sense. Just do STARTTLS if unverified DNS is good
enough, so are unverified certificates.
There's a growing literature on why security standards are widely
adopted (and why so many fail) along with a pretty good understanding of
what levers are available ...
Some of it is perhaps even reflected in RFC7435. Again, we have
STARTTLS, that's the cake. DANE and MTA-STS are icing.
--
Viktor.
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
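The policies fetched with curl above all share the same four-field format (version, mode, mx, max_age) defined in RFC 8461. The following is an added example, not code from the thread or from any of the participants: a small parser for that format plus the MX-name matching rule a sending MTA applies, where a leading "*" stands in for exactly one leftmost label. The sample policy text and hostnames are constructed; the logic is the RFC's, not any particular MTA's implementation.

```python
"""Parse an MTA-STS policy file and check MX hostnames against it.

Added example (not part of the mailing-list message). Field names and the
wildcard rule follow RFC 8461; the sample policy below is constructed to
have the same shape as the ones fetched with curl in the thread.
"""

# Constructed sample policy, same layout as a real .well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mx1.example.net
mx: *.mail.example.net
max_age: 2592000
"""

VALID_MODES = ("enforce", "testing", "none")


def parse_policy(text):
    """Return {'version', 'mode', 'max_age' (int), 'mx' (list of lowercase names)}.

    Raises ValueError on a malformed or incomplete policy. Unknown extension
    fields are ignored, as RFC 8461 permits.
    """
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            # MX patterns are DNS names; compare case-insensitively, no trailing dot
            policy["mx"].append(value.lower().rstrip("."))
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                raise ValueError(f"duplicate field: {key}")
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("missing or invalid mode")
    try:
        policy["max_age"] = int(policy["max_age"])
    except (KeyError, ValueError):
        raise ValueError("missing or non-numeric max_age")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy lists no mx entries")
    return policy


def mx_matches(pattern, hostname):
    """RFC 8461 rule: exact match, or '*.' standing for one leftmost label only."""
    host = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".mail.example.net"
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]
        # exactly one label: non-empty and containing no further dots
        return bool(leftmost) and "." not in leftmost
    return host == pattern


def mx_allowed(policy, hostname):
    """True if the MX hostname matches any pattern in the policy."""
    return any(mx_matches(p, hostname) for p in policy["mx"])


def delivery_decision(policy, hostname, tls_validated):
    """Return (deliver, compliant).

    A host is compliant only if it matches the policy and presented a valid
    certificate. In 'enforce' mode non-compliance blocks delivery; in
    'testing' (and 'none') mail still flows and the failure is only reported.
    """
    compliant = mx_allowed(policy, hostname) and tls_validated
    if policy["mode"] == "enforce":
        return compliant, compliant
    return True, compliant


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    for host in ("mx1.example.net.", "a.mail.example.net", "a.b.mail.example.net"):
        print(host, delivery_decision(pol, host, tls_validated=True))
```

The distinction in `delivery_decision` is the one visible in the fetched policies: the providers still on `mode: testing` get reports but no enforcement, so a policy in that mode offers no downgrade protection yet.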