Tip: if you're using Gmail for mail on your own domain, change your MX records to mx[1-4].smtp.goog to get DNSSEC+DANE protection on your email.
Conversation
Replying to
It's just DNSSEC without DANE right now. If a lot more people use it, maybe they'll take that as a signal for people wanting DANE and add records. It would be really easy for them. Can set up MTA-STS with it though, and DNSSEC makes that work better than just Trust On First Use.
Replying to
Oh weird, I thought it had DANE too... Am I misremembering or is there a different domain that does?
1
Replying to
I don't think they have TLSA records for their mail servers. They could easily add them, especially since they use the same TLS infrastructure they do elsewhere and they use pinning for their web sites, update servers, etc. via pinning the valid CAs for their properties.
2
1
Show replies