Tip: if you're using Gmail for mail on your own domain, change your MX records to mx[1-4].smtp.goog to get DNSSEC+DANE protection on your email.
Conversation
Replying to
It's just DNSSEC without DANE right now. If a lot more people use it, maybe they'll take that as a signal for people wanting DANE and add records. It would be really easy for them. Can set up MTA-STS with it though, and DNSSEC makes that work better than just Trust On First Use.
1
1
Replying to
Oh weird, I thought it had DANE too... Am I misremembering or is there a different domain that does?
1
Replying to
I don't think they have TLSA records for their mail servers. They could easily add them, especially since they use the same TLS infrastructure they do elsewhere and they use pinning for their web sites, update servers, etc. via pinning the valid CAs for their properties.
There's a good chance they would be completely willing to add TLSA records to those if someone got in touch with the right person and communicated it properly, especially mentioning the similarity to the pinning they use elsewhere.
1
1
Maybe bring up Microsoft's embrace of DNSSEC + DANE. G Suite customers just need to start asking for it and making a good case for it (mention pinning they use elsewhere including web sites, update_engine and so on + Microsoft's Outlook annoucement, etc.).
1
2
Show replies
Replying to
Yes, just pinning to their own root would be trivial. Of course you could do that with your own CNAMEs pointing at mx[1-4].smtp.goog.
1
Hmm, no, you can't do DANE-TA with a CNAME like that because the name won't match. You'd have to do DANE-EE which would be too fragile with somebody else's server...