We've replaced the obsolete HPKP header with DANE TLSA records pinning our keys for our important web servers (grapheneos.org, releases.grapheneos.org, attestation.app).
Sadly, browsers don't support DANE, but it's trivial to set up and maintain, so why not?
Our mail server has used DANE from the beginning. Unlike browsers, there's broad support for it among mail servers.
Gmail doesn't support it for political reasons. MTA-STS only provides an equivalent to HSTS without preloading. It relies on DNS security regardless, as do CAs.
They have DANE records for securely sending mail to their server, but you would need to use havedane.net to check if they support enforcing DANE for sending mail. Send an email to the 3 randomly generated addresses listed there and keep the page open for results.
Only the domain without DANE and the domain with valid DANE should receive your email. The domain without it shouldn't receive it. If it does, it means they don't enforce DANE for sending email, which is a common problem. Often, people only set up the DNS records not enforcement.
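As an added illustration of what the pinning in the original post and the enforcement check above actually involve (this is example code, not GrapheneOS's code and not part of havedane.net or any mail server), the block below generates TLSA record data from a certificate and performs the match an enforcing client does. It uses only the Python standard library. The certificate is a synthetic, unsigned DER structure built inline with made-up key bytes so the example runs offline; the owner-name layout `_port._proto.host` and the usage/selector/matching-type semantics follow RFC 6698. Only usage 3 (DANE-EE) is matched, because usages 0 to 2 additionally require PKIX chain validation that this example does not model.

```python
"""Added example (not GrapheneOS code): build and check DANE TLSA records.

Standard library only. The certificate is a constructed, unsigned DER
structure so that SPKI extraction has something real to walk.
"""
import hashlib

# --- minimal DER helpers -------------------------------------------------

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length, long form when needed)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_tlv(data: bytes, pos: int):
    """Decode the TLV at pos; return (tag, value, start, end)."""
    tag = data[pos]
    first = data[pos + 1]
    hdr = pos + 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(data[hdr:hdr + n], "big")
        hdr += n
    else:
        length = first
    return tag, data[hdr:hdr + length], pos, hdr + length

def der_children(value: bytes):
    """Yield (tag, raw_tlv_bytes) for each element of a constructed value."""
    pos = 0
    while pos < len(value):
        tag, _, start, end = der_tlv(value, pos)
        yield tag, value[start:end]
        pos = end

# --- the X.509 piece TLSA selector 1 hashes -------------------------------

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo (RFC 6698 selector 1)."""
    _, cert_body, _, _ = der_tlv(cert_der, 0)
    _, tbs_body, _, _ = der_tlv(cert_body, 0)          # tbsCertificate
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

ED25519_OID = der(0x06, bytes.fromhex("2b6570"))        # 1.3.101.112

def build_synthetic_cert(pubkey: bytes) -> bytes:
    """Constructed, UNSIGNED v3 certificate carrying an Ed25519 SPKI.
    Enough structure for SPKI extraction; the signature field is zeros."""
    alg = der(0x30, ED25519_OID)
    spki = der(0x30, alg + der(0x03, b"\x00" + pubkey))  # BIT STRING, 0 unused bits
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02")) +           # version v3
              der(0x02, b"\x01") +                      # serialNumber
              alg +                                     # signature algorithm
              der(0x30, b"") +                          # issuer (empty Name)
              der(0x30, der(0x17, b"240101000000Z") +
                        der(0x17, b"250101000000Z")) +  # validity (UTCTime)
              der(0x30, b"") +                          # subject (empty Name)
              spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(64)))

# --- TLSA record generation and matching (RFC 6698) -----------------------

def tlsa_owner(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name of the TLSA RRset, e.g. _443._tcp.grapheneos.org."""
    return f"_{port}._{proto}.{host}."

def _assoc_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type")

def tlsa_record(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation-format RDATA, e.g. '3 1 1 <hex>' (DANE-EE, SPKI, SHA-256)."""
    return f"{usage} {selector} {mtype} {_assoc_data(cert_der, selector, mtype).hex()}"

def tlsa_matches(records, cert_der: bytes) -> bool:
    """True if some usage-3 record pins the presented certificate.
    An enforcing client treats False as a hard failure, not a fallback."""
    for rec in records:
        usage, selector, mtype, hexdata = rec.split()
        if int(usage) != 3:
            continue   # usages 0-2 also need PKIX chain validation; not modelled
        if bytes.fromhex(hexdata) == _assoc_data(cert_der, int(selector), int(mtype)):
            return True
    return False
```

The difference the havedane.net test exposes is what a sender does with a `False` result: a sending MTA that merely publishes records but does not enforce will still deliver to a domain whose TLSA data does not match its certificate, while an enforcing one refuses. Pinning the SPKI (selector 1) rather than the whole certificate (selector 0) is what lets a certificate be renewed without touching DNS, as long as the key is kept.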