We've replaced the obsolete HPKP header with DANE TLSA records pinning our keys for our important web servers (grapheneos.org, releases.grapheneos.org, attestation.app).
Sadly, browsers don't support DANE, but it's trivial to set up and maintain, so why not?
Our mail server has used DANE from the beginning. Unlike browsers, there's broad support for it among mail servers.
Gmail doesn't support it for political reasons. MTA-STS only provides an equivalent to HSTS without preloading. It relies on DNS security regardless, as do CAs.
They have DANE records for securely sending mail to their server, but you would need to use havedane.net to check if they support enforcing DANE for sending mail. Send an email to the 3 randomly generated addresses listed there and keep the page open for results.
Only the domain without DANE and the domain with valid DANE should receive your email. The domain without it shouldn't receive it. If it does, it means they don't enforce DANE for sending email, which is a common problem. Often, people only set up the DNS records not enforcement.
That means they only added the DNS records and didn't enable DANE verification in their mail server. So, people can send you mail secured by DANE, but when you send emails to servers with DANE support they don't bother verifying it. It's trivial to enable it too.
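What the posts above describe on both sides (publishing a TLSA record that pins a server key, and a client that actually verifies a presented certificate against that record instead of just having the DNS entry) as an added worked example. This is not code from GrapheneOS or from anyone in the thread. It uses only the Python standard library and constructed sample bytes: `SAMPLE_SPKI_DER` is a hand-built DER SubjectPublicKeyInfo for a fake Ed25519 key and `SAMPLE_CERT_DER` is a placeholder blob standing in for a full certificate; a real client would take the certificate from the TLS handshake and the TLSA record from a DNSSEC-validated lookup.

```python
import hashlib
import hmac

# Constructed sample inputs (not real keys or certificates): a DER-encoded
# SubjectPublicKeyInfo for an Ed25519 key whose 32 key bytes are all 0x11,
# and a placeholder blob standing in for a full certificate DER.
SAMPLE_SPKI_DER = bytes.fromhex("302a300506032b6570032100") + bytes([0x11] * 32)
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + b"constructed certificate placeholder"

# RFC 6698 parameter values. Usage 3 (DANE-EE) with selector 1 (SPKI) and
# matching type 1 (SHA-256) is the usual "3 1 1" form for pinning a key.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING_TYPES = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}


def parse_tlsa(rdata):
    """Parse presentation-format TLSA RDATA such as '3 1 1 <hex>'.

    Returns (usage, selector, matching_type, data). Raises ValueError for
    records that are malformed or use parameter values this code does not
    know; a DANE client treats such records as unusable and ignores them.
    """
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING_TYPES:
        raise ValueError("unknown TLSA parameter value")
    # Zone files often break the hex into several whitespace-separated chunks.
    data = bytes.fromhex("".join(parts[3:]))
    expected_len = {1: 32, 2: 64}.get(mtype)
    if expected_len is not None and len(data) != expected_len:
        raise ValueError("association data length does not match hash type")
    return usage, selector, mtype, data


def association_data(selector, mtype, cert_der, spki_der):
    """Compute the association data a certificate should produce for a record."""
    base = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return base
    if mtype == 1:
        return hashlib.sha256(base).digest()
    return hashlib.sha512(base).digest()


def tlsa_record(usage, selector, mtype, cert_der, spki_der):
    """Build the presentation-format RDATA to publish for a certificate."""
    data = association_data(selector, mtype, cert_der, spki_der)
    return f"{usage} {selector} {mtype} {data.hex()}"


def tlsa_matches(rdata, cert_der, spki_der):
    """True if the given certificate satisfies the record, else False.

    For usage 2 (DANE-TA) pass the trust-anchor certificate from the chain;
    for usages 1 and 3 pass the end-entity certificate. Usages 0 and 1 also
    require ordinary PKIX validation, which is outside this example.
    Unusable records yield False rather than an exception.
    """
    try:
        usage, selector, mtype, data = parse_tlsa(rdata)
    except ValueError:
        return False
    expected = association_data(selector, mtype, cert_der, spki_der)
    return hmac.compare_digest(expected, data)


if __name__ == "__main__":
    rdata = tlsa_record(3, 1, 1, SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print("_443._tcp.example.invalid. IN TLSA", rdata)
    print("matches:", tlsa_matches(rdata, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
```

The check only means something if the record came from a DNSSEC-validated answer (a validating resolver that sets the AD bit, or local validation); an attacker who can spoof DNS could otherwise replace both the MX and the TLSA record. That is also the distinction the second post draws: publishing the record protects people sending to you, while verification on your outbound side is a separate switch. In Postfix that switch is `smtp_dns_support_level = dnssec` together with `smtp_tls_security_level = dane`, which is the behaviour the havedane.net test exercises.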