We've replaced the obsolete HPKP header with DANE TLSA records pinning our keys for our important web servers (grapheneos.org, releases.grapheneos.org, attestation.app).
Sadly, browsers don't support DANE, but it's trivial to set up and maintain, so why not?
Our mail server has used DANE from the beginning. Unlike browsers, there's broad support for it among mail servers.
Gmail doesn't support it for political reasons. MTA-STS only provides an equivalent to HSTS without preloading. It relies on DNS security regardless, as do CAs.
They have DANE records for securely sending mail to their server, but you would need to use havedane.net to check if they support enforcing DANE for sending mail. Send an email to the 3 randomly generated addresses listed there and keep the page open for results.
Only the domain without DANE and the domain with valid DANE should receive your email. The domain without it shouldn't receive it. If it does, it means they don't enforce DANE for sending email, which is a common problem. Often, people only set up the DNS records not enforcement.
That means they only added the DNS records and didn't enable DANE verification in their mail server. So, people can send you mail secured by DANE, but when you send emails to servers with DANE support they don't bother verifying it. It's trivial to enable it too.
For example, with Postfix, install unbound, set it up as the DNS server, then add `smtp_dns_support_level = dnssec` and `smtp_tls_security_level = dane` to the Postfix configuration. Enforcing it for outbound mail is really the easy part. Maintaining DNS records is more work.
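The TLSA records mentioned at the top of the thread (for the web servers) and the Postfix `smtp_tls_security_level = dane` setting above are two sides of the same check: the operator publishes a hash of the server key, and a DANE-enforcing client hashes the key it is presented and compares. The following is an added example, not code from this thread or from GrapheneOS, showing how a record is generated from a SubjectPublicKeyInfo, how a DANE-EE (usage 3) or DANE-TA (usage 2) RRset is matched against a presented chain, and the rollover step that makes "maintaining DNS records" the hard part. The certificate and SPKI byte strings are constructed placeholders rather than real DER; the matching logic only hashes and compares bytes, so it does not care.

```python
"""Generate and verify DANE TLSA records (RFC 6698 / RFC 7671 semantics).

Added example for this thread; not GrapheneOS code.  The byte strings below
stand in for DER-encoded certificates and SubjectPublicKeyInfo structures.
"""
import hashlib
from dataclasses import dataclass

# Certificate usage values we model.  PKIX-TA (0) and PKIX-EE (1) also need a
# normal CA validation and are rejected here rather than faked.
DANE_TA = 2   # record names an issuer key somewhere in the chain
DANE_EE = 3   # record names the server's own key
# Selector: 0 = whole certificate DER, 1 = SubjectPublicKeyInfo DER.
# Matching type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.

# Constructed placeholders (not real DER).
CONSTRUCTED_CERT = b"constructed-leaf-certificate-der"
CONSTRUCTED_SPKI = b"constructed-leaf-spki-der"


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes

    def presentation(self) -> str:
        """Zone-file form, e.g. '3 1 1 <hex>'."""
        return f"{self.usage} {self.selector} {self.mtype} {self.data.hex()}"


def parse_tlsa(text: str) -> TLSA:
    """Parse the presentation form.  The hex field may be split across
    whitespace, as it often is in zone files."""
    parts = text.split()
    if len(parts) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA field value")
    return TLSA(usage, selector, mtype, bytes.fromhex("".join(parts[3:])))


def _select(selector: int, cert_der: bytes, spki_der: bytes) -> bytes:
    return cert_der if selector == 0 else spki_der


def _match(mtype: int, selected: bytes) -> bytes:
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def make_tlsa(cert_der: bytes, spki_der: bytes, usage: int = DANE_EE,
              selector: int = 1, mtype: int = 1) -> TLSA:
    """The record an operator publishes at _25._tcp.<mx> or _443._tcp.<host>.
    Default 3 1 1 (EE, SPKI, SHA-256) survives certificate renewals as long as
    the key pair is kept."""
    return TLSA(usage, selector, mtype, _match(mtype, _select(selector, cert_der, spki_der)))


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Does this one record vouch for this certificate/key?"""
    return _match(record.mtype, _select(record.selector, cert_der, spki_der)) == record.data


def dane_verify(rrset, chain) -> bool:
    """chain is a list of (cert_der, spki_der), leaf first.
    DANE-EE may only match the leaf; DANE-TA may match any issuer above it."""
    if not chain:
        return False
    for rr in rrset:
        if rr.usage == DANE_EE and tlsa_matches(rr, *chain[0]):
            return True
        if rr.usage == DANE_TA and any(tlsa_matches(rr, c, k) for c, k in chain[1:]):
            return True
    return False


def rollover_rrset(current, new_cert_der: bytes, new_spki_der: bytes):
    """Key rollover: publish the new record alongside the old one, wait at
    least the TTL (ideally 2x) so every cache sees both, only then switch the
    server key and finally drop the old record.  Switching the key first
    breaks delivery from every DANE-enforcing sender."""
    return tuple(current) + (make_tlsa(new_cert_der, new_spki_der),)


if __name__ == "__main__":
    rr = make_tlsa(CONSTRUCTED_CERT, CONSTRUCTED_SPKI)
    print(rr.presentation())
    print(dane_verify([rr], [(CONSTRUCTED_CERT, CONSTRUCTED_SPKI)]))
```

Against a live server the same comparison is `dig +dnssec TLSA _25._tcp.<mx>` on one side and the SPKI hash of the certificate the server actually presents on the other; the records are only worth anything if the DNS answer was DNSSEC-validated, which is what the unbound step in the post above provides.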
Many mail providers make the same mistake with DMARC. They set up DNS records for other mail servers to check to prevent spoofing emails from their domain, but they don't properly enforce it themselves. I think the issue is focusing on results from security scanning services.
They have "v=DMARC1; p=quarantine; fo=1;" as their DMARC policy, which is acceptable (could be better) for preventing spoofing from your address.
However, you would need to send a spoofed email from an address with a DMARC quarantine or reject policy to see if they enforce it.
Gmail has a p=none policy which allows anyone to send spoofed emails from .com. Don't believe the hype that Gmail is a secure email provider. Doesn't support DANE at all either, and their MTA-STS uses a max-age of 1 day so it expires if you don't send them email daily.
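The DMARC point in the posts above is that a published record such as `v=DMARC1; p=quarantine; fo=1;` only instructs other receivers; whether a provider is protected against spoofing of its own users depends on the check it runs on inbound mail. The following is an added example, not code from this thread or from any provider, of that receiving-side evaluation: parse the sender domain's record, test SPF and DKIM results for identifier alignment, and derive the disposition. It takes the SPF/DKIM outcomes as already-computed inputs (constructed for the test), uses a last-two-labels approximation of the organizational domain rather than the Public Suffix List, and deliberately does not sample `pct=`.

```python
"""Receiving-side DMARC evaluation (RFC 7489 disposition logic).

Added example for this thread, not a provider's code.  SPF and DKIM have
already been verified; this module only decides alignment and policy.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Example records taken from the thread.
THREAD_RECORD = "v=DMARC1; p=quarantine; fo=1;"
GMAIL_LIKE_RECORD = "v=DMARC1; p=none"


@dataclass(frozen=True)
class AuthResults:
    """Constructed summary of what SPF/DKIM verification produced."""
    header_from: str                        # domain of the RFC5322.From header
    spf_pass_domain: Optional[str] = None   # MAIL FROM domain if SPF passed
    dkim_pass_domains: Tuple[str, ...] = () # d= of each DKIM signature that verified


def parse_dmarc(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict; v= and a usable p= are required."""
    tags = {}
    for item in txt.split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Simplification: organizational domain = last two labels.  Real receivers
    use the Public Suffix List so that e.g. co.uk is handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], header_from: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r', the default)
    only needs the same organizational domain."""
    if auth_domain is None:
        return False
    a, h = auth_domain.lower(), header_from.lower()
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def dmarc_disposition(record_txt: str, record_domain: str, auth: AuthResults):
    """Return (passed, action) where action is 'none', 'quarantine' or 'reject'.

    record_domain is where the record was found (_dmarc.<that domain>): either
    the From domain itself or, on fallback, its organizational domain.
    """
    tags = parse_dmarc(record_txt)
    spf_ok = aligned(auth.spf_pass_domain, auth.header_from, tags.get("aspf", "r"))
    dkim_ok = any(aligned(d, auth.header_from, tags.get("adkim", "r"))
                  for d in auth.dkim_pass_domains)
    if spf_ok or dkim_ok:
        return True, "none"
    # Failed.  sp= overrides p= when the record came from the organizational
    # domain but the From header is a subdomain of it.
    policy = tags["p"]
    if auth.header_from.lower() != record_domain.lower() and "sp" in tags:
        policy = tags["sp"]
    # pct= is not sampled here.  A pct below 100 means only that fraction of
    # failing mail gets the policy, which is a weaker posture, not a different one.
    return False, policy


if __name__ == "__main__":
    spoof = AuthResults("example.com")          # no SPF, no DKIM: a forged From
    print(dmarc_disposition(THREAD_RECORD, "example.com", spoof))      # quarantine
    print(dmarc_disposition(GMAIL_LIKE_RECORD, "example.com", spoof))  # none
```

The two `__main__` lines show the asymmetry the thread describes: under `p=none` a message with no aligned SPF or DKIM still gets action `none`, so the record documents spoofing without stopping it, and a receiver that never runs this evaluation gets the same result regardless of what it publishes.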