Conversation

I wonder how long it'll be before large companies require DNSSEC (and verify) + TLS for delivering email 2FA codes. My guess is never, despite the relative ease that those codes can be spied upon.
Need TLSA records (DANE) in addition to DNSSEC to provide TLS authentication for email. MTA-STS is a much weaker approach. It requires DNS records and an HTTPS web server, which it uses to fetch an mta-sts.txt file, similar to dynamic (no-preload) HSTS if you only used http:// URLs.
DANE is really easy to deploy if you're already using DNSSEC on the domains receiving mail and your MX domain(s). You just add a single TLSA record pinning the leaf key for the MX server's federation port, and then you can add another alongside it when phasing in a key for rotation.
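The TLSA pinning and two-record rotation described in the reply above, as an added example that is not part of the thread: it builds DANE-EE records for port 25 of an assumed MX host `mx.example.com` and checks which keys a DANE-aware sender would accept at each stage of a rotation. The key bytes are constructed stand-ins for real DER-encoded SubjectPublicKeyInfo blobs.

```python
# Added example (not from the thread): build and check DANE-EE TLSA records
# for an MX host, including the two-record key-rotation overlap.
# Only hashlib is used; the "SPKI" byte strings are constructed stand-ins
# for real DER-encoded SubjectPublicKeyInfo blobs.
import hashlib


def tlsa_rdata(spki_der, usage=3, selector=1, mtype=1):
    """Return the TLSA RDATA for one key. usage 3 = DANE-EE (pin the leaf),
    selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256."""
    if mtype == 1:
        data = hashlib.sha256(spki_der).hexdigest()
    elif mtype == 2:
        data = hashlib.sha512(spki_der).hexdigest()
    elif mtype == 0:
        data = spki_der.hex()  # full data, no hash
    else:
        raise ValueError("unknown TLSA matching type")
    return f"{usage} {selector} {mtype} {data}"


def spki_matches(records, presented_spki):
    """The check a DANE-aware sender does after STARTTLS on port 25: the
    leaf key the MX presented must match at least one published TLSA record.
    Only usage 3 / selector 1 records are considered, as in the reply."""
    for rr in records:
        usage, selector, mtype, data = rr.split()
        if usage != "3" or selector != "1":
            continue
        expected = tlsa_rdata(presented_spki, 3, 1, int(mtype)).split()[-1]
        if expected == data.lower():
            return True
    return False


def rotation_steps(current_spki, next_spki):
    """The three zone states of a rotation: current key only, both records
    published (keep this for at least one TLSA TTL before switching the
    certificate), then the next key only."""
    cur, nxt = tlsa_rdata(current_spki), tlsa_rdata(next_spki)
    return [[cur], [cur, nxt], [nxt]]


# Constructed sample keys, standing in for DER SPKI blobs.
CURRENT_KEY = b"constructed-spki-current"
NEXT_KEY = b"constructed-spki-next"

if __name__ == "__main__":
    for state in rotation_steps(CURRENT_KEY, NEXT_KEY):
        for rr in state:
            print("_25._tcp.mx.example.com. IN TLSA", rr)
        print("  current key accepted:", spki_matches(state, CURRENT_KEY),
              "| next key accepted:", spki_matches(state, NEXT_KEY))
```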
Yeah, I've run across PLENTY of mail servers that don't do retry. It's most common among spammers, but there are plenty of legitimate businesses that don't honor 4xx codes (or have a timeout so long it's useless).