I wonder how long it'll be before large companies require DNSSEC (and verify) + TLS for delivering email 2FA codes.
My guess is never, despite the relative ease with which those codes can be spied upon.
Need TLSA records (DANE) in addition to DNSSEC to provide TLS authentication for email.
MTA-STS is a much weaker approach. It requires DNS records and an HTTPS web server, which it uses to fetch an mta-sts.txt file; it is similar to dynamic (no-preload) HSTS if you only ever used http:// URLs.
Yes, I was thinking of mentioning TLSA records, but so many people don't even do the few things I mentioned. (I have TLSA records deployed for my mail server, but I don't know if my MTA will actually check and verify the TLSA record.)
On that last point, has anyone set up a server that has things like broken TLSA records, to test whether your server does proper verification of the different parts (bad DNSSEC record, mismatched TLSA record, etc.)? Seems like a useful thing to have.
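As an added example (not code from the thread, and not the verification logic of any particular MTA), here is an offline model of the DANE-for-SMTP check an MTA should perform before trusting a remote MX's certificate, including the failure cases asked about above: an unsigned or bogus TLSA lookup, a record whose hash does not match the presented key, and records with unusable parameters. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders standing in for real DER, and all names (`dane_verify`, `tlsa_rdata_for`, the outcome strings) are this example's own.

```python
"""
Offline model of the DANE (RFC 7672) check an SMTP client should perform on a
remote MX's certificate chain. Added example, not code from the thread or any
MTA. DER blobs below are constructed placeholders, not real certificates.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The chain as the MTA would see it in the TLS handshake:
# (certificate DER, SubjectPublicKeyInfo DER), end-entity first.
EE_CERT = b"constructed: mx.example.net end-entity certificate DER"
EE_SPKI = b"constructed: mx.example.net SubjectPublicKeyInfo DER"
CA_CERT = b"constructed: intermediate CA certificate DER"
CA_SPKI = b"constructed: intermediate CA SubjectPublicKeyInfo DER"
CHAIN: List[Tuple[bytes, bytes]] = [(EE_CERT, EE_SPKI), (CA_CERT, CA_SPKI)]


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact data, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse zone-file presentation format, e.g. '3 1 1 <hex digest>'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError(f"malformed TLSA rdata: {rdata!r}")
    usage, selector, matching = (int(f) for f in fields[:3])
    return TLSA(usage, selector, matching, bytes.fromhex("".join(fields[3:])))


def tlsa_rdata_for(spki_der: bytes) -> str:
    """Publishable DANE-EE record for a key: the same value as
    `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


def is_usable(t: TLSA) -> bool:
    # SMTP DANE uses only usages 2 and 3 (RFC 7672). Unknown selector or
    # matching-type values are rejected rather than silently treated as a pass.
    return t.usage in (2, 3) and t.selector in (0, 1) and t.matching in (0, 1, 2)


def association_data(t: TLSA, cert_der: bytes, spki_der: bytes) -> Optional[bytes]:
    """Compute what the record's data field should contain for this cert."""
    chosen = cert_der if t.selector == 0 else spki_der
    if t.matching == 0:
        return chosen
    if t.matching == 1:
        return hashlib.sha256(chosen).digest()
    if t.matching == 2:
        return hashlib.sha512(chosen).digest()
    return None


def tlsa_matches(t: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    expected = association_data(t, cert_der, spki_der)
    return expected is not None and hmac.compare_digest(expected, t.data)


def dane_verify(records: List[TLSA], chain: List[Tuple[bytes, bytes]],
                dnssec_secure: bool) -> str:
    """
    Outcome strings (this example's own vocabulary):
      'insecure'  TLSA RRset was not DNSSEC-validated (AD bit unset or bogus):
                  unsigned TLSA data must never be trusted, so act as if no
                  DANE records exist rather than "authenticating" against them
      'no-usable' RRset validated but contains no usable record
      'match'     a usable record authenticates the presented chain
      'mismatch'  usable records exist and none match: do not deliver
    """
    if not dnssec_secure:
        return "insecure"
    usable = [t for t in records if is_usable(t)]
    if not usable:
        return "no-usable"
    ee_cert, ee_spki = chain[0]
    for t in usable:
        # DANE-EE: the end-entity cert/key itself must match.
        if t.usage == 3 and tlsa_matches(t, ee_cert, ee_spki):
            return "match"
        # DANE-TA: some issuer in the presented chain must match.
        if t.usage == 2 and any(tlsa_matches(t, c, s) for c, s in chain[1:]):
            return "match"
    return "mismatch"


if __name__ == "__main__":
    good = parse_tlsa(tlsa_rdata_for(EE_SPKI))
    stale = parse_tlsa("3 1 1 " + hashlib.sha256(b"constructed: rotated-away key").hexdigest())
    print(dane_verify([good], CHAIN, dnssec_secure=True))
    print(dane_verify([stale], CHAIN, dnssec_secure=True))
    print(dane_verify([good], CHAIN, dnssec_secure=False))
```

The point of the four distinct outcomes is that a "mismatch" and an "insecure" lookup must not collapse into the same code path: the first means delivery has to be deferred, the second means DANE simply does not apply and the MTA falls back to whatever its non-DANE policy is. An MTA that quietly delivers on a mismatch is the failure the thread wants a test server for.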
Maybe havedane.net helps you a little bit. For some "bad" DNSSEC domains see workbench.sidnlabs.nl/bad-dnssec.html
Doubtful, as I want a service that accepts MTA requests to verify that the MTA verifies and bounces email when there are invalid records. That only verifies whether a domain is configured properly.
havedane.net gives you temporary addresses to send email and then checks if you have DANE verification based on which emails it receives.