xs4all enabled DANE outgoing verification

Bjørn Mork bjorn at mork.no
Mon Sep 3 14:25:32 CEST 2018


Viktor Dukhovni <ietf-dane at dukhovni.org> writes:

> For those publishing TLSA records for inbound DANE, please make *sure* that
> you're offering STARTTLS *unconditionally*, to all SMTP clients with no
> restrictions by client IP address or reputation.  Configurations that
> restrict STARTTLS to a set of "good" IPs are not compatible with DANE.

This is indeed an important point to consider.  Never thought of the
possibility that the same client would first fail TLS and then start
using DANE at some later point in time.

> If STARTTLS was disabled with some client IPs for interoperability reasons,
> resolve those first.

In a perfect world, yes.  But in practice: How do you do that?

I don't think it is realistic to offer STARTTLS without some local
exception list.  There are just too many buggy clients and ignorant
sysadmins.



Bjørn
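The failure mode Viktor describes and Bjørn worries about can be modelled offline. The following is an added example, not code from the thread or from any MTA: it parses TLSA records in presentation format, checks an EHLO response for the STARTTLS capability, and reports what a DANE-enforcing sender does when a domain publishes usable TLSA records (usage 2 or 3, per RFC 7672) but the MX withholds STARTTLS from that client. The hostnames, IP addresses, EHLO banners and TLSA digests are constructed sample data.

```python
"""Offline model of DANE SMTP client behaviour versus an MX with a STARTTLS
exception list.  Added example; all server names, IPs and digests are made up."""
import re

# RFC 7672: only DANE-TA (2) and DANE-EE (3) are usable for SMTP; PKIX usages
# 0 and 1 are treated as unusable because there is no trusted public CA set.
USABLE_USAGES = {2, 3}
# Matching type 1 = SHA-256 (64 hex chars), 2 = SHA-512 (128 hex chars).
DIGEST_HEX_LEN = {1: 64, 2: 128}


def parse_tlsa(record):
    """Parse '<usage> <selector> <mtype> <hex data>' into a tuple.
    Raises ValueError on anything a resolver would consider malformed."""
    parts = record.split()
    if len(parts) < 4:
        raise ValueError("TLSA record needs usage, selector, matching type, data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    data = "".join(parts[3:]).lower()  # zone files may split the hex blob
    if usage not in range(4) or selector not in range(2) or mtype not in range(3):
        raise ValueError("TLSA field out of range: %r" % record)
    if not re.fullmatch(r"[0-9a-f]*", data) or len(data) % 2:
        raise ValueError("TLSA data is not valid hex: %r" % record)
    if mtype in DIGEST_HEX_LEN and len(data) != DIGEST_HEX_LEN[mtype]:
        raise ValueError("TLSA digest length does not match matching type")
    return usage, selector, mtype, data


def usable_tlsa(records):
    """Return the parsed records a DANE SMTP client would actually enforce.
    Malformed or unsupported records are skipped, not fatal."""
    usable = []
    for rec in records:
        try:
            parsed = parse_tlsa(rec)
        except ValueError:
            continue
        if parsed[0] in USABLE_USAGES:
            usable.append(parsed)
    return usable


def ehlo_offers_starttls(ehlo_response):
    """True if a multi-line EHLO reply (RFC 5321 '250-' / '250 ' lines)
    advertises the STARTTLS extension from RFC 3207."""
    for line in ehlo_response.splitlines():
        m = re.match(r"250[- ](\S+)", line.strip())
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False


def dane_client_outcome(tlsa_records, ehlo_response):
    """What a DANE-enforcing sender does with this MX.

    'opportunistic': no usable TLSA, client behaves as before DANE.
    'dane-tls'     : usable TLSA and STARTTLS offered; TLS is mandatory and
                     the certificate must match a record (not modelled here).
    'dane-fail'    : usable TLSA but no STARTTLS; the client defers delivery
                     and does NOT fall back to cleartext.
    """
    if not usable_tlsa(tlsa_records):
        return "opportunistic"
    return "dane-tls" if ehlo_offers_starttls(ehlo_response) else "dane-fail"


def ehlo_for_client(client_ip, starttls_exceptions):
    """Constructed MX that withholds STARTTLS from an exception list of client
    IPs, i.e. the configuration the thread says is incompatible with DANE."""
    lines = ["250-mx.example.test", "250-SIZE 52428800", "250-8BITMIME"]
    if client_ip not in starttls_exceptions:
        lines.append("250-STARTTLS")
    lines.append("250 HELP")
    return "\r\n".join(lines)


# Constructed zone data: one PKIX-TA record (ignored) and one DANE-EE record.
SAMPLE_TLSA = ["1 1 1 " + "00" * 32, "3 1 1 " + "ab" * 32]
# Constructed exception list: a client that once had TLS trouble.
EXCEPTIONS = {"198.51.100.7"}


def outcome_by_client(client_ip, tlsa_records=SAMPLE_TLSA, exceptions=EXCEPTIONS):
    """Same MX, same TLSA records; only the client IP differs."""
    return dane_client_outcome(tlsa_records, ehlo_for_client(client_ip, exceptions))


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, "->", outcome_by_client(ip))
```

Once the client at 198.51.100.7 turns on DANE verification, the exception that was added to help it now causes every message from it to be deferred, because the published TLSA records make STARTTLS mandatory and the MX no longer offers it. The real-world version of this check is to run `openssl s_client -starttls smtp` or Postfix's `posttls-finger` against your own MX from each address on the exception list and confirm STARTTLS is advertised.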


More information about the dane-users mailing list