On 9/20/21 13:11, Viktor Dukhovni via Exim-users wrote:
> If you care about SMTP transport security, do DANE, but make sure you implement monitoring and a robust key rollover process. Just turning DANE on and neglecting it does nobody any good.
May be worth mentioning - Comcast will send TLS-RPT reports that include DANE information, and hopefully others follow. Given Microsoft already sends TLS-RPT reports, hopefully they do too when they roll out DANE for outbound mail "this year" [1].
Of course, don't rely on third parties exclusively for your monitoring, especially not if they can't send you mail when things go down, but it may be helpful to configure.
Matt

[1] https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=dnssec
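
An added example, not part of the message above and not code from Exim or any reporting sender: a small Python reader for the TLS-RPT reports mentioned in the reply, pulling out the DANE ("tlsa") policy entries and their failure counts. Field names and result types follow RFC 8460; the sample report, `example.org` names and counts are constructed.

```python
import gzip
import json
# DANE-related result types from RFC 8460, section 4.3.2.2.
DANE_FAILURES = {"tlsa-invalid", "dnssec-invalid", "dane-required"}

def load_report(blob: bytes) -> dict:
    """Decode a TLS-RPT attachment; reports are often gzip-compressed JSON."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic bytes
        blob = gzip.decompress(blob)
    return json.loads(blob)

def dane_summary(report: dict) -> list:
    """One row per DANE ("tlsa") policy, with failures grouped by MX and type."""
    rows = []
    for entry in report.get("policies", []):
        policy = entry.get("policy", {})
        if policy.get("policy-type") != "tlsa":
            continue  # MTA-STS ("sts") and "no-policy-found" entries are skipped
        failures = {}
        for d in entry.get("failure-details", []):
            key = (d.get("receiving-mx-hostname", "?"), d.get("result-type", "?"))
            failures[key] = failures.get(key, 0) + d.get("failed-session-count", 0)
        summary = entry.get("summary", {})
        rows.append({
            "domain": policy.get("policy-domain"),
            "ok": summary.get("total-successful-session-count", 0),
            "failed": summary.get("total-failure-session-count", 0),
            "failures": failures,
            "dane_broken": any(rt in DANE_FAILURES for _, rt in failures),
        })
    return rows

# Constructed sample report (not real data): one DANE policy, one MTA-STS policy.
SAMPLE = gzip.compress(json.dumps({
    "organization-name": "Sender Example", "report-id": "constructed-0001",
    "policies": [
        {"policy": {"policy-type": "tlsa", "policy-domain": "example.org",
                    "mx-host": ["mx1.example.org"]},
         "summary": {"total-successful-session-count": 120,
                     "total-failure-session-count": 4},
         "failure-details": [{"result-type": "tlsa-invalid",
                              "receiving-mx-hostname": "mx1.example.org",
                              "failed-session-count": 4}]},
        {"policy": {"policy-type": "sts", "policy-domain": "example.org"},
         "summary": {"total-successful-session-count": 120, "total-failure-session-count": 0}},
    ]}).encode())

if __name__ == "__main__":
    for row in dane_summary(load_report(SAMPLE)):
        print(row)
```

A `dane_broken` row is the signal to check the published TLSA records against the certificate the MX actually serves, which is the key-rollover failure the quoted advice warns about.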
