ScottPeterJohnson / purelymail-issues

Issues repository for the Purelymail email service.

DNSSEC, and DANE support #124

Open GreenBeard opened 1 year ago

GreenBeard commented 1 year ago

I'm not an expert on email, but my basic understanding is that normally server-to-server emails aren't very secure, and that as certain features of DMARC, DKIM, and SPF rely upon accurate DNS records, they are vulnerable to the many attacks against DNS infrastructure unless DNSSEC is used. Further, my understanding of server-to-server email encryption is that it is by default opportunistic, and therefore vulnerable to downgrade attacks. I would also therefore like to request support for DANE to ensure that no one can read email messages in transit between servers (for example, Microsoft is slowly adding support for this to the emails that they manage: https://techcommunity.microsoft.com/t5/exchange-team-blog/releasing-outbound-smtp-dane-with-dnssec/ba-p/3100920).

I apologize if this should really be separated into two issues instead of one (I can do that if you want, or feel free to do it yourself). The issues seemed connected enough to be worth posting together to me.

Edit: see https://dnsviz.net/d/purelymail.com/dnssec/

ScottPeterJohnson commented 1 year ago

I'd be happy to implement DANE, though I'm not sure what it'd require yet or how it's different from MTA-STS, which seems to do some of the same thing. As far as I can tell, DANE might actually work without requiring us to procure an SSL record for customer domains yet, which is nice, though it seems like the DANE record might have to update every time our SSL certificate changes? Not sure.

Route53 does seem to support DNSSEC now, so enabling that might be pretty easy, at least for ultimate DNS records hosted by us. I'll take a look at that soon; I'm not sure if there are any gotchas there.

ebblake commented 7 months ago

In addition to DNSSEC and DANE, https://internet.nl/mail/purelymail.com/1082679/ also recommends that you add an AAAA record for IPv6 connectivity, and that you tweak TLS settings to use a stronger hash.

catharsis71 commented 6 months ago

Just enabling DNSSEC would be a great benefit even if you do nothing else, and is generally quite easy to do, especially if your domain registrar is also your DNS provider, which it appears to be for purelymail.com. They might have a one-button setup; otherwise it's like a 2-minute setup, copy/pasting a few values from the registrar to the DNS provider.

DANE is more complicated to set up.

Kreeblah commented 2 months ago

I'd really like to see DNSSEC support added to purelymail.com as well, especially since it should be pretty easy to set up as long as your DNS host supports it. It's something that really does just take a few minutes to do.

DANE would be nice, too, but it looks like it would require more active maintenance unless you can automate it when you rotate the mail server's TLS cert.
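Both ScottPeterJohnson's question ("the DANE record might have to update every time our SSL certificate changes?") and Kreeblah's note about automating it on certificate rotation come down to which TLSA parameters are published. The script below is an added example, not code from this thread or from Purelymail: it builds two structurally valid but fake DER certificates (constructed here, with a stand-in public key rather than a real one) that share a SubjectPublicKeyInfo, the way a renewed certificate that reuses its private key does, and shows that a `3 1 1` record (DANE-EE, SPKI selector, SHA-256) stays identical across the renewal while a `3 0 1` record (whole-certificate hash) does not. `mail.example.com` is a placeholder MX hostname, not Purelymail's. Only the Python standard library is used; the DER walker is deliberately minimal and handles just the Certificate layout from RFC 5280 needed to find subjectPublicKeyInfo.

```python
import hashlib

# --- Minimal DER helpers: enough to build and walk an X.509 Certificate ---

def der_len(n: int) -> bytes:
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf: bytes, pos: int):
    """Decode the element at buf[pos]; return (tag, body, end_offset)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


SEQ, INT, OID, NULL, BITSTR, UTCTIME, EXPLICIT_0 = 0x30, 0x02, 0x06, 0x05, 0x03, 0x17, 0xA0
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
DEMO_KEY = bytes(range(64))   # constructed stand-in for public key bits, not a real key


def make_test_cert(serial: int, key_bits: bytes) -> bytes:
    """Build a fake but well-formed Certificate (constructed for this demo; serial < 128).
    Two calls with the same key_bits share a SubjectPublicKeyInfo, like a renewed
    certificate that kept its private key."""
    alg = tlv(SEQ, tlv(OID, RSA_ENCRYPTION_OID) + tlv(NULL, b""))
    spki = tlv(SEQ, alg + tlv(BITSTR, b"\x00" + key_bits))
    validity = tlv(SEQ, tlv(UTCTIME, b"240101000000Z") + tlv(UTCTIME, b"250101000000Z"))
    tbs = tlv(SEQ,
              tlv(EXPLICIT_0, tlv(INT, b"\x02"))          # [0] version v3
              + tlv(INT, bytes([serial]))                 # serialNumber
              + alg                                       # signature algorithm
              + tlv(SEQ, b"")                             # issuer (empty for the demo)
              + validity
              + tlv(SEQ, b"")                             # subject (empty for the demo)
              + spki)
    return tlv(SEQ, tbs + alg + tlv(BITSTR, b"\x00" + bytes(32)))   # fake signature


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER bytes of subjectPublicKeyInfo, the data TLSA selector 1 covers."""
    tag, cert_body, _ = read_tlv(cert_der, 0)
    if tag != SEQ:
        raise ValueError("not a DER Certificate")
    _, tbs, _ = read_tlv(cert_body, 0)                   # tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs):
        start = pos
        ftag, _, pos = read_tlv(tbs, pos)
        fields.append((ftag, tbs[start:pos]))
    if fields and fields[0][0] == EXPLICIT_0:            # optional [0] version
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    ftag, spki = fields[5]
    if ftag != SEQ:
        raise ValueError("unexpected tbsCertificate layout")
    return spki


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Render TLSA rdata for a certificate; default is '3 1 1' (DANE-EE, SPKI, SHA-256)."""
    data = extract_spki(cert_der) if selector == 1 else cert_der
    if mtype == 0:
        assoc = data                                     # full data, no hash
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {assoc.hex()}"


def tlsa_owner(mx_host: str, port: int = 25) -> str:
    """Owner name at which a sending MTA looks up TLSA records for an MX host."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."


def tlsa_matches(cert_der: bytes, record: str) -> bool:
    """Check a presented leaf certificate against one DANE-EE (usage 3) TLSA record."""
    usage, selector, mtype, assoc = record.split()
    if int(usage) != 3:
        raise ValueError("only DANE-EE (usage 3) is handled; usage 2 needs chain checks")
    expected = tlsa_rdata(cert_der, 3, int(selector), int(mtype)).split()[3]
    return expected == assoc.lower()


if __name__ == "__main__":
    old = make_test_cert(1, DEMO_KEY)
    new = make_test_cert(2, DEMO_KEY)        # "renewed" certificate, same key
    print(tlsa_owner("mail.example.com"), "IN TLSA", tlsa_rdata(old))
    print("3 1 1 record still matches after renewal:", tlsa_matches(new, tlsa_rdata(old)))
    print("3 0 1 record would need updating:", tlsa_rdata(old, 3, 0, 1) != tlsa_rdata(new, 3, 0, 1))
```

The practical takeaway for an operator is that a `3 1 1` record only has to change when the private key changes, so an ACME renewal that reuses the key (certbot's `--reuse-key`, for example) leaves the published record valid; when the key does roll, RFC 7671 advises publishing the new TLSA record alongside the old one for at least a TTL before switching the certificate, so that resolvers caching the old record set still match. The `tlsa_matches` helper only implements the DANE-EE case because that is the form the TLSA record in this example publishes; a `2 1 1` (DANE-TA) record is matched against a CA certificate in the presented chain instead, and a full verifier also requires the TLSA lookup itself to be DNSSEC-validated, which is why the two requests in this thread go together.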