Mail autoconfig protocol allows email clients to automatically configure email accounts. This report creates the RFC to standardize the protocol within the IETF.
DNS SRV is just as insecure as HTTP.
Everybody immediately screams "insecure!!!!" when they see HTTP, but then the very same persons want support for DNS SRV.
(DNSSEC is not helping, because it's deployed in less than 1% of the domains, and shrinking.)
DNS SRV does not give me all the necessary info for autoconfig. I don't know which authentication methods actually work (see the note in the spec why IMAP/SMTP CAPABILITIES do not help), I don't know the username form, and lots of other info that is in autoconfig. I cannot get a working config with DNS SRV. DNS SRV being insufficient is the whole reason why we need autoconfig.
We could invent a new SRV server record that points to autoconfig. Given that it would be new, support by mail providers would be very very limited. And it's an additional lookup.
DNS SRV is a very old standard, but nonetheless still not very widely deployed on the "long tail" of domains. For large ISPs, we have https://autoconfig.domain and the ISPDB.
DNS MX gives me the same information (in 99.5% of the cases), and it's available on 100% of the domains.
It's the combination of all these factors (but particularly 1 and 2) which make DNS SRV very unattractive.
We already make over a dozen server requests for a single email address autoconfig. We need to limit the number of queries. If a query doesn't significantly add to the detection rates, nor helps with an important case, it shouldn't be in the spec.
Why do we not support DNS SRV:
DNS SRV is just as insecure as HTTP. Everybody immediately screams "insecure!!!!" when they see HTTP, but then the very same persons want support for DNS SRV. (DNSSEC is not helping, because it's deployed in less than 1% of the domains, and shrinking.)
DNS SRV does not give me all the necessary info for autoconfig. I don't know which authentication methods actually work (see the note in the spec why IMAP/SMTP CAPABILITIES do not help), I don't know the username form, and lots of other info that is in autoconfig. I cannot get a working config with DNS SRV. DNS SRV being insufficient is the whole reason why we need autoconfig. We could invent a new SRV server record that points to autoconfig. Given that it would be new, support by mail providers would be very very limited. And it's an additional lookup.
DNS SRV is a very old standard, but nonetheless still not very widely deployed on the "long tail" of domains. For large ISPs, we have https://autoconfig.domain and the ISPDB.
DNS MX gives me the same information (in 99.5% of the cases), and it's available on 100% of the domains.
It's the combination of all these factors (but particularly 1 and 2) which make DNS SRV very unattractive.
We already make over a dozen server requests for a single email address autoconfig. We need to limit the number of queries. If a query doesn't significantly add to the detection rates, nor helps with an important case, it shouldn't be in the spec.