Open mikedlr opened 10 months ago
This awaits a financial decision.
According to this answer Gandi supports DANE at least to some extent. They have an okay reputation so might be worth trying.
https://serverfault.com/questions/1045014/dnssec-dns-domain-providers-that-enable-dane-dns-records Also Cloudflare: https://community.cloudflare.com/t/support-for-tlsa-dane-proto/9881?page=2
OVH is also recorded as being able to provide DANE, but it is not clear if a server there is needed: https://schnouki.net/post/2014/tlsa-records-on-ovh/
I use OVH to host several domains, including a SG clone. You do not need your server to be hosted by them.
Furthermore, the domain of my SG clone is fully DANE-compliant - OVH allows the creation of all necessary DNS records. DNS operations can also be automated via API :-).
And since we are talking about securing spamgourmet, OVH also has the necessary APIs to integrate with Let's Encrypt - I arranged things so my TLS certificate is automatically renewed as per Let's Encrypt guidelines.
Thanks Vasile, I'll look into OVH.
In order to get email accepted by various mail providers, spamgourmet should support the DANE protocol, which requires DNS support.
This ticket exists to gather discussions for the development team for improvement and to gather support on fixing that. There is lots of discussion in the BBS which covers this and should be linked.
The DKIM/DMARC ticket should also be taken into account https://github.com/spamgourmet/spamgourmet/issues/28