On 9/20/21 13:11, Viktor Dukhovni via Exim-users wrote:
> If you care about SMTP transport security, do DANE, but make sure you
> implement monitoring and a robust key rollover process. Just turning
> DANE on and neglecting it does nobody any good.
May be worth mentioning - Comcast will send TLS-RPT reports that include DANE information, and
hopefully others follow. Given Microsoft already sends TLS-RPT reports, hopefully they do too when
they roll out DANE for outbound mail "this year" [1].

Of course, don't rely on third parties exclusively for your monitoring, especially not if they can't
send you mail when things go down, but it may be helpful to configure.

Matt
[1] https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=dnssec
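
Added example, not part of the original message: a small Python summariser that pulls the DANE results out of a TLS-RPT JSON report (RFC 8460 format) so TLSA or DNSSEC failures stand out from ordinary certificate errors. It assumes the report has already been extracted from the mail and decompressed; the sample report, domain names and the `dane_summary` helper are constructed for illustration.

```python
import json

# Reports arrive only if the receiving domain publishes a TLS-RPT record, e.g.
#   _smtp._tls.example.org. IN TXT "v=TLSRPTv1; rua=mailto:tlsrpt@example.org"
# (example.org and the mailbox are placeholders).

# DANE-specific failure result types defined in RFC 8460.
DANE_RESULT_TYPES = {"tlsa-invalid", "dnssec-invalid", "dane-required"}

# Constructed sample report, not real data; field names follow RFC 8460.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender",
    "report-id": "constructed-0001",
    "policies": [
        {"policy": {"policy-type": "tlsa", "policy-domain": "example.org",
                    "mx-host": ["mx1.example.org"]},
         "summary": {"total-successful-session-count": 120,
                     "total-failure-session-count": 7},
         "failure-details": [
             {"result-type": "tlsa-invalid", "failed-session-count": 5,
              "receiving-mx-hostname": "mx1.example.org"},
             {"result-type": "certificate-expired", "failed-session-count": 2,
              "receiving-mx-hostname": "mx1.example.org"}]},
        {"policy": {"policy-type": "sts", "policy-domain": "example.org"},
         "summary": {"total-successful-session-count": 40,
                     "total-failure-session-count": 0}},
    ],
})

def dane_summary(report_json):
    """Return per-domain session counts for DANE (policy-type "tlsa") entries."""
    results = []
    for entry in json.loads(report_json).get("policies", []):
        policy = entry.get("policy", {})
        if policy.get("policy-type") != "tlsa":
            continue  # MTA-STS and no-policy-found entries are not DANE results
        counts = {}
        for detail in entry.get("failure-details", []):
            kind = detail.get("result-type", "unknown")
            counts[kind] = counts.get(kind, 0) + detail.get("failed-session-count", 0)
        summary = entry.get("summary", {})
        results.append({
            "domain": policy.get("policy-domain"),
            "ok": summary.get("total-successful-session-count", 0),
            "failed": summary.get("total-failure-session-count", 0),
            # Failures that point at TLSA records or DNSSEC, e.g. after a key rollover
            "dane": {k: v for k, v in counts.items() if k in DANE_RESULT_TYPES},
            "other": {k: v for k, v in counts.items() if k not in DANE_RESULT_TYPES},
        })
    return results
```

A non-empty `dane` dictionary is the signal worth alerting on; entries in `other` are TLS negotiation failures unrelated to the published TLSA records.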