Until roughly today, at least the primary MX host for "exim.org" had DANE TLSA records. Today, they're gone (I hope temporarily). And ideally (subject to real world constraints, and all that), it would even be good for the secondary MX to be signed and have TLSA RRs.

    ; NOERROR AD=1
    exim.org. IN MX 10 cumin.exim.org.
    exim.org. IN MX 15 mx2.wizmail.org.
    ; NOERROR AD=1
    cumin.exim.org. IN A 37.120.190.30
    ; NOERROR AD=1
    cumin.exim.org. IN AAAA 2a03:4000:6:b381::2
    ; NXDOMAIN AD=1
    _25._tcp.cumin.exim.org. IN TLSA ?
    ; NOERROR AD=0
    mx2.wizmail.org. IN A 85.158.153.59
    ; NOERROR AD=0
    mx2.wizmail.org. IN AAAA 2a00:1940:2:3::2:59

And of course, if DANE is to be done, take your time, do it well (monitoring, and a robust rollover process).

--
    Viktor.
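A monitoring check of the kind mentioned above, as an added example that is not part of the original message: it parses resolver output in the format quoted there (assumed to be one record per line) and classifies each MX host. The function names and status labels are this example's own.

```python
import re

# Resolver output quoted in the message above, one record per line.
SAMPLE = """\
; NOERROR AD=1
exim.org. IN MX 10 cumin.exim.org.
exim.org. IN MX 15 mx2.wizmail.org.
; NOERROR AD=1
cumin.exim.org. IN A 37.120.190.30
; NOERROR AD=1
cumin.exim.org. IN AAAA 2a03:4000:6:b381::2
; NXDOMAIN AD=1
_25._tcp.cumin.exim.org. IN TLSA ?
; NOERROR AD=0
mx2.wizmail.org. IN A 85.158.153.59
; NOERROR AD=0
mx2.wizmail.org. IN AAAA 2a00:1940:2:3::2:59
"""

STATUS = re.compile(r"^;\s*(\w+)\s+AD=([01])$")

def parse(text):
    """Return (rcode, ad, owner, rrtype, rdata) for every record line."""
    rows, rcode, ad = [], None, False
    for line in map(str.strip, text.splitlines()):
        m = STATUS.match(line)
        if m:
            rcode, ad = m.group(1), m.group(2) == "1"
        elif line:
            owner, _cls, rrtype, rdata = line.split(None, 3)
            rows.append((rcode, ad, owner.lower(), rrtype, rdata))
    return rows

def dane_status(text, port=25):
    """Classify each MX host by whether DANE can protect delivery to it."""
    rows, report = parse(text), {}
    for host in [r[4].split()[1].lower() for r in rows if r[3] == "MX"]:
        addr = [r for r in rows if r[2] == host and r[3] in ("A", "AAAA")]
        tlsa = [r for r in rows if r[2] == f"_{port}._tcp.{host}" and r[3] == "TLSA"]
        if not addr or not all(r[1] for r in addr):
            report[host] = "unsigned"            # no validated address: DANE n/a
        elif any(r[0] not in ("NOERROR", "NXDOMAIN") for r in tlsa):
            report[host] = "tlsa-lookup-failed"  # e.g. SERVFAIL: alert, not "no DANE"
        elif any(r[1] and r[4] != "?" for r in tlsa):
            report[host] = "dane"
        else:
            report[host] = "signed-no-tlsa"      # the regression this message reports
    return report
```

Alerting on any transition away from "dane" for a host that previously had it catches the situation described here; a host with no TLSA query in the input also reports "signed-no-tlsa".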