From last week: "While it seems that Gmail is the current example of MTA-STS-only, that could always change. We still have tons of providers that support neither, and I'd take either as a step above Opportunistic TLS."

Grabbing a sample of "large" rcpt domains from our platforms for the past 24hrs, we can see who has which policies:

Domain            TLSA/DANE   MTA-STS       TLSRPT (requesting, not sending)
gmail.com         N           Y             Y
yahoo.com         N           Y (testing)   Y
hotmail.com       N           Y             Y
aol.com           N           N             N
outlook.com       N           Y             Y
icloud.com        N           N             N
me.com            N           N             N
msn.com           N           N             N
verizon.net       N           N             N
att.net           N           N             N
sbcglobal.net     N           N             N
live.com          N           Y             Y
mac.com           N           N             N
bellsouth.net     N           N             N
protonmail.com    Y           Y             Y

As we're largely people sending to people, this doesn't take into account the oodles of corporations that haven't gotten anywhere near DANE or MTA-STS. I'm happy to provide further statistics as to what we're seeing while sending, but I don't think we're ready to pretend that MTA-STS doesn't have a place in securing message transmission above the level which "Opportunistic TLS" provides.

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

> -----Original Message-----
> From: mailop <mailop-boun...@mailop.org> On Behalf Of Matt Corallo via mailop
> Sent: Wednesday, April 27, 2022 11:40 PM
> To: Jesse Hathaway <je...@mbuki-mvuki.org>; mailop@mailop.org
> Subject: [EXTERNAL] Re: [mailop] Troubleshooting MTA-STS reports
>
> Not to flame but...why bother?
>
> At this point TLSA/DANE is enforced on mail coming from a number of the Big
> Players, and most open source mail stacks by default (well, some you have to
> opt in to indicate your DNSSEC resolver is behaving correctly).
>
> AFAIK, the *only* shop that enforces the rube-goldberg machine that is
> MTA-STS that doesn't also enforce TLSA/DANE is Google. And skipping it
> avoids the pain of setting up a number of steps and, for some reason,
> introducing an HTTP server into your mail-receiving stack?!
>
> Matt
>
> On 4/26/22 12:31 PM, Jesse Hathaway via mailop wrote:
> > Hello mailopers,
> >
> > I am trying to set up MTA-STS for my domain. I thought I had everything
> > configured correctly, in testing mode, but I never receive any reports
> > via TLSRPT. If anyone has any advice on how to troubleshoot, that
> > would be greatly appreciated.
> >
> > Yours kindly, Jesse Hathaway
> >
> > My current config
> >
> > $ dig +short txt _mta-sts.mbuki-mvuki.org
> > "v=STSv1; id=20220404T193755Z;"
> >
> > $ curl https://mta-sts.mbuki-mvuki.org/.well-known/mta-sts.txt
> > version: STSv1
> > mode: testing
> > mx: aspmx.l.google.com
> > mx: *.aspmx.l.google.com
> > max_age: 86400
> > _______________________________________________
> > mailop mailing list
> > mailop@mailop.org
> > https://list.mailop.org/listinfo/mailop
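As an added example (not code from the thread or from any of its participants), the following Python script parses the two artifacts quoted in Jesse's post, the `_mta-sts` TXT record and the `mta-sts.txt` policy file, plus a TLSRPT record in the `v=TLSRPTv1; rua=...` form RFC 8460 defines, validates them, and checks a list of MX hostnames against the policy's `mx` patterns the way a sending MTA would (a `*.` wildcard matches exactly one leftmost label, so `*.aspmx.l.google.com` does not match `aspmx.l.google.com` itself, which is why the policy lists both). The policy text is the one quoted above; the MX host list and the TLSRPT `rua` address are constructed for illustration. The script does no DNS or HTTPS lookups, so it runs offline.

```python
# Constructed sample input. The TXT record and policy are the ones quoted in
# the thread (mbuki-mvuki.org); the TLSRPT record and MX list are made up here.
SAMPLE_STS_TXT = "v=STSv1; id=20220404T193755Z;"
SAMPLE_POLICY = """version: STSv1
mode: testing
mx: aspmx.l.google.com
mx: *.aspmx.l.google.com
max_age: 86400
"""
SAMPLE_TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tlsrpt@example.invalid"  # constructed
SAMPLE_MX_HOSTS = ["aspmx.l.google.com", "alt1.aspmx.l.google.com", "mail.example.invalid"]


def _parse_semicolon_fields(record: str) -> dict:
    """Split a 'k=v; k=v;' TXT record into a dict (shared by MTA-STS and TLSRPT)."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        k, v = part.split("=", 1)
        fields[k.strip()] = v.strip()
    return fields


def parse_sts_txt(record: str) -> dict:
    """Validate the _mta-sts.<domain> TXT record: needs v=STSv1 and a non-empty id."""
    fields = _parse_semicolon_fields(record)
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid MTA-STS TXT record")
    return fields


def parse_tlsrpt_txt(record: str) -> dict:
    """Validate the _smtp._tls.<domain> TXT record: needs v=TLSRPTv1 and at least one rua URI."""
    fields = _parse_semicolon_fields(record)
    if fields.get("v") != "TLSRPTv1" or not fields.get("rua"):
        raise ValueError("not a valid TLSRPT record (no rua means nobody can send you reports)")
    fields["rua"] = [u.strip() for u in fields["rua"].split(",") if u.strip()]
    return fields


def parse_policy(text: str) -> dict:
    """Parse mta-sts.txt. 'mx' may repeat; every other key may appear once."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {line!r}")
        k, v = (s.strip() for s in line.split(":", 1))
        if k == "mx":
            policy["mx"].append(v.lower())
        elif k in policy:
            raise ValueError(f"duplicate key: {k}")
        else:
            policy[k] = v
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {policy.get('mode')!r}")
    try:
        policy["max_age"] = int(policy["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age must be an integer number of seconds")
    # This script's own rule: a policy that can be enforced or tested must name at least one MX.
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy in enforce/testing mode lists no mx")
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """An mx pattern matches exactly, or its leading '*.' stands in for exactly one label."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # e.g. ".aspmx.l.google.com"
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return host == pattern


def evaluate(policy: dict, mx_hosts) -> dict:
    """Classify each MX host as permitted or rejected by the policy, and say what the mode implies."""
    permitted, rejected = [], []
    for h in mx_hosts:
        (permitted if any(mx_matches(p, h) for p in policy["mx"]) else rejected).append(h)
    # In 'testing' mode a mismatch is only reported via TLSRPT; in 'enforce' mode delivery fails.
    return {
        "mode": policy["mode"],
        "permitted": permitted,
        "rejected": rejected,
        "delivery_would_fail": bool(rejected) and policy["mode"] == "enforce",
    }


if __name__ == "__main__":
    print(parse_sts_txt(SAMPLE_STS_TXT))
    print(parse_tlsrpt_txt(SAMPLE_TLSRPT_TXT))
    print(evaluate(parse_policy(SAMPLE_POLICY), SAMPLE_MX_HOSTS))
```

The practical use is the troubleshooting step the thread is about: feed in what `dig` and `curl` actually return for your domain, and the script tells you whether the records parse at all and whether every MX your zone publishes is covered by an `mx` pattern, which in `testing` mode is exactly what a TLSRPT report would otherwise have to tell you after the fact.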