It appears that Michael Thomas via NANOG <[email protected]> said:
>
>On 5/18/25 4:09 PM, Randy Bush via NANOG wrote:
>>> I think that most contemporary MTAs use some form of (weak)
>>> authenticated identity. The most common that I see is reverse DNS
>>> with forward DNS confirmation. A less common form of (client)
>>> authentication is username & password.
>> DANE
>
>DKIM, actually.

No, really DANE. If you publish TLSA records for your mail server's certs, and you screw up and the TLSA doesn't match the cert, mail clients that do DANE, such as Comcast's, won't send you mail. That's pretty strong.

MTA-STS does the same thing more kludgily for people who don't like DNSSEC.

R's,
John

PS: You can guess how I learned about that.
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/M4IZ5A3BQOE2J2HOF7U3XFZVR6KZZQ2W/
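
Added example, not part of the message above or of any list member's code: a pre-deployment check that a certificate still matches a published TLSA record, the mismatch described in the message. The function names and the certificate-shaped sample bytes are constructed for illustration; the selector and matching-type values are those of RFC 6698.

```python
import hashlib

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_cert(cert_der):
    """Extract the DER SubjectPublicKeyInfo (TLSA selector 1) from a cert."""
    _, start, _ = _tlv(cert_der, 0)            # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, start)          # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                            # optional [0] version
        pos = end
    for _ in range(5):          # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)
    return cert_der[pos:end]

def tlsa_data(cert_der, selector, mtype):
    """Hex association data for selector 0 (cert) / 1 (SPKI), type 0/1/2."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:
        return data.hex()
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], data).hexdigest()

def tlsa_matches(cert_der, rdata):
    """rdata is zone-file style: 'usage selector mtype hex [hex ...]'."""
    _usage, selector, mtype, *hexparts = rdata.split()
    want = "".join(hexparts).lower()
    return tlsa_data(cert_der, int(selector), int(mtype)) == want

def _der(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(key):
    """CONSTRUCTED certificate-shaped DER (not a valid cert) wrapping `key`."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + key))
    empty = _der(0x30, b"")     # stand-ins for sigalg/issuer/validity/subject
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + empty * 4 + spki)
    return _der(0x30, tbs + empty + _der(0x03, b"\x00"))
```

Running tlsa_matches() against the new certificate before it goes live on the MX catches a key change that the published "3 1 1" record does not yet cover.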
