Ask HN: Which SMTP SaaS Supports DANE?
There are plenty of SMTP providers out there ... AWS SES, Postmark, Sendgrid...
But is there any provider out there which supports DANE on outgoing email, ie. enforcing STARTTLS if the recipient domain requests so ?
(It seems governments and domain name registries love talking about DANE, but few actual email providers care to implement it)
4 comments
[ 2.5 ms ] story [ 12.1 ms ] threadHave you tested with a target SMTP server that is:
a. Properly configured for DANE
b. Misconfigured (eg. TLSA record conflicts what the server requires for TLS) to simulate MITM attack
c. Unconfigured to simulate downgrade attack
In essence, it seems simple enough that I would expect all larger providers to respect DANE, so I am curious what makes you think they aren't?
DANE requires a provider to validate DNSSEC. I know not all of them do that. DANE takes it even a step further, so I'm going to assume even fewer providers implement that
Microsoft specifically announced it last februari for Exchange Online (not really a SMTP SaaS like eg. send grid) so it's special enough that it's worthy of an announcement - https://techcommunity.microsoft.com/t5/exchange-team-blog/re...
I emailed postmark if they supported STARTTLS/DANE, they replied they supported opportunistic STARTTLS. Not an outright "No" but might be a failure to understand the questions
So plenty of reasons to not assume DANE is implemented unless a provider can actually confirm it is.
I am now definitely curious, though I can't promise I'll find the time to set up the servers either.
DANE on top of DNSSEC is merely a policy (retry rules and no fallback to unencrypted comms), so it is relatively simple to implement — though you are right that this doesn't mean it is!
I think adding gmail as the largest email provider to your list of mail services to check is also useful.