- Enforce encrypted mail transport (TLS) between SMTP servers
- Protect against downgrade and attacker-in-the-middle attacks that would otherwise cause email to be sent unencrypted
- Publish security policies that tell other mail servers how to connect securely
- Work alongside TLS Reporting (TLS-RPT) to give visibility into delivery and policy enforcement issues
DANE depends on DNSSEC, which is ideal if DNSSEC is already deployed. If not, MTA-STS may be easier to deploy, since it leverages trust in public PKI certificates instead.
Note that EOP supports both DANE and MTA-STS.
The relevant RFCs for these standards are:
- DANE (DNS-Based Authentication of Named Entities) for SMTP - RFC 7672
- MTA-STS (SMTP MTA Strict Transport Security) - RFC 8461
OK, that's enough background. Here is how to view the TLS-RPT record in DNS.
Interactive
In this interactive example we start nslookup and then set the query type to txt.
nslookup.exe
set q=txt
_SMTP._TLS.tailspintoys.ca

Non-Interactive
For this example, a single command is issued that performs the query directly from the cmd shell.
NSLookup.exe -q=txt _SMTP._TLS.Tailspintoys.ca

NB - Common Issues
Note that we need to specify the TXT record type, as that is the record type used for TLS reporting records.
The other difference compared to looking up DMARC records is that the TLS reporting structure uses an extra subdomain label.
The name to query is _SMTP._TLS.tailspintoys.ca
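Once the TXT record is returned, it helps to know what a valid TLS-RPT value looks like. The following is an added example, not code from the original post: it builds the `_smtp._tls.<domain>` query name and parses a constructed record value according to the RFC 8460 format (version tag first, a required `rua` tag whose URIs must be `mailto:` or `https:`). The sample record and the `tlsrpt.example.invalid` host are made up for illustration.

```python
# Added example: build the TLS-RPT query name and sanity-check a TLS-RPT
# (RFC 8460) TXT record value. The record below is constructed, not fetched
# from DNS; replace it with the string nslookup returns for your domain.
from urllib.parse import urlparse

SAMPLE_RECORD = (
    "v=TLSRPTv1; "
    "rua=mailto:tlsrpt@tailspintoys.ca,https://tlsrpt.example.invalid/report"
)


def tlsrpt_query_name(domain: str) -> str:
    """Return the DNS owner name that holds the TLS-RPT TXT record."""
    return f"_smtp._tls.{domain.strip().rstrip('.').lower()}"


def parse_tlsrpt(txt: str) -> dict:
    """Parse a TLS-RPT TXT record value into its tags.

    Raises ValueError when the record is malformed: the version tag must come
    first and be TLSRPTv1, a rua tag is required, and every rua URI must use
    the mailto: or https: scheme. Unknown tags are kept under 'extensions'.
    """
    tags = [part.strip() for part in txt.split(";") if part.strip()]
    # RFC 8460 allows optional whitespace around '=' in the version tag.
    if not tags or tags[0].replace(" ", "") != "v=TLSRPTv1":
        raise ValueError("record must start with v=TLSRPTv1")
    parsed = {"v": "TLSRPTv1", "rua": []}
    for tag in tags[1:]:
        name, sep, value = tag.partition("=")
        if not sep:
            raise ValueError(f"tag without a value: {tag!r}")
        name, value = name.strip().lower(), value.strip()
        if name == "rua":
            # rua is a comma-separated list of report destinations.
            for uri in (u.strip() for u in value.split(",")):
                if urlparse(uri).scheme.lower() not in ("mailto", "https"):
                    raise ValueError(f"unsupported rua URI scheme: {uri!r}")
                parsed["rua"].append(uri)
        else:
            parsed.setdefault("extensions", {})[name] = value
    if not parsed["rua"]:
        raise ValueError("record has no rua tag; reports would go nowhere")
    return parsed


if __name__ == "__main__":
    print(tlsrpt_query_name("Tailspintoys.ca"))
    print(parse_tlsrpt(SAMPLE_RECORD))
```

A record that fails these checks (for example a DMARC value copied by mistake, or a `rua` with no URI) is the usual reason no TLS reports ever arrive.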
Cheers,
Rhoderick
I like the efforts you have put in this, regards for all the great content.