On Mon, Oct 13, 2025 at 07:29:50AM +0200, Marco Moock via mailop wrote:
> > Therefore, in the context of MTA-to-MTA (port 25) email relaying, a
> > client certificate could perhaps be used as a lookup key for client
> > reputation, that could be more robust than an IP address. And the
> > DANCE working group client id draft:
>
> For which use case?
For more effective than source IP *positive* (or at least neutral)
reputation, for client IDs that have a history of non-spam traffic. A
sending domain's SPF (or similar) records might then list domains whose
client SMTP TLSA records are expected to be some of the primary sources
of mail from the domain.
> A spammer might just get various certificates for different host names
> via letsencrypt. Certain MTAs also have self-signed certs.
I am not suggesting that mere possession of a client certificate would
have any effect. The domain at which the associated TLSA records are
published might however have at least a neutral (or ideally a positive)
reputation.
> Rejecting because of that will cause many issues.
I don't see client certificate names or associated TLSA domains as
a vehicle to reject much traffic, rather much more a way to reduce false
positives, and also perhaps more trustworthy forensic traces when the
client domain is known with more confidence.
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
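The reply above describes using the domain that publishes a client's TLSA records, rather than the connecting IP, as the reputation lookup key, with possession of a certificate alone counting for nothing. The following is an added example illustrating that logic; it is not code from the mailop thread or from any MTA. It assumes the client's TLSA base domain is already known from the handshake (as the DANCE client-id draft mentioned in the thread would provide), that the TLSA owner-name pattern `_smtp-client._tcp.<domain>` is a placeholder, that the DNS zone is an in-memory dictionary standing in for a DNSSEC-validated lookup, and that the certificate and SPKI bytes are constructed blobs, not real keys.

```python
"""Match a presented SMTP client certificate against the TLSA records
published under the domain the client claims, and use that domain (not the
source IP) as the reputation lookup key only when the match succeeds.

Added example; not code from the mailop thread or any MTA.  The owner-name
pattern, the zone contents and the certificate bytes are constructed
placeholders, and the DNS lookup is an in-memory dictionary instead of a
DNSSEC-validated query.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsaRecord:
    usage: int        # 3 = DANE-EE (the only usage this example accepts)
    selector: int     # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int     # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes       # certificate association data


def parse_tlsa_rdata(rdata: str) -> TlsaRecord:
    """Parse TLSA presentation format: '<usage> <selector> <matching> <hex...>'.
    The hex field may be split across several whitespace-separated tokens."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError(f"malformed TLSA rdata: {rdata!r}")
    usage, selector, matching = (int(f) for f in fields[:3])
    return TlsaRecord(usage, selector, matching, bytes.fromhex("".join(fields[3:])))


def tlsa_matches(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented end-entity certificate matches one TLSA record."""
    if record.usage != 3:          # PKIX/trust-anchor usages would need chain validation
        return False
    if record.selector == 0:
        subject = cert_der
    elif record.selector == 1:
        subject = spki_der
    else:
        return False
    if record.matching == 0:
        digest = subject
    elif record.matching == 1:
        digest = hashlib.sha256(subject).digest()
    elif record.matching == 2:
        digest = hashlib.sha512(subject).digest()
    else:
        return False
    # compare_digest returns False (no exception) on length mismatch
    return hmac.compare_digest(digest, record.data)


def reputation_key(claimed_domain, cert_der, spki_der, client_ip, zone):
    """Return ('domain', <tlsa domain>) when the certificate matches a TLSA
    record under the claimed domain, else ('ip', <source ip>) as the fallback.
    A certificate that matches nothing earns no reputation of its own."""
    owner = f"_smtp-client._tcp.{claimed_domain}"   # assumed owner name (placeholder)
    rrset = zone.get(owner, [])
    if any(tlsa_matches(parse_tlsa_rdata(r), cert_der, spki_der) for r in rrset):
        return ("domain", claimed_domain)
    return ("ip", client_ip)


# Constructed sample data (not real keys or certificates): a fake SPKI blob
# embedded in a fake certificate blob.
SAMPLE_SPKI = b"\x30\x59" + bytes(range(89))
SAMPLE_CERT = b"\x30\x82\x01\x00" + SAMPLE_SPKI + b"\x00" * 16

# Constructed zone data: one domain publishes a "3 1 1" record for the sample
# key, another publishes a record for some different key.
SAMPLE_ZONE = {
    "_smtp-client._tcp.mx1.example.org": [
        "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest(),
    ],
    "_smtp-client._tcp.mx1.example.net": [
        "3 1 1 " + hashlib.sha256(b"some other key").hexdigest(),
    ],
}


def demo():
    """Three connections: matching record, mismatching record, no records."""
    ip = "192.0.2.10"
    ok = reputation_key("mx1.example.org", SAMPLE_CERT, SAMPLE_SPKI, ip, SAMPLE_ZONE)
    mismatch = reputation_key("mx1.example.net", SAMPLE_CERT, SAMPLE_SPKI, ip, SAMPLE_ZONE)
    unknown = reputation_key("nx.example.com", SAMPLE_CERT, SAMPLE_SPKI, ip, SAMPLE_ZONE)
    return ok, mismatch, unknown


if __name__ == "__main__":
    for label, key in zip(("match", "mismatch", "no records"), demo()):
        print(f"{label:>10}: {key}")
```

Only the matching case yields the domain as the key; the other two fall back to the source IP, so a certificate obtained for an arbitrary host name changes nothing unless its TLSA records are published at a domain that itself has a track record.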