On Fri, Feb 20, 2026 at 03:32:47PM +0100, Benoît Panizzon via mailop wrote:
> Receiving end is Postfix with a Let's Encrypt wildcard cert. As far as
> I can tell the cert looks valid, the chain looks ok.
This is not the first time on this list that I've had to remind email
server operators that DANE TLSA records are not a fashion statement, and
require timely monitoring:
https://stats.dnssec-tools.org/explore/?woody.ch
Microsoft supports DANE outbound. If you don't look after your DANE
TLSA records, you'll start losing email.
> Only emails sent from outlook customer are affected.
Well, not only, but that's the only one you've noticed.
> Anyone else observing that issue and having an idea what the cause
> could be?
Sadly, negligence on your part:
* The MX host's TLSA record:
  _25._tcp.mail.woody.ch TLSA 3 1 1 28597ef561de0b49632ab42099938bbeb085607ce151abeb139cd195c0f52382 ; 2026-02-02 - present
* The MX host's public key digest:
  mail.woody.ch 5ccbd2341dfc1a2baa665a5c377050f0c3769e6f8a4b6af8f2108bfe99922475 ; 2026-02-02 - present
One of these is not like the other. The public key is matched by a previous
TLSA record that hasn't been seen since mid-December:
  _25._tcp.mail.woody.ch TLSA 3 1 1 5ccbd2341dfc1a2baa665a5c377050f0c3769e6f8a4b6af8f2108bfe99922475 ; 2025-12-04 - 2025-12-14
I am curious why you've chosen to not monitor your TLSA records, any
insight would be appreciated...
--
Viktor. 🇺🇦 Glory to Ukraine!
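The check being asked for above, as an added example (my own code, not from this thread, Postfix or any DANE tool): compute the association data a "3 1 1" record carries, the SHA-256 of the certificate's SubjectPublicKeyInfo, and see whether any TLSA record currently published still matches the leaf certificate the MX presents. The certificate here is a constructed DER skeleton standing in for the real one, and the record parser accepts the zone-style lines shown in the message; the general selector/matching-type handling goes slightly beyond the 3 1 1 case the message discusses.

```python
import hashlib

def _der(tag, content):                      # minimal DER encoder, only used to build the sample
    n = len(content)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content
def _tlv(buf, pos):                          # decode one TLV: (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 cert: what TLSA selector 1 is computed over."""
    _, tbs_start, _ = _tlv(cert_der, 0)      # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, tbs_start)    # tbsCertificate SEQUENCE
    if _tlv(cert_der, pos)[0] == 0xA0:       # optional explicit [0] version
        pos = _tlv(cert_der, pos)[2]
    for _ in range(5):                       # serialNumber, signature, issuer, validity, subject
        pos = _tlv(cert_der, pos)[2]
    return cert_der[pos:_tlv(cert_der, pos)[2]]

def tlsa_data(cert_der, selector, mtype):
    """Association data for selector (0=full cert, 1=SPKI) and matching type (0=raw, 1=SHA-256, 2=SHA-512)."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    return {0: lambda d: d.hex(), 1: lambda d: hashlib.sha256(d).hexdigest(),
            2: lambda d: hashlib.sha512(d).hexdigest()}[mtype](data)
def parse_tlsa(text):
    """Parse zone-style lines ending in 'usage selector mtype hexdata'; ';' comments (the dates) are dropped."""
    out = []
    for line in text.splitlines():
        f = line.split(";")[0].split()[-4:]
        if len(f) == 4 and f[0].isdigit():
            out.append((int(f[0]), int(f[1]), int(f[2]), f[3].lower()))
    return out
def matching_record(cert_der, records):
    """First DANE-EE (usage 3) record matching the leaf cert, or None: the mismatch that bounces mail."""
    for rec in records:
        usage, selector, mtype, data = rec
        if usage == 3 and tlsa_data(cert_der, selector, mtype) == data:
            return rec
    return None

# Constructed sample: a syntactically valid DER certificate skeleton (P-256 SPKI, dummy signature), NOT a real cert.
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d0201")) + _der(0x06, bytes.fromhex("2a8648ce3d030107")))
                   + _der(0x03, b"\x00\x04" + b"\x11" * 64))
_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d040302")))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _ALG + _der(0x30, b"")
            + _der(0x30, _der(0x17, b"260101000000Z") + _der(0x17, b"270101000000Z")) + _der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, _TBS + _ALG + _der(0x03, b"\x00" * 9))
```

Run it against the DER leaf certificate the MX actually serves and the TLSA RRset fetched from DNS; a None result from matching_record is exactly the condition a monitor should alert on before the old record expires.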
mailop mailing list
https://list.mailop.org/listinfo/mailop