> On Sep 26, 2018, at 2:57 AM, Bernhard Schmidt <be...@birkenwald.de> wrote:
>
> Large parts of the German universities now use the DFN MailSupport (=
> inbound mail relaying and filtering by DFN). The MX records are in
> mx.srv.dfn.de, which is not signed (whole dfn.de is not signed). So you
> can have your own zone DNSSEC enabled, but not the one with the MX.

Good to know. Thanks.

> I heard they are working on this. This is also a blocker of our project
> to have DANE-secured SMTP transport for all Bavarian universities.

I wish them luck (really sound planning and execution, luck has little to
do with it). I also hope that the plan includes securing the downstream
hop from the DFN gateway to the client institution, unless DFN is also
providing IMAP, Webmail, ...
--
Viktor.