On 12 April 2018 at 03:23, Viktor Dukhovni wrote:
>
>
> > On Apr 11, 2018, at 6:52 PM, Dave Cridland wrote:
> >
> > Well, one assumes that an MTA gives out the policy for the MTA, not the
> domain, but otherwise I take your points. I don't think that
On Thu, Apr 12, 2018 at 10:27:25AM +0100, Dave Cridland wrote:
> > Unfortunately, per-MTA rather than per-domain policy entirely loses all
> > protection against active attacks when the MX RRset is not secure. The
> > MiTM just forges the MX RRset, yielding new hosts for which no policy
> > is