After reading the MTA-STS drafts, and following the discussions, there's still a question that I do not fully understand.
Why use DNS to "announce" the use of MTA-STS but rely on HTTPS for publishing the policy? So far, the policy is not that complex. Wouldn't a DNS TXT record suffice in many cases? I understand that in some cases the policy may be longer, depending on how many MX records a domain has. Fetching the policy from an HTTPS service could be an option for those who require longer policy descriptions. Another option for longer policies could be to add an 'include' parameter, like in SPF, therefore avoiding the need for another service (HTTPS) to deliver the policy. It may not simplify the work for the implementation of MTA-STS (fetching from HTTPS would still have to be implemented), but it would make it easier to deploy (I think). As an example, the TXT records could look like:

MTA-STS just DNS:

_mta-sts.example.com IN TXT "v=STSv1; id=20173003110000Z; mode=enforce; mx=*.example.com; max_age=12345600"

MTA-STS with DNS and HTTPS:

_mta-sts.example.com IN TXT "v=STSv1; id=20173003110000Z; use=https"

MTA-STS with DNS and 'include':

_mta-sts.example.com IN TXT "v=STSv1; id=20173003110000Z; max_age=12345600; include=_mta-sts01,_mta-sts02;"
_mta-sts01.example.com IN TXT "mx=mx1.example.com,mx2.example.com;"
_mta-sts02.example.com IN TXT "mx=*.example1.com;"

Gerard Draper Gil
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
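As an added example (not the poster's code, and not from any MTA-STS implementation or the published drafts), the following Python resolves the TXT-only syntax proposed in the message above, including the SPF-style 'include' variant. It shows the two things a receiving MTA would have to get right that the three record layouts do not spell out: include chains need loop detection and a lookup budget, since a hostile or misconfigured zone could otherwise make the sender chase includes indefinitely, and a wildcard mx pattern needs a precise matching rule. Everything beyond the poster's term names is an assumption: the zone data is constructed, include labels are taken as relative to the policy domain (as in the post), include records are restricted to mx= and include=, mode= defaults to "testing" when omitted, the include cap of 10 mirrors SPF's lookup limit, and '*.example' is matched against exactly one leading label, as RFC 8461 does for its HTTPS policy.

```python
"""Resolver for the DNS-TXT MTA-STS policy syntax proposed in the post above.
Added example, not code from the post or from any MTA-STS implementation: the
term grammar (v=, id=, mode=, max_age=, mx=, use=https, include=) is the poster's
proposal, not RFC 8461, and the zone data and include budget are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed TXT records standing in for DNS lookups (hypothetical zones).
ZONE: Dict[str, List[str]] = {
    "_mta-sts.flat.example":   ["v=STSv1; id=20170330110000Z; mode=enforce; mx=*.flat.example; max_age=12345600"],
    "_mta-sts.https.example":  ["v=STSv1; id=20170330110000Z; use=https"],
    "_mta-sts.inc.example":    ["v=STSv1; id=20170330110000Z; mode=enforce; max_age=12345600; include=_mta-sts01,_mta-sts02;"],
    "_mta-sts01.inc.example":  ["mx=mx1.inc.example,mx2.inc.example;"],
    "_mta-sts02.inc.example":  ["mx=*.example1.com;"],
    "_mta-sts.loop.example":   ["v=STSv1; id=1; mode=enforce; include=_mta-sts01;"],
    "_mta-sts01.loop.example": ["include=_mta-sts02;"],
    "_mta-sts02.loop.example": ["include=_mta-sts01;"],
}
MAX_INCLUDES = 10  # assumed cap on include lookups, mirroring SPF's limit (RFC 7208 s4.6.4)

class PolicyError(Exception):
    """The record set cannot be turned into a usable policy."""

@dataclass
class Policy:
    id: str
    mode: str = "testing"      # assumed default when mode= is absent
    max_age: int = 0
    mx: List[str] = field(default_factory=list)
    use_https: bool = False    # True: the policy body must be fetched over HTTPS instead

def _csv(value: str) -> List[str]:
    return [s.strip() for s in value.split(",") if s.strip()]

def parse_terms(txt: str) -> Dict[str, str]:
    """Split 'k=v; k=v;' into a dict, rejecting malformed or duplicated terms."""
    terms: Dict[str, str] = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        if "=" not in part:
            raise PolicyError(f"malformed term {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        if key.lower() in terms:
            raise PolicyError(f"duplicate term {key!r}")
        terms[key.lower()] = value
    return terms

def lookup_txt(name: str, zone: Dict[str, List[str]]) -> str:
    """Exactly one TXT record is required; zero or several is a hard failure."""
    records = zone.get(name.lower(), [])
    if len(records) != 1:
        raise PolicyError(f"{name}: expected one TXT record, found {len(records)}")
    return records[0]

def _collect_mx(label: str, domain: str, zone: Dict[str, List[str]],
                seen: set, budget: List[int]) -> List[str]:
    """Resolve one include= label (relative to domain) into mx patterns, recursively,
    with loop detection and a total-lookup budget so a hostile zone cannot spin us."""
    name = f"{label}.{domain}".lower()
    if name in seen:
        raise PolicyError(f"include loop at {name}")
    budget[0] -= 1
    if budget[0] < 0:
        raise PolicyError("too many include lookups")
    seen.add(name)
    terms = parse_terms(lookup_txt(name, zone))
    extra = set(terms) - {"mx", "include"}
    if extra:
        raise PolicyError(f"{name}: {sorted(extra)} not allowed in an include record")
    mx = _csv(terms.get("mx", ""))
    for sub in _csv(terms.get("include", "")):
        mx.extend(_collect_mx(sub, domain, zone, seen, budget))
    return mx

def resolve_policy(domain: str, zone: Dict[str, List[str]] = ZONE) -> Policy:
    """Build a Policy for domain from _mta-sts.<domain> plus any include= records."""
    terms = parse_terms(lookup_txt(f"_mta-sts.{domain}", zone))
    if terms.get("v") != "STSv1" or "id" not in terms:
        raise PolicyError("missing v=STSv1 or id=")
    policy = Policy(id=terms["id"], mode=terms.get("mode", "testing"),
                    max_age=int(terms.get("max_age", "0")))
    if terms.get("use") == "https":
        policy.use_https = True    # the DNS record carries nothing more in this form
        return policy
    if policy.mode not in ("enforce", "testing", "none"):
        raise PolicyError(f"unknown mode {policy.mode!r}")
    policy.mx = _csv(terms.get("mx", ""))
    seen, budget = set(), [MAX_INCLUDES]
    for label in _csv(terms.get("include", "")):
        policy.mx.extend(_collect_mx(label, domain, zone, seen, budget))
    if not policy.mx and policy.mode != "none":
        raise PolicyError("policy lists no mx patterns")
    return policy

def mx_matches(policy: Policy, hostname: str) -> bool:
    """Match an MX hostname against the patterns; '*.x' covers exactly one leading label."""
    host = hostname.lower().rstrip(".")
    for pattern in (p.lower() for p in policy.mx):
        if pattern.startswith("*."):
            suffix = pattern[1:]                        # e.g. ".flat.example"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False
```

Resolving "inc.example" yields the three mx patterns gathered from both include records; resolving "loop.example" fails with an include-loop error instead of recursing forever, which is the check any TXT-only variant of the proposal would need before a sender trusted it for an enforce-mode decision.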
