Ask HN: Which SMTP SaaS Supports DANE?
2 points by unilynx on Aug 26, 2022 | 4 comments
There are plenty of SMTP providers out there ... AWS SES, Postmark, Sendgrid...

But is there any provider out there which supports DANE on outgoing email, i.e. enforcing STARTTLS if the recipient domain requests so?

(It seems governments and domain name registries love talking about DANE, but few actual email providers care to implement it)



The major mail providers got together and standardized MTA-STS, because none of them are DNSSEC-signing their normal zones, because DNSSEC is (1) not very good and (2) has an annoying tendency of screwing up and taking whole zones off the Internet for hours at a time.


What makes you think a particular provider supports or doesn't support DANE?

Have you tested with a target SMTP server that is:

a. Properly configured for DANE

b. Misconfigured (e.g. TLSA record conflicts with what the server requires for TLS) to simulate a MITM attack

c. Unconfigured to simulate a downgrade attack

In essence, it seems simple enough that I would expect all larger providers to respect DANE, so I am curious what makes you think they aren't?


I was actually looking for a test site that could do that, like we have dnssec-failed.org - saves me setting up the target servers themselves

DANE requires a provider to validate DNSSEC. I know not all of them do that. DANE takes it even a step further, so I'm going to assume even fewer providers implement that.

Microsoft specifically announced it last February for Exchange Online (not really an SMTP SaaS like e.g. SendGrid), so it's special enough that it's worthy of an announcement - https://techcommunity.microsoft.com/t5/exchange-team-blog/re...

I emailed Postmark asking if they supported STARTTLS/DANE; they replied that they supported opportunistic STARTTLS. Not an outright "No", but it might be a failure to understand the question.

So plenty of reasons to not assume DANE is implemented unless a provider can actually confirm it is.


Yeah, it'd be great if there were test target SMTP servers with all useful configurations to test relay SMTP server behaviour in regards to DANE.

I am now definitely curious, though I can't promise I'll find the time to set up the servers either.

DANE on top of DNSSEC is merely a policy (retry rules and no fallback to unencrypted comms), so it is relatively simple to implement — though you are right that this doesn't mean it is!

I think adding Gmail as the largest email provider to your list of mail services to check is also useful.
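The policy the last two comments describe (DANE on top of DNSSEC as a set of retry rules with no cleartext fallback) and the three test targets proposed earlier in the thread (properly configured, mismatched TLSA, no STARTTLS) can be written down as a small decision function. The following is an added example for this page, not code from any commenter or any provider mentioned; it models the sending MTA's decision per RFC 7672 as I read it, with TLSA matching for the DANE-EE and DANE-TA usages. The certificate bytes are constructed placeholders rather than real DER, and PKIX path validation up to a DANE-TA anchor is deliberately left out, so only the association-data matching and the deliver/defer logic are shown.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# TLSA parameter values from RFC 6698; RFC 7672 restricts which ones SMTP may use.
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SELECTOR_CERT, SELECTOR_SPKI = 0, 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# A presented certificate as (full DER, SubjectPublicKeyInfo DER); chains are leaf first.
Cert = Tuple[bytes, bytes]


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # certificate association data


def association_data(selector: int, matching_type: int, cert: Cert) -> bytes:
    """Derive the TLSA association data for one certificate (RFC 6698 section 2.1)."""
    chosen = cert[0] if selector == SELECTOR_CERT else cert[1]
    if matching_type == MATCH_FULL:
        return chosen
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(chosen).digest()
    return hashlib.sha512(chosen).digest()


def is_usable(r: TLSARecord) -> bool:
    """PKIX-TA/PKIX-EE and unknown parameters are not usable for SMTP (RFC 7672 section 3.1)."""
    return (r.usage in (USAGE_DANE_TA, USAGE_DANE_EE)
            and r.selector in (SELECTOR_CERT, SELECTOR_SPKI)
            and r.matching_type in (MATCH_FULL, MATCH_SHA256, MATCH_SHA512))


def record_matches(r: TLSARecord, chain: Sequence[Cert]) -> bool:
    """DANE-EE matches the leaf only; DANE-TA matches an issuer in the presented chain.
    Simplification: the PKIX path from the leaf to that anchor is not validated here."""
    candidates = chain[:1] if r.usage == USAGE_DANE_EE else chain[1:]
    return any(association_data(r.selector, r.matching_type, c) == r.data for c in candidates)


def delivery_policy(dnssec_status: str, records: List[TLSARecord],
                    starttls_offered: bool, chain: Optional[Sequence[Cert]]) -> str:
    """Decide what a DANE-aware sending MTA does for one MX host.

    dnssec_status is the validating resolver's verdict on the TLSA lookup:
    'secure', 'insecure' (unsigned zone) or 'bogus' (validation failed).
    chain is what the server presented after STARTTLS, or None if none was offered.
    """
    if dnssec_status == "bogus":
        return "defer"  # validation failure: never downgrade, retry later
    if dnssec_status == "insecure" or not records:
        # No trustworthy TLSA policy: plain opportunistic TLS, cleartext fallback allowed.
        return "deliver_tls_unauthenticated" if starttls_offered else "deliver_cleartext"
    # A secure TLSA RRset exists, so STARTTLS is mandatory from here on.
    if not starttls_offered or chain is None:
        return "defer"  # the thread's case c: a downgrade, not a reason to send in the clear
    usable = [r for r in records if is_usable(r)]
    if not usable:
        return "deliver_tls_unauthenticated"  # RFC 7672 section 2.2: encrypt, cannot authenticate
    if any(record_matches(r, chain) for r in usable):
        return "deliver_tls_authenticated"  # the thread's case a
    return "defer"  # the thread's case b: mismatch, possible MITM, retry later


def run_thread_scenarios() -> dict:
    """Replay the test targets proposed in the thread on constructed (non-DER) data."""
    leaf: Cert = (b"constructed-leaf-cert-der", b"constructed-leaf-spki-der")
    good = TLSARecord(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, hashlib.sha256(leaf[1]).digest())
    stale = TLSARecord(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, hashlib.sha256(b"old-key").digest())
    return {
        "a_properly_configured": delivery_policy("secure", [good], True, [leaf]),
        "b_tlsa_mismatch": delivery_policy("secure", [stale], True, [leaf]),
        "c_no_starttls": delivery_policy("secure", [good], False, None),
        "unsigned_zone": delivery_policy("insecure", [good], True, [leaf]),
        "bogus_dnssec": delivery_policy("bogus", [], True, [leaf]),
        "no_policy_no_starttls": delivery_policy("secure", [], False, None),
    }


if __name__ == "__main__":
    for name, outcome in run_thread_scenarios().items():
        print(f"{name:24} -> {outcome}")
```

The last scenario is the behaviour a provider offering only opportunistic STARTTLS exhibits for every destination: without a validated TLSA record there is nothing to enforce, so a missing STARTTLS simply means cleartext delivery. The difference between that and a DANE-enforcing sender is entirely in the "defer" branches.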
