I was actually looking for a test site that could do that, like we have dnssec-failed.org - it saves me setting up the target servers myself.
DANE requires a provider to validate DNSSEC. I know not all of them do that. DANE takes it even a step further, so I'm going to assume even fewer providers implement that.
I emailed Postmark asking whether they supported STARTTLS/DANE; they replied that they support opportunistic STARTTLS. Not an outright "No", but it might be a failure to understand the question.
So plenty of reasons to not assume DANE is implemented unless a provider can actually confirm it is.
Yeah, it'd be great if there were test target SMTP servers with all useful configurations to test relay SMTP server behaviour with regard to DANE.
I am now definitely curious, though I can't promise I'll find the time to set up the servers either.
DANE on top of DNSSEC is merely a policy (retry rules and no fallback to unencrypted comms), so it is relatively simple to implement — though you are right that this doesn't mean it is!
I think adding gmail as the largest email provider to your list of mail services to check is also useful.
Have you tested with a target SMTP server that is:
a. Properly configured for DANE
b. Misconfigured (e.g. TLSA record conflicts with what the server presents for TLS) to simulate a MITM attack
c. Unconfigured to simulate downgrade attack
In essence, it seems simple enough that I would expect all larger providers to respect DANE, so I am curious what makes you think they aren't?
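The three target configurations listed above (properly configured, conflicting TLSA record, no TLSA record) and the "policy only" point made earlier map to a small decision function on the relay side. The code below is an added example, not code from any of the posters or from a real MTA: it implements TLSA matching (RFC 6698 selectors and matching types) against DER certificates and the RFC 7672 outcome for each DNSSEC/TLSA state. The certificates are constructed in-line as structurally valid but unsigned X.509 skeletons (enough to extract and hash the SubjectPublicKeyInfo); the function names, the "3 1 1" record and the DNSSEC status strings are assumptions for illustration, and DANE-TA(2) path validation is deliberately omitted.

```python
"""Added example: DANE policy decision for an SMTP relay (RFC 6698/7671/7672).
All certificates and TLSA records below are constructed in-line for the demo."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes


# --- minimal DER helpers: enough to build and walk a certificate skeleton ---
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, header_start, body_start, end) of the TLV at pos."""
    start, tag, length = pos, buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, start, pos, pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Raw SubjectPublicKeyInfo TLV of a DER X.509 certificate (selector 1)."""
    tag, _, pos, _ = _read_tlv(cert_der, 0)       # Certificate
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, pos, _ = _read_tlv(cert_der, pos)     # TBSCertificate
    if tag != 0x30:
        raise ValueError("bad TBSCertificate")
    tag, _, _, nxt = _read_tlv(cert_der, pos)
    if tag == 0xA0:                               # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                            # serial, signature, issuer, validity, subject
        _, _, _, pos = _read_tlv(cert_der, pos)
    tag, hdr, _, end = _read_tlv(cert_der, pos)   # subjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("bad SubjectPublicKeyInfo")
    return cert_der[hdr:end]


def tlsa_association(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Certificate association data as it would appear in a TLSA record."""
    obj = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return obj
    if mtype == 1:
        return hashlib.sha256(obj).digest()
    if mtype == 2:
        return hashlib.sha512(obj).digest()
    raise ValueError(f"unknown matching type {mtype}")


def record_matches(rec: TLSA, chain: List[bytes]) -> bool:
    """chain[0] is the end-entity certificate, the rest the presented issuers."""
    if rec.usage == 3:                 # DANE-EE: only the leaf counts
        candidates = chain[:1]
    elif rec.usage == 2:               # DANE-TA: a presented issuer is the anchor
        candidates = chain[1:]         # (real clients must also validate leaf -> TA; omitted here)
    else:                              # PKIX-TA/PKIX-EE: unusable for SMTP (RFC 7672)
        return False
    return any(tlsa_association(c, rec.selector, rec.mtype) == rec.data for c in candidates)


def dane_decision(dnssec_status: str, tlsa: Optional[List[TLSA]], chain: List[bytes]) -> str:
    """dnssec_status is the validator's verdict for the TLSA lookup:
    'secure', 'insecure' (unsigned zone) or 'bogus' (failed validation)."""
    if dnssec_status == "bogus":
        return "defer"                              # broken DNSSEC: retry later, never cleartext
    if dnssec_status != "secure" or not tlsa:
        return "opportunistic-tls"                  # no DANE: STARTTLS if offered, else cleartext
    usable = [r for r in tlsa if r.usage in (2, 3) and r.selector in (0, 1) and r.mtype in (0, 1, 2)]
    if not usable:
        return "mandatory-tls-unauthenticated"      # RFC 7672: TLS required, no authentication
    if any(record_matches(r, chain) for r in usable):
        return "deliver-authenticated"
    return "defer"                                  # mismatch = possible MITM: no delivery, no cleartext


def make_fake_cert(key_bytes: bytes) -> bytes:
    """Constructed, unsigned X.509 skeleton; only its structure and SPKI matter here."""
    spki = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")   # rsaEncryption OID
                      + _der(0x03, b"\x00" + key_bytes))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))    # [0] version v3
                     + _der(0x02, b"\x01")              # serialNumber
                     + _der(0x30, b"") * 4              # signature, issuer, validity, subject (placeholders)
                     + spki)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


def scenarios() -> dict:
    """The test targets from the thread (a, b, c) plus the DNSSEC edge cases."""
    legit = make_fake_cert(b"legit-server-key")
    mitm = make_fake_cert(b"attacker-key")
    rec = TLSA(3, 1, 1, tlsa_association(legit, 1, 1))   # a "3 1 1" record for the real server
    return {
        "a_proper":      dane_decision("secure", [rec], [legit]),
        "b_mitm":        dane_decision("secure", [rec], [mitm]),
        "c_no_tlsa":     dane_decision("secure", [], [legit]),
        "bogus_dnssec":  dane_decision("bogus", [rec], [legit]),
        "unsigned_zone": dane_decision("insecure", None, [legit]),
        "only_pkix_ee":  dane_decision("secure", [TLSA(1, 1, 1, rec.data)], [legit]),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:14s} -> {outcome}")
```

The point to check when testing a real relay is case (b): a relay that honours DANE must defer the message on a TLSA mismatch rather than deliver it, and it must not drop to cleartext when DNSSEC validation fails, which is exactly the "retry rules and no fallback" policy mentioned above.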