> > Not clear. SMTP can relay a single copy of a message to multiple
> > recipients at multiple domains. Your suggestion would force a
> > separate TLS session, or a separate SMTP session, for every distinct
> > recipient domain.
>
> Yes, that's true, but that's inherent in the "one certificate"
> model.

Not quite inherent -- if you verify against a SubjectAltName dNSName you
can decide the certificate is valid for many domains.

> Like I said earlier, if you want to have some set of
> certificates vouching for MX records, then you want DNSSEC.

But I agree with this.
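The SAN-based check described above, as an added example that is not part of the thread: given the dNSName entries of one presented certificate (a constructed list here) and the recipient domains of one relayed message, decide which recipients the single certificate covers. Matching follows the usual RFC 6125 rules (case-insensitive, wildcard only as the whole left-most label, and only for names with at least two labels to its right).

```python
from typing import List, Sequence, Tuple


def san_dnsname_matches(san_names: Sequence[str], hostname: str) -> bool:
    """Return True if hostname is covered by one SAN dNSName entry.

    Rules applied: compare case-insensitively, ignore a trailing dot,
    require the same number of labels, allow '*' only as the entire
    left-most label and only when at least two labels follow it
    (so '*.com' never matches 'example.com').
    """
    host = hostname.rstrip(".").lower().split(".")
    for name in san_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host):
            continue
        if labels == host:
            return True
        if labels[0] == "*" and len(labels) >= 3 and labels[1:] == host[1:]:
            return True
    return False


def partition_recipient_domains(
    san_names: Sequence[str], recipient_domains: Sequence[str]
) -> Tuple[List[str], List[str]]:
    """Split a message's recipient domains into those the single
    certificate vouches for and those needing a separate session."""
    covered: List[str] = []
    uncovered: List[str] = []
    for domain in recipient_domains:
        target = covered if san_dnsname_matches(san_names, domain) else uncovered
        target.append(domain)
    return covered, uncovered


# Constructed sample data: one certificate, one multi-recipient message.
SAMPLE_SAN = ["mx.example.net", "*.example.org", "example.com"]
SAMPLE_RECIPIENTS = ["example.com", "mail.example.org", "example.net", "mx.example.net"]

if __name__ == "__main__":
    ok, needs_own = partition_recipient_domains(SAMPLE_SAN, SAMPLE_RECIPIENTS)
    print("covered by this certificate:", ok)
    print("need another certificate/session:", needs_own)
```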