>>>>> "Patrik" == Patrik Fältström <paf@xxxxxxxxxx> writes:

    >> On 25 feb 2015, at 19:56, Sam Hartman <hartmans-ietf@xxxxxxx> wrote:
    >>
    >> I disagree that SRV or MX introduces similar complexity into
    >> standards.

    Patrik> Sam, I feel I need to understand this.

    Patrik> For MX, you have to start with a URI like this:

    Patrik> mailto:paf@xxxxxxxxxx

I'm sorry, I don't understand how a URI is involved in MX processing.
I don't think any of the specs are written in terms of URIs, and I find
thinking of MX processing in terms of URIs to be confusing.

For email, we've never really had wide-scale deployment of TLS that does
certificate validation. Across the Internet, STARTTLS tends to provide
something similar to opportunistic security.

Within an organization where specific certificates are being validated
to specific anchors, I'd be mildly surprised if MX processing was a
significant part of the configuration. I suspect there's not much
uniformity about whether you check the queried domain or the resulting
domain for the certificate, and I suspect that you'll probably need
MTA-specific configuration to get cert validation to be particularly
useful with SMTP.

If I were writing an MTA, I'd expect the cert to match what went into
the MX query, not what came out. However, I'd have a variety of
configuration options all defaulting to not checking the certificate at
all.
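The two certificate-matching policies Sam contrasts above (match the name that went into the MX query versus the MX target that came out of it), plus the "check nothing" default, as an added example that is not part of this thread and is not anyone's MTA code. DNS answers and certificate SANs are constructed in-memory data so it runs offline; the policy names, the MX table and the SAN lists are all illustrative assumptions.

```python
"""Added example: which name should an MTA check an SMTP server's certificate
against?  Three policies are modelled:

  "queried"   - the recipient domain that went into the MX lookup
  "mx-target" - the exchange hostname that came out of it
  "none"      - no validation at all (opportunistic STARTTLS)

DNS and TLS are replaced by constructed tables so the example runs offline.
"""

# Constructed MX records: recipient domain -> [(preference, exchange), ...]
MX_TABLE = {
    "example.com": [(10, "mx1.mailhost.example"), (20, "mx2.mailhost.example")],
    "example.org": [(10, "mail.example.org")],
}

# Constructed certificate SAN lists, keyed by the host we "connected" to.
# example.com is hosted by a third party whose certs name only its own hosts;
# example.org runs its own MX and its cert also carries the bare domain.
CERT_SANS = {
    "mx1.mailhost.example": ["*.mailhost.example"],
    "mx2.mailhost.example": ["mx2.mailhost.example"],
    "mail.example.org": ["mail.example.org", "example.org"],
}


def lookup_mx(domain):
    """Return exchange hostnames in preference order; with no MX record,
    RFC 5321 says to treat the domain itself as an implicit MX."""
    records = MX_TABLE.get(domain)
    if not records:
        return [domain]
    return [exchange for _, exchange in sorted(records)]


def san_matches(san, hostname):
    """Case-insensitive DNS-ID comparison.  A wildcard is accepted only as the
    entire left-most label and only matches exactly one label (RFC 6125 style)."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    first, _, rest = san.partition(".")
    if first != "*" or not rest:
        return False
    hfirst, _, hrest = hostname.partition(".")
    return bool(hfirst) and hrest == rest


def expected_names(queried_domain, mx_target, policy):
    """The reference identifier(s) the certificate must carry under a policy."""
    if policy == "queried":
        return [queried_domain]
    if policy == "mx-target":
        return [mx_target]
    if policy == "none":
        return []
    raise ValueError("unknown policy: %r" % (policy,))


def cert_acceptable(queried_domain, mx_target, policy, sans):
    names = expected_names(queried_domain, mx_target, policy)
    if not names:
        return True  # unvalidated, opportunistic TLS
    return any(san_matches(san, name) for name in names for san in sans)


def deliver(domain, policy):
    """Walk the MX list in preference order and return (exchange, True) for the
    first host whose certificate satisfies the policy, else (None, False)."""
    for exchange in lookup_mx(domain):
        if cert_acceptable(domain, exchange, policy, CERT_SANS.get(exchange, [])):
            return exchange, True
    return None, False


if __name__ == "__main__":
    for domain in ("example.com", "example.org"):
        for policy in ("none", "mx-target", "queried"):
            print(domain, policy, deliver(domain, policy))
```

Running it shows the practical tension in the thread: with the "queried" policy, mail for example.com to its outsourced MX hosts never validates, because a hosting provider's certificate names its own hosts, not every customer domain; "mx-target" validates, but the name it checks came out of an (unsigned, in this model) DNS answer, so an attacker who can forge the MX response can also choose which certificate is expected.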