>In any case, absent DNSSEC validated SRV records, there is no good
>way to deploy transport security for *hosted* submission and imap
>services without users manually selecting the underlying provider
>hostnames as the service endpoint.

Yup. We're exactly where we are now, he said tautologically.

>With DNSSEC validated SRV records, one may as well use DANE. That
>said, DNSSEC is as yet not a ubiquitous viable option for mobile
>clients, we need many years of upgrades of public WiFi networks
>before one might be able to expect DNSSEC signed SRV records to
>reach one's mobile device.

I wouldn't disagree, but I also don't see anything on the horizon better than SRV+DNSSEC. It's an architectural fact that mail servers host lots of domains, and that server configuration has historically been pretty casual.

R's,
John