My objections to the draft would be alleviated if the abstract was changed to:

This document describes an experimental TLS server identity verification procedure for SMTP Submission, IMAP, POP and ManageSieve clients that is appropriate for mail servers that host a small number of domains under a single administration. When used, it replaces Section 2.4 of RFC 2595, updates Section 4.1 of RFC 3207, updates Section 11.1 of RFC 3501, updates Section 2.2.1 of RFC 5804. Procedures that scale to servers that host a large number of domains are for further study.

And in the security considerations section:

Because of the lack of client identification of the target domain, the email server certificate described in this document has to contain the complete list of names that the client will be looking for. If RFC 6186 is in use, this means that the mail server certificate will hold a list of all domains served by this service. This reveals information about other customers of the service, which may not be a desirable result.

Note that I'm OK with pushing this as *experimental*. Given the lack of general applicability, I'm not OK with pushing this for standards-track.

Harald
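The security consideration above, modelled as an added example (not code from Harald's message or from the draft it discusses): a client that reached a shared mail host via an RFC 6186 SRV lookup checks the certificate only for names derived from its own mail domain, so one certificate must carry a name for every hosted domain, and each client can read the other customers' domains off it. All domain names and the SAN list are constructed sample data; the DNS-ID/SRV-ID matching rule is an assumption for illustration.

```python
# Added example, not from the message or the draft. Assumption: the client
# accepts only names derived from the user's own mail domain (a DNS-ID for
# the domain or an SRV-ID such as _imaps.alpha.example) because it has no
# authenticated way to trust the SRV target host name it connected to.
# Every domain name and SAN entry below is constructed sample data.

def reference_identities(user_domain: str, service: str = "imaps") -> set[str]:
    """Names the client will look for in the certificate for user_domain."""
    return {user_domain, f"_{service}.{user_domain}"}

def cert_accepted(san_names: list[str], user_domain: str, service: str = "imaps") -> bool:
    """True if at least one acceptable reference identity appears in the SANs."""
    return bool(reference_identities(user_domain, service) & set(san_names))

def required_sans(hosted_domains: list[str], service: str = "imaps") -> set[str]:
    """The client never tells the server which domain it wants, so a single
    certificate must carry an acceptable name for every hosted domain.
    Here the operator picks the SRV-ID form for each of them."""
    return {f"_{service}.{d}" for d in hosted_domains}

def names_revealed(san_names: list[str], user_domain: str, service: str = "imaps") -> set[str]:
    """Names a client for user_domain learns from the certificate beyond its
    own reference identities (other customers' domains plus the host name),
    with the SRV-ID prefix stripped for readability."""
    own = reference_identities(user_domain, service)
    prefix = f"_{service}."
    return {n[len(prefix):] if n.startswith(prefix) else n
            for n in san_names if n not in own}

# Constructed: one provider host serving three customer domains.
HOSTED = ["alpha.example", "beta.example", "gamma.example"]
SHARED_CERT_SANS = ["imap.provider.example", *sorted(required_sans(HOSTED))]

if __name__ == "__main__":
    for d in HOSTED:
        print(d, "accepted:", cert_accepted(SHARED_CERT_SANS, d),
              "sees:", sorted(names_revealed(SHARED_CERT_SANS, d)))
```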