>DANE is an algorithm for the *sender* to look up information about the
>*recipient*'s mailbox in the DNS, which means that the whole experiment
>depends on the sender (who has no idea of what or where the recipient
>is) being able to construct exactly the same hash that is generated by
>the recipient - incompatible with the two pieces of advice I have
>abstracted out above.

You know, this is a self-inflicted wound. Had they asked people in the e-mail community while designing this hack whether it is a good idea to map mailbox names into the DNS, the unanimous response would be that it never has worked in the past, and it's not going to work any better now.

There are perfectly reasonable ways to do DANE-secured lookups of mailbox keys. A simple one would be a per-domain SRV or URI record that points at an RFC 4387 key server, with its certs secured by TLSA. It's just as secure, just as DANE-ful, and has none of the semantics and scaling problems of trying to shove mailbox keys into the DNS. Its realistic security is better, since the mailbox names don't get relayed through DNS caches of unknown snoopiness.

The endless debate about upper/lower case, and the continuing failure to address the much greater actual range of mailbox semantics problems should tell us to back up and look for something that really works.

R's,
John
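An added illustration of the two designs contrasted in the message above (example code, not part of the original post or of any project). It assumes the mailbox-in-DNS scheme under discussion is the RFC 7929 OPENPGPKEY owner-name construction (SHA-256 of the local part, truncated to 28 octets, hex, under `_openpgpkey.<domain>`), and models the alternative as an RFC 4387-style `_certificates._tcp.<domain>` SRV record whose target is checked against a DANE-EE TLSA record. The zone contents, the `keys.example.com` host and the "certificate" bytes are constructed stand-ins; a real client would additionally require DNSSEC-validated answers (AD bit from a validating resolver) for both the SRV and the TLSA lookup, which this offline example does not do.

```python
"""Mailbox-name hashing vs. per-domain SRV + TLSA discovery of a key server.

Offline model: DNS answers come from a constructed in-memory zone, not the network.
"""
import hashlib

# Constructed stand-in for the key server's DER certificate (not a real certificate).
KEYSERVER_CERT_DER = b"\x30\x82\x01\x00constructed-keyserver-cert-bytes"

# Constructed zone for example.com: (owner name, rrtype) -> list of rdata tuples.
# SRV rdata: (priority, weight, port, target).  TLSA rdata: (usage, selector, mtype, data-hex).
# TLSA usage 3 = DANE-EE, selector 0 = full certificate, matching type 1 = SHA-256.
ZONE = {
    ("_certificates._tcp.example.com", "SRV"): [(0, 5, 443, "keys.example.com")],
    ("_443._tcp.keys.example.com", "TLSA"): [
        (3, 0, 1, hashlib.sha256(KEYSERVER_CERT_DER).hexdigest())
    ],
}


def openpgpkey_owner(mailbox: str) -> str:
    """RFC 7929 owner name: hex(SHA-256(local-part)[:28]) . _openpgpkey . domain.

    The local part is hashed byte-for-byte, so 'john' and 'John' map to different
    names: the sender must guess the exact form the recipient published under.
    Only the domain part is lowercased, since DNS labels are case-insensitive.
    """
    local, _, domain = mailbox.partition("@")
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.lower()}"


def resolve_keyserver(domain: str, zone=ZONE):
    """Per-domain discovery: SRV _certificates._tcp.<domain> -> (host, port).

    Only the domain is queried, so no mailbox name passes through caches.
    """
    rrs = zone.get((f"_certificates._tcp.{domain.lower()}", "SRV"))
    if not rrs:
        raise LookupError(f"no key server SRV record for {domain}")
    # RFC 2782 selection order: lowest priority first, then highest weight.
    _prio, _weight, port, target = sorted(rrs, key=lambda r: (r[0], -r[1]))[0]
    return target, port


def fetch_tlsa(host: str, port: int, zone=ZONE):
    """TLSA records live at _<port>._tcp.<host>."""
    return zone.get((f"_{port}._tcp.{host.lower()}", "TLSA"), [])


def tlsa_matches(record, cert_der: bytes) -> bool:
    """Check one TLSA record against the certificate the server presented.

    Handles DANE-EE (usage 3) with the full-certificate selector (0) and the
    three matching types: 0 = exact, 1 = SHA-256, 2 = SHA-512.  SPKI selection
    (selector 1) would need DER parsing and is deliberately rejected here.
    """
    usage, selector, mtype, data = record
    if usage != 3 or selector != 0:
        raise NotImplementedError("only DANE-EE with full-cert selector modelled")
    if mtype == 0:
        return data == cert_der.hex()
    if mtype == 1:
        return data == hashlib.sha256(cert_der).hexdigest()
    if mtype == 2:
        return data == hashlib.sha512(cert_der).hexdigest()
    raise ValueError(f"unknown TLSA matching type {mtype}")


def verify_keyserver(domain: str, presented_cert_der: bytes, zone=ZONE) -> bool:
    """Full path: SRV -> TLSA -> does the presented cert match any TLSA record?"""
    host, port = resolve_keyserver(domain, zone)
    records = fetch_tlsa(host, port, zone)
    return any(tlsa_matches(r, presented_cert_der) for r in records)


if __name__ == "__main__":
    for addr in ("john@example.com", "John@example.com"):
        print(addr, "->", openpgpkey_owner(addr))
    host, port = resolve_keyserver("example.com")
    print("key server:", host, port)
    print("TLSA ok:", verify_keyserver("example.com", KEYSERVER_CERT_DER))
    print("TLSA ok (tampered cert):", verify_keyserver("example.com", KEYSERVER_CERT_DER + b"x"))
```

Running it shows the two `_openpgpkey` owner names differing only by the case of the local part, while the SRV path touches only `example.com`-owned names and accepts or rejects the server purely on the TLSA match.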