> On Mar 6, 2017, at 3:12 PM, Phillip Hallam-Baker <phill@xxxxxxxxxxxxxxx> wrote:
>
> Again, you are mistaken.

I think you meant to say, that you disagree, at least in general, but that your experience in the SMTP space is more limited, so I might be right in the SMTP case.

> Security Policy can benefit from DNSSEC but it absolutely does not require DNSSEC
> to provide value.

This is not true for SMTP, which is vulnerable to downgrade attacks if the security policy is not made tamper-resistant.

> Since the current Internet security policy is to require no security, any policy
> publication mechanism adds value over the baseline.

Yes, against passive attacks, but STARTTLS is already sufficient for that.

--
Viktor.