> On Mar 6, 2017, at 4:40 PM, Gary E. Miller <gem@xxxxxxxxxx> wrote:
>
>> This is not true for SMTP, which is vulnerable to downgrade attacks
>> if the security policy is not made tamper-resistant.
>
> Please do not make the best the enemy of the merely better. Often a
> little better is good enough for now.

No need to convince me, see RFC7435. That said, the current STARTTLS is
quite sufficient for best-effort security and is quite effective at that:

https://www.google.com/transparencyreport/saferemail/

Roughly 84% of email to/from gmail is TLS protected, which beats the
recent milestone (IIRC reported from Mozilla HTTP telemetry) of 50% of
web traffic using TLS.

The goal of DANE TLS for SMTP is to opportunistically provide downgrade
resistance for TLS to domains that deploy DANE TLSA records for SMTP.
It is up to each domain whether to publish TLSA records for SMTP or not.
If they do, MTA-to-MTA SMTP from a DANE-enabled MTA to the destination
becomes downgrade-resistant and authenticated. Notable early adopters
include gmx.de, web.de, posteo.de, mailbox.org, transip.nl,
domeneshop.no, comcast.net, ...

-- 
	Viktor.
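An added illustration of the behaviour described in the message above (example code written for this page, not Postfix's or any project's own): it models how a DANE-aware MTA turns a DNSSEC-validated TLSA RRset into either opportunistic STARTTLS or mandatory, authenticated TLS, so that a stripped STARTTLS or a non-matching certificate causes deferral instead of cleartext fallback. The certificate bytes and the level names ("may", "encrypt", "dane") are constructed/assumed, modelled on Postfix's smtp_tls_security_level vocabulary.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample bytes standing in for the DER certificate and SPKI a
# TLS handshake would present (not a real certificate).
CERT_DER = b"CONSTRUCTED-DER-CERT-FOR-mx.example.net"
SPKI_DER = b"CONSTRUCTED-SPKI-FOR-mx.example.net"

@dataclass(frozen=True)
class TLSA:
    usage: int     # 3 = DANE-EE (matched here); 2 = DANE-TA counts as usable only
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes

def _digest(mtype, raw):
    if mtype == 0:
        return raw
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(raw).digest()

def usable(rr):
    return rr.usage in (2, 3) and rr.selector in (0, 1) and rr.mtype in (0, 1, 2)

def tlsa_matches(rr, cert_der, spki_der):
    """DANE-EE(3) only: does the record match the presented end-entity cert?"""
    if rr.usage != 3:
        return False
    raw = cert_der if rr.selector == 0 else spki_der
    return _digest(rr.mtype, raw) == rr.data

def effective_level(tlsa_rrset, dnssec_secure):
    """Assumed Postfix-style levels: 'dane' = TLS mandatory and must match a
    TLSA record; 'encrypt' = TLS mandatory but unauthenticated (TLSA present
    but all unusable); 'may' = opportunistic STARTTLS, cleartext fallback ok."""
    if not dnssec_secure or not tlsa_rrset:
        return "may"
    return "dane" if any(usable(rr) for rr in tlsa_rrset) else "encrypt"

def delivery_decision(tlsa_rrset, dnssec_secure, starttls_offered, cert_der, spki_der):
    level = effective_level(tlsa_rrset, dnssec_secure)
    if level == "may":
        return "tls-unauthenticated" if starttls_offered else "cleartext"
    if not starttls_offered:
        return "defer"  # missing STARTTLS under dane/encrypt is a downgrade: no delivery
    if level == "encrypt":
        return "tls-unauthenticated"
    if any(tlsa_matches(rr, cert_der, spki_der) for rr in tlsa_rrset):
        return "tls-authenticated"
    return "defer"  # certificate does not match any TLSA record: possible MITM
```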