This is an excellent proposal, thanks for writing it. While the draft recommends verification certificate according to RFC7817, neither this nor that doc make any mention of other developments in such validations, particularly with respect to OCSP (RFC6066 & the must-staple flag in RFC7633) and CAA DNS records for CA verification (RFC6844). I have recently run into exactly this issue with mail servers and certificates with such security features, and I see no reason why these enhancements should not also be at least recommended for mail servers too. Is that reasonable? Marcus -- Marcus Bointon Technical Director, Synchromedia Limited Creators of https://info.smartmessages.net/ UK 1CRM solutions https://www.syniah.com/ marcus@xxxxxxxxxxxxxxxxxx | https://www.synchromedia.co.uk/