
19 May
2025
2:03 a.m.
It appears that Michael Thomas via NANOG <nanog@lists.nanog.org> said:
On 5/18/25 4:09 PM, Randy Bush via NANOG wrote:
I think that most contemporary MTAs use some form of (weak) authenticated identity. The most common that I see is reverse DNS with forward DNS confirmation. A less common form of (client) authentication is username & password.
DANE
DKIM, actually.
No, really DANE. If you publish TLSA records for your mail server's certs, and you screw up and the TLSA doesn't match the cert, mail clients that do DANE, such as Comcast's, won't send you mail. That's pretty strong. MTA-STS does the same thing more kludgily for people who don't like DNSSEC.

R's,
John

PS: You can guess how I learned about that.
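The mismatch described in the message above can be caught before a certificate goes live by comparing the published TLSA RDATA with what the new certificate would produce. The following is an added example, not part of the original thread; the function names are hypothetical, the DER walker is minimal, and the "certificates" are constructed skeletons rather than real X.509 data.

```python
import hashlib

def read_tlv(data, pos):
    """Read one DER TLV header at pos; return (value_start, value_end)."""
    length = data[pos + 1]
    start = pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[start:start + n], "big")
        start += n
    return start, start + length

def spki_der(cert_der):
    """Return the SubjectPublicKeyInfo TLV of a DER-encoded certificate."""
    pos = read_tlv(cert_der, 0)[0]           # enter Certificate SEQUENCE
    pos = read_tlv(cert_der, pos)[0]         # enter tbsCertificate SEQUENCE
    if cert_der[pos] == 0xA0:                # optional [0] version field
        pos = read_tlv(cert_der, pos)[1]
    for _ in range(5):                       # serial, sigalg, issuer, validity, subject
        pos = read_tlv(cert_der, pos)[1]
    return cert_der[pos:read_tlv(cert_der, pos)[1]]

def tlsa_data(cert_der, selector, mtype):
    """Association data per RFC 6698: selector 0=cert, 1=SPKI; mtype 0/1/2."""
    blob = cert_der if selector == 0 else spki_der(cert_der)
    if mtype == 0:
        return blob.hex()
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](blob).hexdigest()

def check_tlsa(cert_der, rdata):
    """rdata is 'usage selector mtype hex' as published; True if cert matches."""
    _usage, selector, mtype, assoc = rdata.split(None, 3)
    return tlsa_data(cert_der, int(selector), int(mtype)) == assoc.replace(" ", "").lower()

# Constructed sample data below: a DER skeleton shaped like a certificate.
def der(tag, body):
    return bytes([tag, len(body)]) + body    # short-form lengths only

def sample_cert(key, serial):
    """Build a constructed certificate skeleton around placeholder key bytes."""
    fields = der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
    tbs = der(0x30, fields + der(0x30, b"") * 4 + der(0x30, key))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

if __name__ == "__main__":
    old = sample_cert(b"old-key-placeholder", 1)
    published = "3 1 1 " + tlsa_data(old, 1, 1)
    for label, cert in (("renewed, same key", sample_cert(b"old-key-placeholder", 2)),
                        ("rekeyed", sample_cert(b"new-key-placeholder", 3))):
        print(label, "matches" if check_tlsa(cert, published) else "MISMATCH")
```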