Pinning TLS certificates
Many SMTP servers (MX gateways) already offer TLS, the same form of security that HTTPS uses on the web. A sending MTA can then issue the STARTTLS command to upgrade its TCP connection to TLS. Unfortunately, STARTTLS is opportunistic: if the receiving server does not advertise the capability in its EHLO response, the sender simply carries on in plaintext, and a man-in-the-middle can strip that capability from the response (a 'downgrade attack') without the sender being able to tell the difference. Even when TLS is negotiated, the sender usually cannot verify the server's certificate, because the MX hostname itself came from an unauthenticated DNS lookup. DANE closes both gaps: the MX operator publishes a TLSA record, signed with DNSSEC, that pins the certificate or public key the gateway will present, so a sending MTA that validates DANE knows that TLS must be available and which certificate to expect. On its own, STARTTLS is therefore not a complete solution.
Support for DANE validation
Much MTA software can now be configured to perform DANE validation before delivering mail to an MX gateway. Programs that support DANE validation include:
- IndiMail (qmail)
- Cisco AsyncOS for Email Security Appliances
- Cloudmark Security Platform for Email
- Halon [1, 2]
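What "DANE validation" amounts to on the sending side, and what the MX operator publishes to enable it, is shown below as an added example; it is not code from the page or from any of the products listed, and it follows the SMTP profile in RFC 7672 using only the Python standard library. The function names, the probe hostname and the test certificate (a constructed, unsigned DER skeleton with a fake key, built by `make_test_cert`) are assumptions. The TLSA lookup itself, which must come back DNSSEC-validated (AD bit set), is left to the caller, for example `dig +dnssec TLSA _25._tcp.mx.example.nl`, because the standard library has no resolver that exposes that.

```python
# Added example (not from the page or any MTA above): DANE TLSA handling for SMTP per RFC 7672.
import hashlib
import hmac
import smtplib
import ssl

_DIGEST = {0: lambda d: d,                               # matching type 0: exact data
           1: lambda d: hashlib.sha256(d).digest(),      # 1: SHA-256
           2: lambda d: hashlib.sha512(d).digest()}      # 2: SHA-512

def _der_header(buf, pos=0):
    """(header_length, content_length) of the DER TLV starting at buf[pos]."""
    first = buf[pos + 1]
    if first < 0x80:
        return 2, first
    n = first & 0x7F
    return 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def der_children(tlv):
    """Split a constructed DER value (SEQUENCE/SET) into its child TLVs, headers included."""
    hdr, length = _der_header(tlv)
    body, out, pos = tlv[hdr:hdr + length], [], 0
    while pos < len(body):
        h, l = _der_header(body, pos)
        out.append(body[pos:pos + h + l])
        pos += h + l
    return out

def spki_from_cert(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 cert, tag and length included (what selector 1 hashes)."""
    fields = der_children(der_children(cert_der)[0])   # children of tbsCertificate
    if fields[0][0] == 0xA0:                            # optional explicit [0] version
        fields = fields[1:]
    return fields[5]    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo

def tlsa_name(mx_host, port=25):
    """Owner name of the TLSA RRset a DANE-aware sender queries for this MX."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."

def parse_tlsa(presentation):
    """'usage selector mtype hex...' (zone-file / dig form) -> (usage, selector, mtype, bytes)."""
    usage, selector, mtype, *hexparts = presentation.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))

def _assoc_data(selector, mtype, cert_der):
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    return _DIGEST[mtype](data)

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """Record the MX operator publishes; 3 1 1 (DANE-EE, SPKI, SHA-256) is the recommended form."""
    return f"{usage} {selector} {mtype} {_assoc_data(selector, mtype, cert_der).hex()}"

def tlsa_matches(record, cert_der):
    _usage, selector, mtype, assoc = record
    return hmac.compare_digest(_assoc_data(selector, mtype, cert_der), assoc)

def delivery_policy(tlsa_records, chain, dnssec_secure):
    """How a DANE-aware sender treats the MX (RFC 7672 / Postfix 'dane' level semantics).
    chain: DER certificates presented by the server, leaf first."""
    if not dnssec_secure or not tlsa_records:
        return "opportunistic"   # nothing pinned: a stripped STARTTLS goes unnoticed
    # Only DANE-TA (2) and DANE-EE (3) are usable for SMTP; PKIX usages 0/1 are skipped.
    usable = [r for r in tlsa_records if r[0] in (2, 3) and r[1] in (0, 1) and r[2] in _DIGEST]
    if not usable:
        return "encrypt-only"    # TLS still required, but the certificate is not authenticated
    for rec in usable:
        # DANE-EE pins the leaf; DANE-TA pins an issuer in the chain (chain signatures are the TLS library's job).
        candidates = chain[:1] if rec[0] == 3 else chain[1:]
        if any(tlsa_matches(rec, c) for c in candidates):
            return "verified"
    return "reject"              # pinned but nothing matched: assume interception, do not deliver

def fetch_leaf_cert(mx_host, port=25, helo="dane-probe.example"):
    """Live probe (needs network; not used offline): EHLO, STARTTLS, return the leaf cert DER.
    PKIX verification is off because DANE, not the CA store, supplies the trust here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with smtplib.SMTP(mx_host, port, timeout=20) as s:
        s.ehlo(helo)
        if not s.has_extn("starttls"):
            raise RuntimeError("STARTTLS not offered: plaintext-only MX, or a downgrade in progress")
        s.starttls(context=ctx)
        return s.sock.getpeercert(binary_form=True)

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def make_test_cert(key_bytes):
    """Constructed test input: unsigned X.509 skeleton (valid DER layout, not a real cert). Returns (cert, SPKI)."""
    rsa = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010101")) + _der(0x05, b""))
    spki = _der(0x30, rsa + _der(0x03, b"\x00" + key_bytes))
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"240101000000Z") * 2)
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg
               + _der(0x30, b"") + validity + _der(0x30, b"") + spki)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 9)), spki
```

On the publishing side, `tlsa_rdata(cert)` yields the `3 1 1 <sha256>` rdata to put at `tlsa_name("mx.example.nl")` in a DNSSEC-signed zone; pinning the public key (selector 1) rather than the whole certificate means a renewed certificate for the same key needs no DNS change. On the sending side, `delivery_policy([parse_tlsa(rdata)], [leaf_cert], dnssec_secure=True)` returns `"verified"` when the pin matches, `"reject"` when a secure TLSA record exists but nothing matches (the case a downgrade or a substituted certificate produces), `"encrypt-only"` when the records are all unusable for SMTP, and `"opportunistic"` when there is no validated TLSA record at all, which is the plain-STARTTLS situation the section above describes.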
Use increasing rapidly
STARTTLS and DANE for incoming mail were added to the Dutch government's 'use-or-explain' list of standards back in 2015. Mandatory DANE validation (the check performed by the sending side) was not introduced at the same time, however, because too little software supported the technology at that point.
The use of DANE for mail is now increasing rapidly [1, 2]. According to SIDN Labs' TLSA statistics, the number of .nl domains whose MX gateways pin their TLS certificates with DANE has roughly doubled in the last six months. The implementation of DANE by One.com, which manages a considerable number of .nl domains, has been an important contributor to that trend. TransIP configured DANE for its domains some time ago.
More recently, the registry for Sweden's .se country-code domain introduced a financial incentive scheme to promote the use of DANE. We may well consider following suit in due course. Our experience with DNSSEC (signing) shows that incentivisation can be very effective in promoting adoption. Details of SIDN's current incentive schemes for registrars are given in section 7 of our earlier IPv6 inventory.