STARTTLS and DANE for outgoing mail mandatory for government organisations
At the end of 2018, the validation of DANE for outgoing mail was added to the Forum for Standardisation's 'use-or-explain' list. Addition to the list means that government and quasi-government organisations are more or less obliged to implement the standards.Together, TLS, StartTLS and DANE provide for a secure — i.e. cryptographically protected — connection for the transmission of e-mail messages. The three standards build on the existing infrastructure for DNSSEC, which has been on the 'use-or-explain' list for quite some time.
Pinning TLS certificates
Many SMTP servers (MX gateways) already offer the option of enabling TLS, the same form of security as used in HTTPS for the web. Delivering mail systems can then use the StartTLS command to upgrade their TCP connections to TLS. Unfortunately, clients are not obliged to cooperate, and a man-in-the-middle can easily hide a server's StartTLS capability from a client (a 'downgrade attack'). Consequently, StartTLS is not a complete solution.
Support for DANE validation
A lot of MTA software can now be configured to go through a DANE validation procedure before delivering mail to an MX gateway. Programs that support DANE validation include:
Use increasing rapidly
STARTTLS and DANE for incoming mail were added to the 'use-or-explain' list back in 2015. However, mandatory DANE validation wasn't introduced at the same time because not enough software supported the technology.
Now the use of DANE for mail is increasing rapidly [1, 2]. According to SIDN Labs' TLSA statistics, cryptographic anchoring of TLS certificates on MX gateways in the .nl zone has roughly doubled in the last six months. The implementation of DANE by One.com, which manages a considerable number of .nl domains, has been an important contributor to that trend. TransIP configured DANE for its domains some time ago.
More recently, the registry for Sweden's .se country-code domain introduced a financial incentive scheme to promote the use of DANE. We may well consider following suit in due course. Our experience with DNSSEC (signing) shows that incentivisation can be very effective in promoting adoption. Details of SIDN's current incentive schemes for registrars are given in section 7 of our earlier IPv6 inventory.