Verifying SMTP TLS with DANE

On October 2, 2018, I gave a talk at the OneConference (with co-presenter Patrick Koetter).

Slides

Here are the slides. Note that the numbers in the report are about the (number of domains seen in the) month of September 2018, unless otherwise indicated.

Errata

In the presentation, I talk about "Implementation errors", without going into details. Turns out, the biggest implementation error was caused by ourselves: we accidentally had a firewall that filters UDP fragments. This breaks (a lot of) EDNS0 queries over UDP, especially queries where the answer doesn't fit a single UDP packet.
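The condition behind this erratum can be checked from the query side: a resolver that advertises an EDNS0 UDP buffer larger than one unfragmented packet invites fragmented replies, which a fragment-filtering firewall then drops. The following is an added example, not code from the talk or from the monitoring scripts; the query name, the 1500-byte path MTU and all function names are assumptions.

```python
import struct

IPV4_UDP_OVERHEAD = 20 + 8   # IPv4 header without options + UDP header
OPT_RR_TYPE = 41             # EDNS0 OPT pseudo-record (RFC 6891)
TLSA = 52                    # RR type looked up for DANE
def build_query(qname, qtype, udp_size):
    """Build a DNSSEC-aware query with an EDNS0 OPT record (constructed sample input)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    ttl = 0x8000             # DO flag set: ask for RRSIGs, which makes replies large
    opt = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, udp_size, ttl, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:    # a compression pointer ends the name
            return off + 2
        off += 1 + length

def edns_settings(msg):
    """Return (advertised_udp_size, do_bit) from a DNS message, or None without OPT."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT_RR_TYPE:                 # CLASS field carries the buffer size
            return rclass, bool(ttl & 0x8000)
    return None

def fragmentation_exposure(msg, path_mtu=1500):
    """Classify whether replies to this query may arrive as UDP fragments."""
    settings = edns_settings(msg)
    if settings is None:
        return "no-edns"                         # replies are capped at 512 bytes
    size, _ = settings
    if size > path_mtu - IPV4_UDP_OVERHEAD:
        return "may-fragment"                    # lost if fragments are filtered
    return "fits-one-packet"
```

Feeding it queries captured from the validating resolver shows whether large TLSA/RRSIG answers depend on fragments getting through the firewall.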

DANE monitoring scripts

At some point I will make the scripts available that I use to collect DANE failures from our log files. Since we use Cloudmark gateway using home-grown DANE logging, these scripts will most likely not map to your use case without some modification, but they might be helpful.