Google wants to add 'not encrypted' warnings to Gmail

Vic

Re: We're the only one...

So you mean in HTTPS, if foo.com is a CNAME for bar.com, a bar.com certificate is valid for foo.com?

No. We're not talking about HTTPS. We're talking about SMTP.

Moreover, you can't be sure the domain owner trusted that server; how could you know from the MX result alone?

If the MX record for one domain says to use the MTA for another, then you have an explicit, stated trust relationship. If, as a domain owner, you don't trust the domain's MTA, don't use it.

Face it, SMTP security is broken

It isn't. It just needs more widespread adoption of the security measures in place. At present, hardly any are actually used, yet we still get encryption.

it needs a new RFC

So go and write one. And get others to adopt it.

In the meantime, leave the rest of us to get on with improving things to make the most of what we've got.

Vic.
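
The name check under discussion, as an added example that is not part of the post above: it compares the certificate each MX host presents against the MX target name (the host the MX record designates) and, for contrast, against the recipient domain. The domains, MX answers and certificate SAN lists are constructed sample data, and `check_delivery` is a hypothetical helper name.

```python
# Constructed sample data: MX answers for the recipient domain and the
# dNSName SANs of the certificate each MX host presents after STARTTLS.
MX_RECORDS = {
    "foo.example": [(20, "mx2.bar.example."), (10, "mx1.bar.example."),
                    (30, "mx3.bar.example.")],
}
CERT_SANS = {
    "mx1.bar.example": ["mx1.bar.example"],
    "mx2.bar.example": ["*.bar.example"],
    "mx3.bar.example": ["mail.other.example"],  # mismatched certificate
}


def dns_name_matches(pattern, host):
    """Compare a certificate dNSName with a host name, case-insensitively.

    A wildcard is accepted only as the entire left-most label and stands
    for exactly one label; a bare "*.tld" pattern is rejected.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_delivery(domain, mx_records=MX_RECORDS, cert_sans=CERT_SANS):
    """For each MX target (lowest preference first), report whether its
    certificate names the MX host and whether it names the mail domain."""
    results = []
    for _pref, target in sorted(mx_records[domain]):
        host = target.rstrip(".").lower()
        sans = cert_sans.get(host, [])
        results.append({
            "mx": host,
            "matches_mx_host": any(dns_name_matches(s, host) for s in sans),
            "matches_recipient_domain":
                any(dns_name_matches(s, domain) for s in sans),
        })
    return results


if __name__ == "__main__":
    for row in check_delivery("foo.example"):
        print(row)
```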
