In non-startling news, EFF says STARTTLS email crypto is mostly done wrong

streaky

DNS

since most DNS requests are still unauthenticated (see the section on DANE above), an active attacker can still man-in-the-middle the initial DNS request and convince the sender that the recipient doesn’t support MTA-STS

That might be true, and is in fact; I've spoken about it here and elsewhere a number of times, but a unified solution is going to be messy. Personally I think there are a number of protocols we should be looking at again, and the email ones especially are part of this - like how we guarantee jurisdiction if security services come with warrants - but you can't solve all of this in one go. You really have to let DNS security be DNS security and email security be email security, and then pin mail server auth to DNS. We've seen from PGP how messy solutions don't solve the problem. The problem is MITM from otherwise well-configured servers.

Offer me the protocols and if I believe I need more secure email transport I'll use it.
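The quoted EFF point (an unauthenticated DNS answer for the `_mta-sts` TXT record can be stripped on first contact) and the reply's call to "pin mail server auth to DNS" both come down to what a sending MTA does when policy discovery returns nothing. The following is an added illustration, not code from the post, the EFF article or any real MTA: it models RFC 8461 discovery in simplified form (the TXT lookup, a policy file with `mode`/`mx`/`max_age`, and the sender-side cache), leaving out the HTTPS fetch, `id` comparison and `testing` mode. The domain `example.com`, the TXT string and the policy text are constructed sample data. It shows that a missing DNS answer downgrades a sender that has never seen the domain, while a sender holding an unexpired cached policy keeps enforcing TLS, which is why a long `max_age` is the defensive lever here.

```python
"""Simplified model of MTA-STS policy discovery (RFC 8461), written as an
added illustration; it is not code from the post or from the EFF article.
A sending MTA looks up the _mta-sts.<domain> TXT record, fetches the policy
over HTTPS, and caches it for max_age seconds.  Because the TXT lookup is
plain DNS, an on-path attacker can make the answer disappear; on first
contact that leaves the sender with nothing to enforce, but a policy that
is already cached keeps enforcement until it expires."""

# Constructed sample data standing in for a real resolver and policy host.
HONEST_TXT = {"_mta-sts.example.com": "v=STSv1; id=20240101T000000Z;"}
HONEST_POLICY = {
    "example.com": "version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 86400\n"
}


def parse_policy(text):
    """Parse the key: value lines of an MTA-STS policy file."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    return policy


def honest_resolver(name):
    """Resolver returning the constructed TXT record."""
    return HONEST_TXT.get(name)


def stripped_resolver(name):
    """What the sender sees when the unauthenticated DNS answer is removed."""
    return None


def fetch_policy(domain):
    """Stand-in for the HTTPS fetch of https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    return HONEST_POLICY[domain]


def discover(domain, resolve_txt, cache, now):
    """Return the policy governing delivery to `domain`, or None if there is
    nothing to enforce.  `cache` maps domain -> {"policy", "expires"}."""
    cached = cache.get(domain)
    if cached and now < cached["expires"]:
        return cached["policy"]          # fresh cache: DNS is not consulted
    txt = resolve_txt(f"_mta-sts.{domain}")
    if txt is None or not txt.startswith("v=STSv1"):
        return None                      # nothing discovered, nothing to pin
    policy = parse_policy(fetch_policy(domain))
    cache[domain] = {"policy": policy, "expires": now + policy["max_age"]}
    return policy


def must_enforce_tls(policy):
    """True only when a discovered policy requires authenticated TLS."""
    return policy is not None and policy.get("mode") == "enforce"


def demo():
    """Compare first contact and repeat contact under a stripped DNS answer."""
    cache = {}
    first = discover("example.com", honest_resolver, cache, now=0)
    # the next lookup's DNS answer is missing, but the policy is still cached
    repeat = discover("example.com", stripped_resolver, cache, now=3600)
    # a sender with no cache gets nothing and falls back to opportunistic TLS
    cold = discover("example.com", stripped_resolver, {}, now=0)
    return must_enforce_tls(first), must_enforce_tls(repeat), must_enforce_tls(cold)


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The third result is the downgrade the EFF quote describes: with no prior policy and no authenticated DNS, the sender has nothing to compare the stripped answer against. The second result is the mitigation MTA-STS itself offers: once a policy is cached, the attacker would have to suppress the TXT record continuously until `max_age` runs out, which is why operators are advised to set it long.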
