- 2018-10-22 DANE, sendmail, openssl, TLSv1.3
- 2016-12-12 DANE - the killer app for DNSSEC
2018-10-22 DANE, sendmail, openssl, TLSv1.3
Introduction
See my earlier entry for reasons to use DANE. The German Federal Office for Information Security recently published their requirements for secure transport of email. NIST recently published a document on email security, which advocates the use of DANE. The following organizations now publish TLSA records for their mail servers:
a21an.org 3 1 1 aanbodpagina.nl 3 0 1 alerts.comcast.net 3 0 1 allard.it 3 0 1 aminor.no 3 1 1 anubisnetworks.com 3 1 1 apnic.net 3 1 1 arminpech.de 2 1 1 artcom.de 3 1 1 augustin.pl 3 1 1 backschues.de 3 1 1 bakker.net 1 0 1 bayern.de 3 0 1 beerstra.org 3 1 2 bk-mail.com 3 0 1 bmwl.co 3 1 1 bogus.com 3 1 1 bund.de 3 0 1 byington.org 3 0 1 calcite.rhyolite.com 3 1 1 cesnet.cz 2 0 1 chaos1.de 3 0 1 cip.cs.fau.de 3 1 1 cip.cs.fau.de 3 1 2 comcast.net 3 1 1 consultant.com 3 1 1 crossivity.com 3 0 1 cs.fau.de 3 1 1 cs.fau.de 3 1 2 cybergal.com 3 1 1 debian.org 3 1 1 defcon.org 3 1 1 dekkers.ch 3 0 1 dk-hostmaster.dk 3 0 1 dns-oarc.net 3 0 1 dukhovni.org 3 1 1 earthling.net 3 1 1 edup.tudelft.nl 2 1 1 edup.tudelft.nl 3 1 1 email.com 3 1 1 esmtp.org 3 1 1 ethgen.de 3 0 1 fire.lp0.eu 3 1 2 five-ten-sg.com 3 0 1 freebsd.org 3 1 1 freenet.de 3 1 1 frm2.tu-muenchen.de 3 1 1 gallische-dorp.net 3 0 1 giesen.me 3 1 2 gluping.no 3 1 1 gmx.at 3 1 1 gmx.ch 3 1 1 gmx.com 3 1 1 gmx.co.uk 3 1 1 gmx.de 3 1 1 gmx.it 3 1 1 gmx.net 3 1 1 gmxpro.net 3 1 1 gmx-topmail.de 3 1 1 gmx.us 3 1 1 gohost.cz 3 1 1 gozmail.net 3 1 2 gtaylor.tnetconsulting.net 3 1 1 hansenpartnership.com 3 1 1 hauke-m.de 3 1 1 heikorichter.name 3 0 1 heinlein-support.de 3 1 1 horde.net 3 0 1 ietf.org 3 1 1 iki.fi 2 0 1 iname.com 3 1 1 incertum.net 2 1 1 informatik.uni-erlangen.de 3 1 1 informatik.uni-erlangen.de 3 1 2 infracaninophile.co.uk 3 1 1 intershop.de 3 0 2 isc.org 3 0 1 iwmail.com 3 1 1 jasperalblas.nl 3 0 1 jauu.net 3 1 1 jhcloos.com 3 1 1 johani.org 3 1 1 jpbe.de 3 1 1 jpberlin.de 3 0 1 jpberlin.de 3 1 1 kabelmail.de 3 0 1 kania-online.de 3 1 1 karotte.org 3 1 1 keemail.me 3 0 1 killian.com 3 0 1 klam.ca 3 1 1 kolabsys.com 3 0 1 lavabit.com 3 0 1 leonweber.de 3 0 1 leuxner.net 3 1 1 lists.grepular.com 2 1 1 lists.isc.org 3 0 1 lists.microscopium.de 3 0 1 lists.samba.org 2 1 1 lists.samba.org 3 0 1 lothlorien.ca 3 1 1 lrz.de 3 1 1 mailbox.org 3 1 1 mail.com 3 1 1 mail.de 3 1 1 mail.org 3 1 1 mgm51.com 3 1 1 microscopium.de 3 0 1 mindless.com 3 1 1 mkbbelangen.nl 3 0 1 ml.karotte.org 3 1 1 monksofcool.net 2 1 1 mork.no 3 1 1 mortis.eu 3 1 1 mykolab.com 3 0 1 nerd-residenz.de 3 1 1 netassist.ua 3 0 1 netbsd.org 3 1 1 netherlabs.nl 3 1 2 nic.br 3 1 1 nic.cz 3 1 1 nic.fr 3 0 1 nikhef.nl 2 1 1 nikhef.nl 3 1 1 nlnetlabs.nl 3 1 1 noordervliet.net 2 1 1 null.net 3 1 1 offerman.com 3 0 1 open.ch 2 1 1 open.ch 3 1 1 openssl.org 3 1 1 open-xchange.com 3 0 1 pahem.de 3 1 1 posix.co.za 3 1 1 posteo.de 3 1 1 posteo.se 3 1 1 powerdns.com 3 1 1 powerdns.com 3 1 2 prime.gushi.org 3 0 1 programmer.net 3 1 1 psg.com 3 1 1 quux.de 2 0 2 registro.br 3 1 1 rellim.com 3 1 1 rhrk.uni-kl.de 3 0 1 rhyolite.com 3 1 1 roeckx.be 3 1 1 rshell.org 3 1 1 rtp-net.org 3 1 2 rub.de 3 0 1 samba.org 2 1 1 samba.org 3 0 1 sandwich.net 3 1 1 schildbach.de 3 1 1 semperen.com 3 1 1 sidn.nl 3 1 1 sigma-chemnitz.de 2 0 1 smart.ms 3 1 1 sotecware.net 3 0 1 spodhuis.org 2 0 1 ssd.axu.tm 2 0 1 sticht.net 3 0 1 strotmann.de 2 1 1 swm.pp.se 3 0 1 swordarmor.fr 3 1 2 sys4.de 3 1 1 t-2.com 3 0 1 t-2.net 3 0 1 t3i.nl 3 0 1 techie.com 3 1 1 tecnico.ulisboa.pt 3 1 1 tecnico.ulisboa.pt 3 1 2 th-k.net 3 0 1 tnetconsulting.net 3 1 1 toke.dk 3 1 1 torproject.org 3 1 1 trashmail.com 3 0 2 trouble.is 3 1 1 tum.de 3 1 1 tuta.io 3 0 1 tutanota.com 3 0 1 u-1.phicoh.com 3 1 1 unitybox.de 3 1 1 unitymedia.de 3 0 1 usa.com 3 1 1 vulnscan.org 2 1 1 web.de 3 1 1 wheres5.com 3 1 2 wizmail.org 2 0 1 wk-serv.de 3 0 1 xs4all.net 3 1 1 xs4all.nl 3 1 1 z0z0.tk 3 1 2
Source code
Starting with openssl-1.1.1.tar.gz, we produce a Centos rpm openssl11-1.1.1-1.el6.src.rpm. This openssl11 version installs in /usr/local, so it does not conflict with the stock Centos version in /usr. This version enables TLSv1.3.
Starting with sendmail.8.16.0.29 snapshot, and adding my DANE patch we produce sendmail-8.16.0-7.el6.src.rpm. That rpm depends on the openssl11 rpm above. The original sendmail snapshot included partial support for DANE-EE (3-1-1) records. This patch updates that with the DANE code in openssl which supports all the DANE types. This rpm is built with -D_FFR_TLSA_DANE2 to use the DANE code from openssl. You can install the patch into a sendmail source tree, and build with -D_FFR_TLSA_DANE to get the original snapshot partial DANE support.
Centos code
These rpms can be built on Centos6, or Centos7 with "rpmbuild --rebuild --define 'dist .el7' ..."
openssl11-1.1.1-1.el6.src.rpm
sendmail-8.16.0-7.el6.src.rpm
sendmail-8.16.0-dane.patch
On Centos, the stock sendmail requires openldap. On Centos6, openldap requires libssl3, but does not require libssl. However, on Centos7, openldap requires both libssl3 and libssl. That leads to a shared library conflict, where sendmail directly requires libssl.so.11, and indirectly via openldap requires libssl.so.10. This sendmail source rpm builds sendmail without ldap to avoid that conflict.
OpenSSL 1.1.1 will try to use TLSv1.3, but it may end up sending a very large SSL client HELLO message if you have a large CACertFile. Check your sendmail.cf settings for
O CACertFile O CACertPath
CACertFile should only contain a few CA certificates, including the one that signed your ServerCertFile. CACertPath should point to a directory containing the certificates, one per file, of the CAs that you want to trust. If your config looks like
O CACertFile=/etc/pki/tls/certs/ca-bundle.crt O CACertPath=/etc/pki/tls/certs
you need to split that bundle into separate files, possibly using something like
cd /etc/pki/tls/certs
rm -f root.ca.cert* *.0
csplit -n 4 -k -f root.ca.cert. ca-bundle.crt '/END CERTIFICATE/+1' '{*}'
for fn in root.ca.cert*; do
[ -s "$fn" ] && ln -s $fn $(openssl x509 -noout -hash < $fn).0
done
and then change the config to something like
O CACertFile=/etc/pki/tls/certs/one-ca-certificate.pem O CACertPath=/etc/pki/tls/certs
DANE usage in sendmail
First, ensure that your sendmail installation is talking to a trusted validating recursive resolver. One way to achieve this is to run Bind and sendmail on the same machine, and point /etc/resolv.conf to localhost, and of course configure Bind with:
options {
dnssec-enable yes;
dnssec-validation auto;
}
Add the following to your /etc/mail/sendmail.mc and rebuild sendmail.cf:
LOCAL_CONFIG O DANE=always
The DANE option can be one of (true, false, always); the default is false. If DANE=True, sendmail only uses TLSA records that are secured by DNSSEC. If DANE=always, sendmail uses all TLSA records, including those found as a result of insecure MX, CNAME, or TLSA responses.
dig isc.org mx +short 10 mx.pao1.isc.org. 20 mx.ams1.isc.org. dig _25._tcp.mx.ams1.isc.org. tlsa +short 3 0 1 5EF9B10DA21B2711522982EAD699FBABE77FD07FF07AC810608A85DA 66AFE916
Test cases that work
- Two MX records, both with usable TLSA records, and both servers
advertise starttls. The primary MX server key does not match the TLSA
record. Mail will be delivered (verify=TRUSTED) to the secondary MX.
test1 IN MX 10 test1a IN MX 20 test1b test1a A 69.167.152.113 test1b A 38.64.93.21 _25._tcp.test1a TLSA 3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4 _25._tcp.test1b TLSA 3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
- One MX record with a usable TLSA record, and the server advertises
starttls. The server key does not match the TLSA record. Mail will
bounce (403 4.7.0 DANE check failed).
test2 IN MX 10 test2a test2a A 69.167.152.113 _25._tcp.test2a TLSA 3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
- Two MX records, both with usable TLSA records, but the primary MX
does not advertise starttls. Mail will be delivered (verify=TRUSTED) to the secondary
MX.
test3 IN MX 10 test3a IN MX 20 test3b test3a A 69.167.152.152 test3b A 38.64.93.21 _25._tcp.test3a TLSA 3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4 _25._tcp.test3b TLSA 3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4 - One MX record with a usable TLSA record, but the server does not
advertise starttls. Mail will bounce (403 4.7.0 server not authenticated).
test4 IN MX 10 test4a test4a A 69.167.152.152 _25._tcp.test4a TLSA 3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
- One MX record with an unusable (usage not 2 or 3) TLSA record. The
server advertises starttls. Mail will be delivered (verify=FAIL) unauthenticated.
test5 IN MX 10 test5a test5a A 38.64.93.21 _25._tcp.test5a TLSA 1 0 2 437A2A0C21D29C95FA036E982421EAE07FB180935C97D719AEDFAA5E 46FB64AE10C09266A0EC42E5D360785B5233B116F32868DDE7E81B2F BE6870D4B5781C63
- One MX record with an unusable (usage not 2 or 3) TLSA record. The
server does not advertise starttls. Mail will bounce (403 4.7.0 server not authenticated).
test6 IN MX 10 test6a test6a A 69.167.152.152 _25._tcp.test6a TLSA 1 0 2 437A2A0C21D29C95FA036E982421EAE07FB180935C97D719AEDFAA5E 46FB64AE10C09266A0EC42E5D360785B5233B116F32868DDE7E81B2F BE6870D4B5781C63
- One MX record with an unusable (selector not 0 or 1) TLSA
record. The server advertises starttls. Mail will be delivered (verify=FAIL) unauthenticated.
test7 IN MX 10 test7a test7a A 38.64.93.21 _25._tcp.test7a TLSA 3 2 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
- One MX record with an unusable (selector not 0 or 1) TLSA
record. The server does not advertise starttls. Mail will bounce (403 4.7.0 server not authenticated).
test8 IN MX 10 test8a test8a A 69.167.152.152 _25._tcp.test8a TLSA 3 2 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
- One MX record with an unusable (match > 2) TLSA record. The server
advertises starttls. Mail will be delivered (verify=FAIL) unauthenticated.
test9 IN MX 10 test9a test9a A 38.64.93.21 _25._tcp.test9a TLSA 3 0 4 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
- One MX record with an unusable (match > 2) TLSA record. The server
does not advertise starttls. Mail will bounce (403 4.7.0 server not authenticated).
test10 IN MX 10 test10a test10a A 69.167.152.152 _25._tcp.test10a TLSA 3 0 4 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
- One MX record with an unusable (bad digest length) TLSA
record. The server advertises starttls. Mail will be delivered (verify=FAIL) unauthenticated.
test11 IN MX 10 test11a test11a A 38.64.93.21 _25._tcp.test11a TLSA 3 0 1 30c9c924329e4596feb3d2e34c93abb0
- One MX record with an unusable (bad digest length) TLSA
record. The server does not advertise starttls. Mail will bounce (403 4.7.0 server not authenticated).
test12 IN MX 10 test12a test12a A 69.167.152.152 _25._tcp.test12a TLSA 3 0 1 30c9c924329e4596feb3d2e34c93abb0
- Mail domain has a CNAME chain that ends with one MX record with a
usable TLSA record, and the server advertises starttls. The server key
matches the TLSA record. Mail will be delivered (verify=TRUSTED).
test13 IN CNAME test13a test13a IN MX 10 test13aa test13aa A 38.64.93.21 _25._tcp.test13aa TLSA 3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
- Mail domain has a CNAME chain that ends with one MX record with a
usable TLSA record, and the server advertises starttls. The server key
does not match the TLSA record. Mail will bounce (403 4.7.0 DANE check failed).
test14 IN CNAME test14a test14a IN MX 10 test14aa test14aa A 38.64.93.21 _25._tcp.test14aa TLSA 3 0 1 00c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
- Mail domain has a CNAME chain that ends with one MX record with a
usable TLSA record. The MX host has a CNAME chain that ends with an A
record (violating standards). The server advertises starttls. The
server key matches the TLSA record. Mail will be delivered (verify=TRUSTED).
test15 IN CNAME test15a test15a IN MX 10 test15aa test15aa IN CNAME test15aaa test15aaa IN CNAME test15aaaa test15aaaa A 38.64.93.21 _25._tcp.test15aa TLSA 3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
- Mail domain has a CNAME chain that ends with one MX record with a
usable TLSA record. The MX host has a CNAME chain that ends with an A
record (violating standards). The server advertises starttls. The
server key does not match the TLSA record. Mail will bounce (403 4.7.0 DANE
check failed).
test16 IN CNAME test16a test16a IN MX 10 test16aa test16aa IN CNAME test16aaa test16aaa IN CNAME test16aaaa test16aaaa A 38.64.93.21 _25._tcp.test16aa TLSA 3 0 1 00c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
- Mail domain has a CNAME chain that ends with one MX record. The
MX host has a CNAME chain that ends with an A record (violating
standards). The end of that chain has a usable TLSA record. The
server advertises starttls. The server key matches the TLSA
record. Mail will be delivered (verify=TRUSTED).
test17 IN CNAME test17a test17a IN MX 10 test17aa test17aa IN CNAME test17aaa test17aaa IN CNAME test17aaaa test17aaaa A 38.64.93.21 _25._tcp.test17aaaa TLSA 3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
- Mail domain has a CNAME chain that ends with one MX record. The
MX host has a CNAME chain that ends with an A record (violating
standards). The end of that chain has a usable TLSA record. The
server advertises starttls. The server key does not match the TLSA
record. Mail will bounce (403 4.7.0 DANE check failed).
test18 IN CNAME test18a test18a IN MX 10 test18aa test18aa IN CNAME test18aaa test18aaa IN CNAME test18aaaa test18aaaa A 38.64.93.21 _25._tcp.test18aaaa TLSA 3 0 1 00c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
- Mail domain has an MX record secured by DNSSEC. The MX host is in
an insecure domain with an A record. The query for TLSA records for
the MX host gets a timeout. Mail will be delivered (verify=FAIL)
unauthenticated to the MX host - we must not attempt delivery to the
test19 A record. The query for the TLSA record should be suppressed,
since the A record is in an insecure zone. But if the query is not
suppressed it will timeout, and that timeout must be ignored.
test19 IN MX 10 test19a.moretesting A 192.168.200.200 ; insecure zone moretesting test19a.moretesting A 38.64.93.21 _25._tcp.test19a.moretesting IN CNAME _25._tcp.test19aa.testing - Mail domain has an MX records secured by DNSSEC. The MX host has
an A record secured by DNSSEC. The query for TLSA records for the MX
host gets a timeout. Mail will bounce (403 4.7.0 DANE check failed).
We must not fallback and attempt delivery to the test20 A record.
test20 IN MX 10 test20a A 38.64.93.21 test20a A 38.64.93.21 _25._tcp.test20a IN CNAME _25._tcp.test20aa.testing - Mail domain has a CNAME chain that ends with one MX record. The
MX host has a CNAME chain that ends with an A record (violating
standards). Both ends of that chain have usable TLSA records. The
TLSA record at the start of the chain does not match the server key,
but should be ignored. The TLSA record at the end of the chain matches
the server key. The server advertises starttls. Mail will be
delivered (verify=TRUSTED).
test21 IN CNAME test21a test21a IN MX 10 test21aa test21aa IN CNAME test21aaa test21aaa IN CNAME test21aaaa test21aaaa A 38.64.93.21 _25._tcp.test21aaaa TLSA 3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4 _25._tcp.test21aa TLSA 3 0 1 00c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
- Mail domain has a CNAME chain that ends with one MX record. The
MX host has a CNAME chain that ends with an A record (violating
standards). Both ends of that chain have usable TLSA records. The
TLSA record at the start of the chain matches the server key, but
should be ignored. The TLSA record at the end of the chain does not
match the server key. The server advertises starttls. Mail will
bounce (403 4.7.0 DANE check failed).
test22 IN CNAME test22a test22a IN MX 10 test22aa test22aa IN CNAME test22aaa test22aaa IN CNAME test22aaaa test22aaaa A 38.64.93.21 _25._tcp.test22aaaa TLSA 3 0 1 00c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4 _25._tcp.test22aa TLSA 3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
- Mail domain has a CNAME chain that ends with one MX record. The
MX host has a CNAME chain that ends with an A record (violating
standards). Both ends of that chain have usable TLSA records. The
TLSA record at the start of the chain matches the server key. The
TLSA record at the end of the chain does not match the server key, but
should be ignored since the CNAME chain wanders thru an insecure zone.
The server advertises starttls. Mail will be delivered
(verify=TRUSTED).
test23 IN CNAME test23a test23a IN MX 10 test23aa test23aa IN CNAME test23aaa.moretesting ; -> test23aaa test23aaa IN CNAME test23aaaa test23aaaa A 38.64.93.21 _25._tcp.test23aaaa TLSA 3 0 1 00c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4 _25._tcp.test23aa TLSA 3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
- Mail domain has a CNAME chain that ends with one MX record. The
MX host has a CNAME chain that ends with an A record (violating
standards). Both ends of that chain have usable TLSA records. The
TLSA record at the start of the chain does not match the server key.
The TLSA record at the end of the chain matches the server key, but
should be ignored since the CNAME chain wanders thru an insecure zone.
The server advertises starttls. Mail will bounce (403 4.7.0 DANE check
failed).
test24 IN CNAME test24a test24a IN MX 10 test24aa test24aa IN CNAME test24aaa.moretesting ; -> test24aaa test24aaa IN CNAME test24aaaa test24aaaa A 38.64.93.21 _25._tcp.test24aaaa TLSA 3 0 1 30c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4 _25._tcp.test24aa TLSA 3 0 1 00c9c924329e4596feb3d2e34c93abb064086493d9d9ab7b3e77543a7a9574a4
Remaining issues
-
The order of callbacks in TLSv1.3 has changed from previous versions. This patch needs to be updated to operate with either the 1.2 or 1.3 order of callbacks.
-
Consider the case where the sendmail box is using a validating trusted resolver (perhaps on localhost) that is *also* an authoritative source (master or slave) for a DNSSEC secured zone. In the case of Bind 9, queries for that zone will not have the ad bit set, but will have the aa bit set. This patch considers the answers to be secure if either of those bits are set. This is similar to treating a locally configured MX record as authoritative and secure, via a mailer table entry:
example.com esmtp:[example-com01b.mail.protection.outlook.com]
-
If you include define(`TLS_PERM_ERR', 1) in sendmail.mc, the DANE checks can be a bit fragile. A timeout on the TLSA lookup for a locally configured MX record as above will cause an immediate 503 5.7.0 DANE check failure.
-
RFC 7672 specifies DANE usage for SMTP. This patch, with Dane=always, will enforce TLS to a domain that publishes TLSA records, but is insecure (does not publish DS records). There are other places where domain owners publish security keys via insecure DNS. Consider:
dig yahoo.com txt +short "v=spf1 redirect=_spf.mail.yahoo.com" dig _spf.mail.yahoo.com txt +short "v=spf1 ptr:yahoo.com ptr:yahoo.net ?all" dig s1024._domainkey.yahoo.com txt +short "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDrEee0Ri4Juz+QfiWYui/E9UGSXau/2P8LjnTD8V4Unn+2FAZVGE3kL23bzeoULYv4PeleB3gfm" "JiDJOKU3Ns5L4KJAUUHjFwDebt0NP+sBK0VKeTATL2Yr/S3bT/xhy+1xtj4RkdV7fVxTn56Lb4udUnwuxK4V5b5PdOKj/+XcwIDAQAB; n=A 1024 bit key;" dig _dmarc.yahoo.com txt +short "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_y_rua@yahoo.com;"
Yahoo does not bother to secure their zone with DNSSEC, yet other mail receivers will use these unauthenticated indications from Yahoo as the basis for rejecting mail that seems to be from Yahoo. If Yahoo were to publish TLSA records for their mail servers, why should we not use those unauthenticated records to enforce TLS when sending mail to Yahoo?