We’re excited to announce that Gmail will become the first major email provider to follow the new SMTP MTA Strict Transport Security (MTA-STS) RFC 8461 and SMTP TLS Reporting RFC 8460 internet standards. Those new email security standards are the result of three years of collaboration within IETF, with contributions from Google and other large email providers.
Google hopes other email services will also adopt these new security standards.
It seems to boil down to using publicly trusted (i.e., signed by a certificate authority) certificates for the TLS connection, and a policy that has to be published over HTTPS on a well-known URL: https://mta-sts.DOMAIN_TO_PROTECT/.well-known/mta-sts.txt.
(I think it’s rather ugly that the policy is to be retrieved over HTTPS, but I assume that is to make sure that a ubiquitously deployed authenticated protocol is used, as opposed to DNSSEC, which seems still not supported by all DNS providers.)
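For readers who want to see what such a policy file looks like and how a receiving MX is checked against it, here is an added example (not part of the original post, and not Google's or Exim's code) that parses an RFC 8461 policy and applies its `mx` patterns. It assumes the policy text has already been retrieved over HTTPS from the well-known URL with a validated certificate; the sample policy below is constructed for the example.

```python
"""Parse an RFC 8461 MTA-STS policy and check MX hostnames against it."""

# Constructed sample policy, as it would be served at
# https://mta-sts.<domain>/.well-known/mta-sts.txt (text/plain).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


def parse_policy(text: str) -> dict:
    """Return the policy as a dict; raise ValueError on an unusable policy."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy[key] = int(value)  # seconds the cached policy stays valid
        elif key in ("version", "mode"):
            policy[key] = value
        # Unknown keys are ignored so newer policy extensions do not break us.
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if "max_age" not in policy:
        raise ValueError("missing max_age")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy needs at least one mx entry")
    return policy


def mx_matches(pattern: str, hostname: str) -> bool:
    """A leading '*.' matches exactly one leftmost label, never zero or several."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, sep, rest = hostname.partition(".")
        return bool(sep) and head != "" and rest == pattern[2:]
    return pattern == hostname


def allowed_mx(policy: dict, hostname: str) -> bool:
    """True if the MX host (from DNS) may be used under this policy."""
    return any(mx_matches(p, hostname) for p in policy["mx"])
```

Under `mode: enforce`, a sending MTA that finds the DNS-advertised MX outside the `mx` list, or cannot validate the certificate presented by that host, must not deliver over that connection; under `testing` it delivers anyway and only reports the failure (that is where RFC 8460 TLS reporting comes in).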
It seems that at least the developers of Exim have no intention of adding support for this:
The mentioned arguments seem to be valid: Rather than having to trust all certificate authorities, it would be more logical to let the domain specify exactly what to trust using DANE (which requires DNSSEC to be useful, whose non-ubiquity I assume is the reason for MTA-STS to exist) Trust Anchor Assertion (DANE-TA) or Domain issued certificate (DANE-EE):
Made me learn a bit more about security options for email, nice :-).