In reply to Comment by Reader Charles

Andrew Ayer on 2014-08-14 at 16:28:

You raise yet another issue, which is checking certificates. I would guess that virtually no email provider checks certificates. The problem is that there's no way to know what the name on the certificate should be. Ideally it would match the domain of the email address you're sending to, but this is rarely the case because domains usually delegate their mail to servers under other domains using MX records. And without DNSSEC, the MX delegation is completely unauthenticated, making it pointless to check that the certificate name matches the name in the MX record.

For example,'s smallest-priority MX server is ``. The names on ``'s certificate are:,,,,,,,,,,,,,,,,,,, doesn't appear anywhere in that list. So even though the name of the MX server does appear in that list, since the MX record lookup was unauthenticated, a program has no way of knowing that `` is ``'s true MX server, and not a bogus server set up by an active attacker who can manipulate DNS.
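The argument in the comment above, worked through as an added example (this code is not from the original post or its author): it models the post-STARTTLS certificate-name check a sending mail server could make, and shows that when the MX record came from unauthenticated DNS, a certificate that correctly names the MX host gives exactly the same verdict for the genuine mail host and for an attacker's substitute. All hostnames, certificate names and the `lookup_mx` stand-in are constructed for illustration.

```python
"""
Added example (not from the original comment): a model of the certificate-name
check a sending mail server could apply after STARTTLS, showing that matching
the certificate against the MX hostname cannot detect a forged MX record unless
the MX lookup itself was authenticated (DNSSEC). Every hostname and certificate
name here is constructed for illustration.
"""
from __future__ import annotations

from enum import Enum
from typing import Optional


class Verdict(Enum):
    RECIPIENT_DOMAIN_MATCH = "certificate names the recipient's own domain"
    MX_MATCH_AUTHENTICATED = "certificate names the MX host and the MX record was DNSSEC-validated"
    MX_MATCH_UNAUTHENTICATED = "certificate names the MX host but the MX record is unauthenticated"
    NO_MATCH = "certificate names neither the recipient domain nor the MX host"


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-name match allowing one leading wildcard label,
    in the style of RFC 6125 section 6.4.3: '*.example' matches 'a.example'
    but not 'a.b.example' and not the bare 'example'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                 # '*.mailhost.example' -> '.mailhost.example'
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]      # the label the wildcard must cover
    return leftmost != "" and "." not in leftmost


def cert_matches(san_names: list[str], host: str) -> bool:
    """True if any subjectAltName dNSName on the certificate covers host."""
    return any(name_matches(name, host) for name in san_names)


def evaluate(recipient_domain: str, mx_host: str, san_names: list[str],
             mx_authenticated: bool) -> Verdict:
    """What a sender can conclude from the certificate presented by mx_host.
    A match on the recipient's own domain needs no trust in the MX lookup;
    a match on the MX name is only meaningful if that lookup was authenticated."""
    if cert_matches(san_names, recipient_domain):
        return Verdict.RECIPIENT_DOMAIN_MATCH
    if cert_matches(san_names, mx_host):
        return Verdict.MX_MATCH_AUTHENTICATED if mx_authenticated else Verdict.MX_MATCH_UNAUTHENTICATED
    return Verdict.NO_MATCH


# --- constructed scenario ----------------------------------------------------
RECIPIENT_DOMAIN = "example.org"          # domain of the address being mailed
REAL_MX = "mx1.mailhost.example"          # genuine MX, under a different domain
FORGED_MX = "mx.attacker.example"         # what an attacker forging DNS answers

# Constructed SAN lists. The genuine mail host's certificate names only its
# own domain, not its customers' domains; the attacker holds a perfectly valid
# certificate for the attacker's own hostname.
CERT_SANS = {
    REAL_MX: ["mailhost.example", "*.mailhost.example", "smtp.mailhost.example"],
    FORGED_MX: ["mx.attacker.example"],
}


def lookup_mx(attacker_in_path: bool, dnssec_validated: bool) -> Optional[tuple[str, bool]]:
    """Constructed stand-in for an MX lookup. Returns (mx_host, authenticated),
    or None when DNSSEC validation rejects a forged answer as bogus."""
    if attacker_in_path:
        if dnssec_validated:
            return None                   # forged RRset fails signature validation
        return FORGED_MX, False           # plain DNS: the forgery is accepted
    return REAL_MX, dnssec_validated


def deliver(attacker_in_path: bool, dnssec_validated: bool) -> Optional[Verdict]:
    """Resolve the MX, 'connect', and grade the certificate it would present."""
    found = lookup_mx(attacker_in_path, dnssec_validated)
    if found is None:
        return None                       # bogus DNSSEC result: defer, connect nowhere
    mx_host, authenticated = found
    return evaluate(RECIPIENT_DOMAIN, mx_host, CERT_SANS[mx_host], authenticated)


if __name__ == "__main__":
    for attacker, dnssec in [(False, False), (True, False), (False, True), (True, True)]:
        verdict = deliver(attacker, dnssec)
        outcome = verdict.value if verdict else "lookup rejected as bogus"
        print(f"attacker={attacker!s:5} dnssec={dnssec!s:5} -> {outcome}")
```

Without DNSSEC the first two runs return the identical `MX_MATCH_UNAUTHENTICATED` verdict, so a sender that matched the certificate against the MX name learns nothing about whether it reached the real mail host or the attacker's; only with a validated MX record does the same match carry weight, and a forged record is then rejected before any connection is made.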

