Our project account posted a thread about our recent migration of our mail server to using our ASN and IP space. They replied to the thread by attacking Postfix, DNSSEC and DANE. They promoted the insecure MTA-STS approach promoted by Google despite them not fully adopting it for Gmail similarly to how they don't even use an enforcing DMARC policy despite punishing others for not doing it. We explained Domain Validation depends on DNS security. We also explained MTS-STS isn't the same as browser WebPKI due to an insecure bootstrapping and refreshing system along with lack of mandatory Certificate Transparency. We talked about Google's anti-competitive practices when it comes to email. Here's the thread, read it for yourself:

https://x.com/Avamander/status/2025719336552284161

The fact is that if you use the org TLD then you trust whoever runs it to issue certificates for your website and the same for your domain registrar. There's no point in pretending otherwise. It's very clearly how the system works. WebPKI does not truly add value over a TLSA record and DNSSEC beyond Certificate Transparency which is reactive and is NOT part of MTA-STS. MTA-STS also doesn't have mandatory encryption but rather opportunistic and can be stopped from using it. Gmail, the service which MTA-STS was created to be used with, has 1 day max-age for it.

Gmail has a lot of quite blatant security weaknesses and phishing weaknesses. People largely repeat the mantra of it being secure because Google account login security is decent including an option to make it harder to hijack accounts via customer support missing elsewhere.

Not really interested in a debate about it where someone repeats talking points often visible here and gets angry with us for not agreeing including getting angry because people like our replies.

https://x.com/Avamander/status/2025719336552284161