DANE and TSLA in Cloudflare

Mail servers are notoriously careless with TLS certificates and will frequently and by default use whatever TLS certificate the recipient smtp server offers, without performing any checks whatsoever. (Because although bad security practice that does offer more transport security than sending the email in clear text) So my expectation for TLSA support and current uptake in mailservers is: not enough to be relevant (yet?)

mail servers also can not encrypt .zip and attachments too, so in old genration mail servers used to suppress zip with .exe files (including gmail ) and we used to change the extensions with .txt and we would able to send the .exe files too but nowadays google blocks such binaries too including js files. question is how? @Bob

The linked Cloudflare community discussion is 5 years old and no longer relevant. Cloudflare has since added TLSA records.

@Bob The mail servers are not "careless". A mail server is configured by administrators. The administrators usually have some reason for configuring the way that they configure. It is a relatively trivial configuration to require CA certificates on recipient servers. The reason this is not done is too many recipient servers are poorly configured, resulting in undeliverable mail. The same is true on on receiving mail, as many sending servers will not support encryption (my observation most commonly with lists and newsletters, likely saving on resource cost.)

@CADENTIC TLS encryption is only transport, so will encrypt everything. The filetype issues you are referring to are likely anti-mailware protection which prevents users from opening commonly infected filetypes.

attachment's encryptions are I guess mailserver specific. file filtrations are most likely anti-spam filtration eg. SpamAssassin. so user used to change the zip, exe into text and they would be able to send them out but nowadays Gmail outlook scan that too. not only the attachment's extensions. @paul pot is how did they do it?

Based on your comments to my answer below, you need to provide more details for your question to be answered, as currently whatever you are trying to accomplish and your current configurations are not adequately explained in this question.

I have enabled DNSSEC but can not figure out how can I add up DANE while our backend computes are behind a network load balancer in oracle cloud ( at always free tier)? @paul

You just need to create the TLSA record. [This tool](https://www.huque.com/bin/gen_tlsa) is one of the most straightforward, although it doesn't contain much explanation on what each option is for. You can create multiple records with different certificates. See [RFC 6698](https://datatracker.ietf.org/doc/html/rfc6698) and its updates for more information.

Cloudflare honor TLSA record if you keep them `DNS Only` neither it manages the key while Cloudflare (internal) CA changes it nor does it improve with it. so most likely it is not beneficial with Cloudflare. Cloudflare is benificial for `https` `hsts`.

DNSSEC i think is not mandatory for TLSA because within DNS management service within `OCI` you will have options for setting up DANE and TLSA

Read the Introduction to [RFC 7671](https://datatracker.ietf.org/doc/html/rfc7671#section-1). This entire thing is build on DNSSEC, so I really have no idea what you are talking about.

I sit in a Tesla and translated this thread with Ai: