an… …c@e.email
2/16/2025 6:22:57 PM - Server at DBAPR05MB6856.eurprd05.prod.outlook.com returned ‘550 5.7.323 tlsa-invalid: The domain failed DANE validation(450 4.7.323 tlsa-invalid: The domain failed DANE validation)’
2/16/2025 6:12:55 PM - Server at e.email (95.217.246.96) returned ‘450 4.7.323 tlsa-invalid: The domain failed DANE validation [Message=450 4.7.323 tlsa-invalid: The domain failed DANE validation] [LastAttemptedServerName=e.email] [LastAttemptedIP=95.217.246.96:25] [SmtpSecurity=11;0] [VI1EUR03FT005.eop-EUR03.prod.protection.outlook.com 2025-02-16T18:12:57.510Z 08DD4E33138A5CC9](450 4.7.323 tlsa-invalid: The domain failed DANE validation)’
As this is from a week ago (“2/16/2025”), can you try again from Outlook? If it occurs again I’d send it to postmaster@e.email.
If I check by hand or web it seems fine. Spec (frankly, I haven’t read the full of it but references) says validation needs to occur on the MX of e.email; this chain looks alright:
by hand
~$ dig -t tlsa _25._tcp.mail.ecloud.global
_25._tcp.mail.ecloud.global. 10800 IN CNAME _dane.ecloud.global.
_dane.ecloud.global. 145 IN TLSA 2 1 1 6DDAC18698F7F1F7E1C69B9BCE420D974AC6F94CA8B2C761701623F9 9C767DC7
~$ openssl s_client -starttls smtp -connect mail.ecloud.global:25 -dane_tlsa_domain "mail.ecloud.global" -dane_tlsa_rrdata "2 1 1 6DDAC18698F7F1F7E1C69B9BCE420D974AC6F94CA8B2C761701623F99C767DC7"
Verification: OK
Verified peername: mail.ecloud.global
DANE TLSA 2 1 1 ...a8b2c761701623f99c767dc7 matched the TA certificate at depth 1
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
...
Verify return code: 0 (ok)
Now I see a TLSA record on e.email too… but again, it’s the MX TLSA that matters. Though with DNSSEC trust chains… maybe something breaks in between that I’m not familiar with.
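
An added example, not part of the original post: the manual step between the `dig` and `openssl` commands above (follow the CNAME from `_25._tcp.<MX>` to the TLSA owner, rejoin the hex that `dig` splits into chunks, sanity-check the fields) done in code. The function names are hypothetical; the sample input is the answer section quoted in the post.

```python
import re

# Answer lines copied from the dig output in the post above.
DIG_ANSWER = """\
_25._tcp.mail.ecloud.global. 10800 IN CNAME _dane.ecloud.global.
_dane.ecloud.global. 145 IN TLSA 2 1 1 6DDAC18698F7F1F7E1C69B9BCE420D974AC6F94CA8B2C761701623F9 9C767DC7
"""

USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR = {0: "Cert", 1: "SPKI"}
DIGEST_LEN = {1: 32, 2: 64}  # matching type -> digest bytes (SHA-256, SHA-512)

def parse_answer(text):
    """Return ({owner: cname_target}, {owner: [(usage, selector, mtype, hex)]})."""
    cnames, tlsa = {}, {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        owner = f[0].lower().rstrip(".")
        if f[3] == "CNAME":
            cnames[owner] = f[4].lower().rstrip(".")
        elif f[3] == "TLSA" and len(f) >= 8:
            usage, selector, mtype = (int(x) for x in f[4:7])
            data = "".join(f[7:]).upper()  # dig splits long hex into chunks
            if usage not in USAGE or selector not in SELECTOR:
                raise ValueError(f"unknown usage/selector in: {line}")
            if not re.fullmatch(r"(?:[0-9A-F]{2})+", data):
                raise ValueError(f"bad hex in: {line}")
            if mtype in DIGEST_LEN and len(data) != 2 * DIGEST_LEN[mtype]:
                raise ValueError(f"digest length mismatch in: {line}")
            tlsa.setdefault(owner, []).append((usage, selector, mtype, data))
    return cnames, tlsa

def tlsa_rrdata(text, mx_host, port=25):
    """Follow CNAMEs from _<port>._tcp.<mx_host>; return rrdata strings."""
    cnames, tlsa = parse_answer(text)
    name, seen = f"_{port}._tcp.{mx_host}".lower().rstrip("."), set()
    while name in cnames:
        if name in seen:
            raise ValueError("CNAME loop")
        seen.add(name)
        name = cnames[name]
    # Each string is in the form openssl s_client takes for -dane_tlsa_rrdata.
    return [f"{u} {s} {m} {d}" for u, s, m, d in tlsa.get(name, [])]

if __name__ == "__main__":
    print(tlsa_rrdata(DIG_ANSWER, "mail.ecloud.global"))
```

This only normalizes what the resolver returned; it does not check DNSSEC signatures, which is the part of the chain the post says it is unsure about.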