After the last major update to the site, I noticed that the new Email Aliases page contains a Criteria section that is currently empty. Before the aforementioned update, most of the content in the Email Aliasing page was housed in the Email Services page, so the recommended aliasing services probably (?) shared some criteria with the recommended email services.
So SimpleLogin doesn’t meet security criteria.
Half the domains don’t use DNSSEC, and the MTA-STS policy is not set to “enforce”.
There’s no certificate protection with CAA either.
All a provider’s domains should have the same level.
All addy domains are configured correctly, except for one; the TLD doesn’t support DNSSEC.
The criteria also mention Expect-CT, but this was deprecated by Google in 2022. Shouldn’t it be removed?
Yes, they should. This is a bit annoying. I am sure when we evaluated it they were.
At the time it was looking at being current, but yes, it doesn’t look important anymore. We should change that to simply that the provider should support Certificate Transparency by default.
It’s possible that the configuration was fine before, but now it seems like it’s been at least two years since DNSSEC has been absent from some domains.
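
An added example, not part of the thread and not any provider's or project's own tooling: a check for the point raised above that every domain of a provider should publish an MTA-STS policy with mode "enforce". It parses policy bodies in the RFC 8461 format; the domain names and policy texts are constructed sample data, and fetching the real policy file is left out so the check runs offline.

```python
# Added example: audit MTA-STS policy bodies (RFC 8461) across a provider's domains.
VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # upper bound for max_age in RFC 8461 (about one year)

def parse_mta_sts_policy(text):
    """Parse the key/value policy file served at /.well-known/mta-sts.txt."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)      # mx is the only repeatable field
        else:
            policy.setdefault(key, value)   # duplicates: first occurrence wins
    return policy

def audit_policy(text):
    """Return a list of findings; an empty list means a valid enforcing policy."""
    if text is None:
        return ["no MTA-STS policy published"]
    p = parse_mta_sts_policy(text)
    findings = []
    if p.get("version") != "STSv1":
        findings.append("missing or unknown version")
    mode = p.get("mode")
    if mode not in VALID_MODES:
        findings.append("missing or invalid mode")
    elif mode != "enforce":
        findings.append(f"mode is '{mode}', not 'enforce'")
    if mode != "none" and not p["mx"]:
        findings.append("no mx patterns listed")
    max_age = p.get("max_age", "")
    if not max_age.isdigit() or int(max_age) > MAX_AGE_LIMIT:
        findings.append("missing or invalid max_age")
    return findings

def audit_provider(policies):
    """Map each non-compliant domain to its findings (all domains should pass)."""
    results = {domain: audit_policy(text) for domain, text in policies.items()}
    return {domain: found for domain, found in results.items() if found}

# Constructed sample: one enforcing domain, one in testing, one with no policy.
SAMPLE = {
    "alias-a.example": "version: STSv1\nmode: enforce\nmx: mx1.alias-a.example\nmax_age: 604800\n",
    "alias-b.example": "version: STSv1\nmode: testing\nmx: *.alias-b.example\nmax_age: 86400\n",
    "alias-c.example": None,
}

if __name__ == "__main__":
    for domain, found in audit_provider(SAMPLE).items():
        print(domain, "->", "; ".join(found))
```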