Do I need an SSL certificate for mail exchange (MX) for a .DEV TLD? Couldn't find this online so I'm asking here. I know that it enforces HTTPS and HSTS.
You don't need one, but you should have one, deploying MTA-STS would also be recommended. – Avamander May 13 '23 at 11:59
1 Answer
No, or not necessarily.

.dev, like all new Google TLDs (including .new in one month), has been added to the HSTS Preloading list. It means that all names under this TLD will force browsers (because they incorporate the HSTS preloading list) to do only HTTPS calls, and never HTTP ones. You can find Google's explanations at https://security.googleblog.com/2017/09/broadening-hsts-to-secure-more-of-web.html

But this applies only to the web. All other uses (email, ftp, etc.) are free to do whatever they want.

Now, it is better to also secure your SMTP infrastructure (if you manage it yourself) and hence use SMTP over TLS, and you can even go the extra mile using DANE.

But if you don't, it will work (unsecured of course). Nothing that the registry did to add .dev to the HSTS preloading list can influence that.

PS: I take the opportunity to of course repeat that it is a bad idea to name internal resources under a fake .dev TLD; one has instead to register a proper .dev domain name (or any other TLD for that matter) and then use it as a suffix for all internal naming needs.
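As an added illustration of the MTA-STS recommendation from the comment above (example code, not part of the question or the answer): a small parser for an MTA-STS policy file (RFC 8461) plus the MX-hostname matching a sending MTA performs against it. The policy text is constructed for a hypothetical domain example.dev; a real one would be fetched from https://mta-sts.<domain>/.well-known/mta-sts.txt.

```python
import re

# Constructed sample policy for the hypothetical domain example.dev, as it
# would be served at https://mta-sts.example.dev/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail1.example.dev
mx: *.mx.example.dev
max_age: 604800
"""

def parse_mta_sts_policy(text):
    """Parse the key/value policy body; raise ValueError on malformed input."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed line: %r" % line)
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    # int("") raises ValueError, so a missing max_age is rejected as well
    policy["max_age"] = int(policy.get("max_age", ""))
    if not policy["mx"] and policy["mode"] != "none":
        raise ValueError("at least one mx entry is required")
    return policy

def mx_allowed(policy, mx_host):
    """True if mx_host matches an mx entry. A leading '*.' matches exactly one
    leftmost label (RFC 8461 section 4.1), not the bare suffix or deeper names."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            if re.fullmatch(r"[^.]+" + re.escape(pattern[1:]), host):
                return True
        elif host == pattern:
            return True
    return False
```

In enforce mode a sender that finds the MX returned by DNS is not allowed by the policy, or cannot negotiate TLS with a valid certificate, must not deliver over that host; in testing mode it delivers anyway but reports the failure via TLSRPT if configured.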