While working on mailway.app I experimented with routing emails based on SNI.
Let’s imagine a common email setup:
- sauleau.com has an MX record that points to mx.sauleau.com.
- mx.sauleau.com has an A record that points to an email server IP.

When someone sends an email to [email protected], it needs to resolve the MX record and then the A record to find the corresponding email server.
Traditionally, mx.sauleau.com would run on its dedicated email server and listen on port 25.
To run a secure email server we have a TLS certificate stored on the server, issued specifically for mx.sauleau.com.
The certificate is presented to anyone connecting to the IP and asking for a secure connection, which implies that it is not tied to the hostname we used to resolve the IP (the A record). More importantly, most clients will abort if the TLS certificate doesn’t match the hostname they attempted to connect to.
To address this issue we could use SNI: it appears earlier in the communication with the server and lets the server select the TLS certificate to present to the client, so that it matches the right hostname. However, not all email clients support sending SNI.
Name | Supports SNI?
---|---
Gmail | yes |
Yahoo | no |
AOL | no |
ProtonMail | no |
Outlook | yes |
Mailgun | yes |
Golang’s net/smtp | yes |
This list is far from exhaustive; feel free to reach out if you want to try a specific email provider.
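As an added example (not code from the post or from mailway.app), here is how a Go SMTP server could pick the certificate to present from the SNI carried in the ClientHello, and fall back to a default certificate for the clients in the table that send no SNI. The hostname mx.sauleau.com comes from the post; the certificate store and the placeholder certificates are assumptions.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// certStore maps an MX hostname (the name a client puts in SNI) to the
// certificate issued for that name, plus one fallback certificate for
// clients that send no SNI at all.
type certStore struct {
	byName   map[string]*tls.Certificate
	fallback *tls.Certificate
}

// selectCertificate picks the certificate for the SNI name the client sent.
// An empty name (no SNI, as with Yahoo, AOL and ProtonMail above) or an
// unknown name gets the fallback; the bool reports whether SNI matched.
func (s *certStore) selectCertificate(serverName string) (*tls.Certificate, bool) {
	name := strings.ToLower(strings.TrimSuffix(serverName, "."))
	if name == "" {
		return s.fallback, false
	}
	if cert, ok := s.byName[name]; ok {
		return cert, true
	}
	return s.fallback, false
}

// tlsConfig is the server-side config handed to the STARTTLS upgrade.
// crypto/tls calls GetCertificate with the ClientHello, which carries SNI.
func (s *certStore) tlsConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			cert, matched := s.selectCertificate(hello.ServerName)
			if !matched {
				// The fallback name may not match the host the client connected
				// to, so it may abort the handshake; log it so that is visible.
				fmt.Printf("no SNI match for %q, using fallback certificate\n", hello.ServerName)
			}
			return cert, nil
		},
	}
}

func main() {
	// Constructed placeholder certificates; a real store would load PEM files.
	s := &certStore{byName: map[string]*tls.Certificate{"mx.sauleau.com": &tls.Certificate{}}, fallback: &tls.Certificate{}}
	for _, sni := range []string{"mx.sauleau.com", "", "other.example"} {
		_, matched := s.selectCertificate(sni)
		fmt.Printf("SNI %q matched=%v\n", sni, matched)
	}
	_ = s.tlsConfig()
}
```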