From 3643e336b55c026207357bea927fe8559b979955 Mon Sep 17 00:00:00 2001 From: Dennis Baaten Date: Thu, 8 Aug 2019 12:21:39 +0200 Subject: [PATCH] Update DANE-for-SMTP-how-to.md --- DANE-for-SMTP-how-to.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/DANE-for-SMTP-how-to.md b/DANE-for-SMTP-how-to.md index 40ed795..24ebedb 100644 --- a/DANE-for-SMTP-how-to.md +++ b/DANE-for-SMTP-how-to.md @@ -86,6 +86,8 @@ The illustration below shows what happens when an attacker performs a man in the The illustration below shows how the use of DANE can protect against man in the middle (MITM) attacks by addressing the shortcomings of TLS without DANE. ![](dane-example-1-with-dane.png) +### Mail delivery: TLS with DANE without DNSSEC +Although guaranteeing reliable DNS resolving is actually an advantage of DNSSEC, it is still worth mentioning here. Notice that in the example above (TLS with DANE) the lack of DNSSEC would make it possible for an attacker to alter DNS responses (2 and 4). Such an attack can be used to trick the sender into sending e-mail to a rogue e-mail server. # Reliable certificate rollover It is a good practice to replace certificates and keys from time to time, but this need not and should not disrupt email delivery even briefly.
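Review bot: The new "Mail delivery: TLS with DANE without DNSSEC" section understates the consequence of the attack it describes. If an attacker can alter DNS responses 2 and 4 in the "TLS with DANE" example, the altered responses include the TLSA lookup, so the attacker can strip or forge the TLSA record and DANE no longer protects the connection at all; the paragraph frames this only as "reliable DNS resolving" being "an advantage of DNSSEC", which reads as a side benefit rather than a precondition. Suggest stating it directly, e.g. "Without DNSSEC an attacker who alters DNS responses 2 and 4 can strip or forge the TLSA record, so DANE provides no protection; DNSSEC is therefore a requirement for DANE, not an optional extra." Two smaller points in the same hunk: "responses (2 and 4)" refers to numbered steps in the figure above without saying which lookups they are, so naming them in the text (the MX lookup and the TLSA lookup, if that is what the figure numbers) would make the sentence stand on its own; and the two sibling "Mail delivery" sections each carry an `![](...)` illustration while this one does not, so either add a matching figure or drop "in the example above" in favour of a self-contained description. The opening sentence "Although guaranteeing reliable DNS resolving is actually an advantage of DNSSEC, it is still worth mentioning here" could be tightened to "DNSSEC guarantees that the DNS responses in the example above have not been tampered with, which is why it matters here."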