11 Apr 2015
4:30 a.m.
1. MTAs should run their own caching resolvers, even if they forward to another caching resolver upstream (e.g. 8.8.8.8).
I used to run a local caching server, but ran into a problem when I first started using DNSSEC. To make life a little easier while sorting out the DNSSEC problems I got rid of it. Reinstated as of today. Using posttls-finger now produces expected results.
2. If you are doing any RBL lookups, you must not make them via an upstream forwarder (avoid looking up RBLs via 8.8.8.8 and friends).
A little thought and this is obvious.
3. If you want any security from DANE when sending outbound email to remote domains, you MUST use a local 127.0.0.1 resolver that validates DNSSEC record signatures for itself.
Done, but why?
If you're not using 'smtp_tls_security_level = dane', then the local resolver is not essential for security, but is still a good idea.
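As an added illustration of points 2 and 3 (this is example code, not from the thread or from Postfix itself): a small checker that reads main.cf and resolv.conf text and reports when DANE or RBL lookups would depend on a non-loopback resolver. The Postfix parameter names are real; the sample configurations and the RBL zone name are constructed.

```python
import re

LOOPBACK = ("127.0.0.1", "::1")
RBL_RESTRICTIONS = ("reject_rbl_client", "reject_rhsbl_client", "reject_rhsbl_sender")

def parse_main_cf(text):
    """Return {parameter: value} from Postfix main.cf text.
    Simplified: comments are skipped and continuation lines are ignored."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params

def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf text."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.M)

def resolver_findings(main_cf, resolv_conf):
    """List the resolver problems that undermine outbound DANE and RBL lookups."""
    params = parse_main_cf(main_cf)
    servers = parse_nameservers(resolv_conf)
    remote = [s for s in servers if s not in LOOPBACK]
    findings = []
    if params.get("smtp_tls_security_level") == "dane":
        # DANE needs DNSSEC-validated answers from a resolver Postfix can trust.
        if params.get("smtp_dns_support_level") != "dnssec":
            findings.append("dane set but smtp_dns_support_level is not dnssec")
        if remote:
            findings.append("dane set but resolver %s is not loopback: the path to it is unauthenticated" % remote)
    # RBL answers fetched through an upstream forwarder may be cached/shared or blocked.
    uses_rbl = any(r in v for v in params.values() for r in RBL_RESTRICTIONS)
    if uses_rbl and remote:
        findings.append("RBL lookups would go through remote forwarder %s" % remote)
    return findings

# Constructed sample configurations (not from the original thread).
WEAK_MAIN_CF = """
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtpd_recipient_restrictions = permit_mynetworks, reject_rbl_client rbl.example.net
"""
WEAK_RESOLV = "nameserver 8.8.8.8\n"     # upstream forwarder only
FIXED_RESOLV = "nameserver 127.0.0.1\n"  # local validating resolver

if __name__ == "__main__":
    for name, rc in (("weak", WEAK_RESOLV), ("fixed", FIXED_RESOLV)):
        print(name, resolver_findings(WEAK_MAIN_CF, rc) or ["ok"])
```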