While working on mailway.app I experimented with routing emails based on SNI.
Let’s imagine a common email setup:
When someone sends an email to hello@sauleau.com, the sending server needs to resolve the MX record of sauleau.com and then the A record of that MX host to find the corresponding email server.
Traditionally, mx.sauleau.com would run on its own dedicated email server and listen on port 25. To run a secure email server, we have a TLS certificate stored on the server, issued specifically for mx.sauleau.com.
That certificate is presented to anyone connecting to the IP and asking for a secure connection, so it is not tied to the hostname we used to resolve the IP (the A record). More importantly, most clients will abort if the TLS certificate doesn’t match the hostname they attempted to connect to.
To address this issue we could use SNI: the client sends it in the TLS ClientHello, before the server presents its certificate, so the server can select a certificate matching the hostname the client asked for. However, not all email clients support sending SNI.
| Name | Supports SNI? |
| --- | --- |
| Gmail | yes |
| Yahoo | no |
| AOL | no |
| ProtonMail | no |
| Outlook | yes |
| Mailgun | yes |
| Golang’s net/smtp | yes |