https://datatracker.ietf.org/doc/html/rfc8314#section-5.1 wrote:
This document updates [RFC6186] by changing the preference rules and
adding a new SRV service label _submissions._tcp to refer to Message
Submission with Implicit TLS.

User-configurable MUAs SHOULD support the use of [RFC6186] for
account setup. However, when using configuration information
obtained via this method, MUAs SHOULD ignore advertised services that
do not satisfy minimum confidentiality requirements, unless the user
has explicitly requested reduced confidentiality. This will have the
effect of causing the MUA to default to ignoring advertised
configurations that do not support TLS, even when those advertised
configurations have a higher priority than other advertised
configurations.

When using configuration information per [RFC6186], MUAs SHOULD NOT
automatically establish new configurations that do not require TLS
for all servers, unless there are no advertised configurations using
TLS. If such a configuration is chosen, prior to attempting to
authenticate to the server or use the server for Message Submission,
the MUA SHOULD warn the user that traffic to that server will not be
encrypted and that it will therefore likely be intercepted by
unauthorized parties. The specific wording is to be determined by
the implementation, but it should adequately capture the sense of
risk, given the widespread incidence of mass surveillance of email
traffic.

Similarly, an MUA MUST NOT attempt to "test" a particular Mail
Account configuration by submitting the user's authentication
credentials to a server, unless a TLS session meeting minimum
confidentiality levels has been established with that server. If
minimum confidentiality requirements have not been satisfied, the MUA
must explicitly warn that the user's password may be exposed to
attackers before testing the new configuration.

When establishing a new configuration for connecting to an IMAP, POP,
or SMTP submission server, based on SRV records, an MUA SHOULD verify
that either (a) the SRV records are signed using DNSSEC or (b) the
target Fully Qualified Domain Name (FQDN) of the SRV record matches
the original server FQDN for which the SRV queries were made. If the
target FQDN is not in the queried domain, the MUA SHOULD verify with
the user that the SRV target FQDN is suitable for use, before
executing any connections to the host. (See Section 6 of [RFC6186].)

An MUA MUST NOT consult SRV records to determine which servers to use
on every connection attempt, unless those SRV records are signed by
DNSSEC and have a valid signature. However, an MUA MAY consult SRV
records from time to time to determine if an MSP's server
configuration has changed and alert the user if it appears that this
has happened. This can also serve as a means to encourage users to
upgrade their configurations to require TLS if and when their MSPs
support it.
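
An added illustration, not part of the quoted RFC text: the selection rules above, sketched in Python for one protocol family (here Message Submission). The `dnssec` flag, the warning strings, and treating only Implicit TLS labels as meeting the confidentiality requirement are assumptions of this example.

```python
from dataclasses import dataclass

# Labels from RFC 6186 plus _submissions (RFC 8314); True = Implicit TLS.
# Assumption: only Implicit TLS labels count as meeting the confidentiality floor.
IMPLICIT_TLS = {"_imaps": True, "_pop3s": True, "_submissions": True,
                "_imap": False, "_pop3": False, "_submission": False}

@dataclass
class Srv:
    label: str            # SRV service label, e.g. "_submissions"
    priority: int         # lower value is preferred (RFC 2782)
    target: str           # "." means the service is not offered
    port: int
    dnssec: bool = False  # hypothetical flag: RRset was DNSSEC-validated

def in_domain(target, domain):
    """True if target equals the queried domain or is a subdomain of it."""
    t, d = target.rstrip(".").lower(), domain.rstrip(".").lower()
    return t == d or t.endswith("." + d)

def choose(records, domain, allow_cleartext=False):
    """Pick one record for a protocol family; return (record, warnings)."""
    offered = [r for r in records
               if r.label in IMPLICIT_TLS and r.target != "."]
    tls = [r for r in offered if IMPLICIT_TLS[r.label]]
    # Ignore non-TLS services, even at better priority, unless the user
    # asked for reduced confidentiality or nothing with TLS is advertised.
    pool = offered if (allow_cleartext or not tls) else tls
    if not pool:
        return None, []
    best = min(pool, key=lambda r: r.priority)
    warnings = []
    if not IMPLICIT_TLS[best.label]:
        warnings.append("cleartext")        # warn before any authentication
    if not best.dnssec and not in_domain(best.target, domain):
        warnings.append("confirm-target")   # ask the user before connecting
    return best, warnings

# Constructed sample records for the queried domain example.com.
SAMPLE = [
    Srv("_submission", 0, "mail.example.com", 587),
    Srv("_submissions", 10, "smtp.example.com", 465),
]

if __name__ == "__main__":
    print(choose(SAMPLE, "example.com"))
```

The cleartext record in `SAMPLE` has the better priority, yet the Implicit TLS record is chosen unless `allow_cleartext` is set.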