From b006c8f8092bb65477d599da961a1de74aecda23 Mon Sep 17 00:00:00 2001
From: rnsrk <robert@nasarek.org>
Date: Mon, 19 Jan 2026 09:10:13 +0100
Subject: [PATCH] small add for DNSSEC and MTA-STS

---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/README.md b/README.md
index e734a0d..0afc141 100644
--- a/README.md
+++ b/README.md
@@ -34,6 +34,11 @@ Run the unified diagnostics script from the repository root:
 ```
 This combines the previous `diagnostic.sh` and `health_check.sh` checks.
 
+## Mail Security TODOs
+- Enable DNSSEC at the DNS provider and ensure DS/DNSKEY are published.
+- Add TLSA (DANE) records after DNSSEC is active.
+- Verify MTA-STS policy and TLS-RPT DNS records after propagation.
+
 ## Install
 ### Prerequisites
 1) Copy the env and docker-compose.override.yml to the service directories via the script.