[tptacek]

MTA-STS was standardized explicitly to support the (nearly universal) use case of mail providers without DNSSEC. Even O365, which ostensibly supports DANE/DNSSEC for email security, does so only for select customers and not for ordinary ones (go look for the TLSAs).