by alex_duf 4263 days ago
So, instead of having DNS + CA to hack, now we just need to hack the DNS?

That seems like a single point of failure to me.


"DNS + CA"? Don't you just mean "CA"? And when you say "CA", don't you mean "1 out of hundreds of CAs"?

Besides, there are no CAs for SMTP anyway. Encryption is entirely opportunistic, and self-signed certs are just as trusted as ones signed by one of the CAs that people use for web traffic.

The difference with DANE+SMTP is, all of a sudden a sending server will know that it must use TLS or not send the message. And the cert it receives must match the one published in the DNS. Not just one that is signed by one of any hundreds of CAs.

Fair point.
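The decision the comment above describes (no TLSA record: today's opportunistic behaviour; TLSA record present: TLS is mandatory and the presented cert must match the DNS data), as an added example that is not from this thread. It models the certificate as two constructed byte strings (its DER and its SubjectPublicKeyInfo DER) instead of parsing X.509, handles only DANE-EE (usage 3) records, and assumes the TLSA lookup at `_25._tcp.<mx host>` has already been DNSSEC-validated.

```python
import hashlib
from typing import NamedTuple, Optional


class TLSA(NamedTuple):
    usage: int     # 3 = DANE-EE: the server's own cert/key is published in DNS
    selector: int  # 0 = whole certificate, 1 = SubjectPublicKeyInfo only
    mtype: int     # 0 = raw bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA presentation format, e.g. '3 1 1 <hex digest>'."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex(hexdata.replace(" ", "")))


def association_data(mtype: int, blob: bytes) -> bytes:
    """Turn cert or SPKI bytes into the form the TLSA record stores."""
    if mtype == 0:
        return blob
    if mtype == 1:
        return hashlib.sha256(blob).digest()
    if mtype == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented end-entity cert matches a DANE-EE(3) record."""
    # Usages 0-2 need chain handling that this example leaves out; such
    # records are simply treated as non-matching here.
    if rec.usage != 3 or rec.selector not in (0, 1) or rec.mtype not in (0, 1, 2):
        return False
    blob = cert_der if rec.selector == 0 else spki_der
    return association_data(rec.mtype, blob) == rec.data


def delivery_decision(tlsa_rdata: Optional[list], cert_der: bytes,
                      spki_der: bytes) -> str:
    """What a DANE-aware sending MTA does with the cert the MX presented.

    tlsa_rdata is None when the lookup returned no TLSA RRset, otherwise a
    list of rdata strings (constructed in the caller for this example).
    """
    if tlsa_rdata is None:
        return "opportunistic"  # no DANE policy: any cert, or no TLS at all, as today
    records = [parse_tlsa(r) for r in tlsa_rdata]
    if any(tlsa_matches(r, cert_der, spki_der) for r in records):
        return "deliver"        # TLS required and the cert matches the DNS data
    return "defer"              # TLS required but nothing matches: do not send
```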