To add to that, new protocols are designed not to rely on DNSSEC: MTA-STS for MX records (uses HTTPS), Web Key Directory for OpenPGP keys (uses HTTPS).
Putting user keys in DNS is an obvious mistake: deeply connected to DNS is the idea that the data in DNS is public. It requires heroic attempts like NSEC3 to keep data private, and even NSEC3 is not enough. Trying to put a list of users (mail addresses) in DNS is a mistake.
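Added example (editor's code, not from any commenter) illustrating the "even NSEC3 is not enough" point above. NSEC3 (RFC 5155) replaces cleartext owner names in the denial-of-existence chain with salted, iterated SHA-1 hashes, but the salt and iteration count are published in NSEC3PARAM, so anyone who walks the chain can run an offline dictionary attack against the hashes. The zone, salt, names and wordlist below are constructed; the hashing itself follows RFC 5155 section 5.

```python
import hashlib

# RFC 4648 "base32hex" alphabet, the encoding NSEC3 owner names use.
B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"


def to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the empty root label."""
    out = b""
    stripped = name.rstrip(".").lower()
    if stripped:
        for label in stripped.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def b32hex(data: bytes) -> str:
    """Unpadded base32hex; a 20-byte SHA-1 digest becomes exactly 32 characters."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """NSEC3 hash (RFC 5155 s5): SHA1(name || salt), then re-hashed with the
    salt appended `iterations` more times. SHA-1 is the only defined algorithm."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex(digest)


# --- constructed demo zone; none of these names are real ---
ZONE = "example.com."
SALT = bytes.fromhex("aabbccdd")   # published in the zone's NSEC3PARAM record
ITERATIONS = 10                    # likewise published
# The per-user names a "keys in DNS" scheme would have to publish.
SECRET_NAMES = ["www", "alice", "bob", "hr-inbox"]
# A wordlist the attacker brings; hits and misses are both constructed.
WORDLIST = ["www", "mail", "ftp", "alice", "bob", "carol", "hr-inbox", "admin"]


def nsec3_chain(names, zone=ZONE, salt=SALT, iterations=ITERATIONS):
    """The set of hashed owner names an NSEC3 chain publishes. An attacker
    collects these by walking the chain through NXDOMAIN answers, one
    'next hashed owner name' at a time, without needing any zone transfer."""
    return {nsec3_hash(f"{n}.{zone}", salt, iterations) for n in names}


def crack_nsec3(hashes, wordlist, zone=ZONE, salt=SALT, iterations=ITERATIONS):
    """Offline dictionary attack. Because salt and iteration count are public, a
    guess costs the attacker exactly what it cost the signer, and no query ever
    reaches the authoritative server while guessing."""
    hits = {}
    for word in wordlist:
        candidate = f"{word}.{zone}"
        h = nsec3_hash(candidate, salt, iterations)
        if h in hashes:
            hits[h] = candidate
    return hits


if __name__ == "__main__":
    chain = nsec3_chain(SECRET_NAMES)
    recovered = crack_nsec3(chain, WORDLIST)
    print(f"recovered {len(recovered)} of {len(chain)} hashed names with a {len(WORDLIST)}-word list")
    for h, n in sorted(recovered.items()):
        print(f"  {h}  {n}")
```

Raising the iteration count only slows both sides down linearly (and raises the cost of every validating resolver), which is why current guidance is to keep iterations at or near zero and treat NSEC3 as obfuscation rather than confidentiality.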
That said, the only reason for MTA-STS seems to be that some people don't like DNSSEC. From RFC 8461, "Related Technologies": "The DNS-Based Authentication of Named Entities (DANE) TLSA record [RFC7672] is similar, in that DANE is also designed to upgrade unauthenticated encryption or plaintext transmission into authenticated, downgrade-resistant encrypted transmission. DANE requires DNSSEC [RFC4033] for authentication; the mechanism described here instead relies on certification authorities (CAs) and does not require DNSSEC, at a cost of risking malicious downgrades."
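Added example (editor's code, not from any commenter or from RFC 8461 itself) showing what the "relies on CAs, not DNSSEC" trade-off in the quoted paragraph looks like to a sending MTA. The unsigned `_mta-sts` TXT record only announces a policy id; the policy body is fetched over HTTPS and its authority comes from PKIX validation of `mta-sts.<domain>`. Once a sender holds a policy, a DNS attacker who substitutes MX records gets a host that fails the policy's `mx` patterns, and in `enforce` mode the mail is refused rather than delivered to the attacker. The TXT record and policy body below are constructed fixtures; the parsing and MX matching rules follow RFC 8461 sections 3.1, 3.2 and 4.1.

```python
from dataclasses import dataclass, field

VALID_MODES = ("enforce", "testing", "none")


@dataclass
class StsPolicy:
    version: str
    mode: str
    max_age: int
    mx: list = field(default_factory=list)


def parse_sts_txt(txt: str) -> str:
    """Parse the _mta-sts.<domain> TXT record ("v=STSv1; id=...") and return the
    policy id. The id is only a cache-invalidation hint; the record carries no
    policy content, so spoofing it buys an attacker at most a policy re-fetch."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError(f"not an STSv1 record: {txt!r}")
    return fields["id"]


def parse_sts_policy(body: str) -> StsPolicy:
    """Parse the body of https://mta-sts.<domain>/.well-known/mta-sts.txt
    (RFC 8461 s3.2). The HTTPS fetch, with PKIX validation of that server's
    certificate, is where the trust comes from: a CA, not a signed zone."""
    fields, mx = {}, []
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if fields.get("mode") not in VALID_MODES:
        raise ValueError(f"bad mode: {fields.get('mode')!r}")
    if not fields.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer")
    if fields["mode"] != "none" and not mx:
        raise ValueError("enforce/testing policies need at least one mx pattern")
    return StsPolicy(fields["version"], fields["mode"], int(fields["max_age"]), mx)


def mx_matches(pattern: str, host: str) -> bool:
    """MX pattern matching per RFC 8461 s4.1: case-insensitive; a leading "*."
    matches exactly one label, so "*.example.net" covers "mx1.example.net" but
    neither "example.net" nor "a.mx1.example.net"."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.net"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[:-len(suffix)]
    return pattern == host


def delivery_decision(policy: StsPolicy, mx_host: str, tls_ok: bool) -> str:
    """Outcome for one candidate MX. A failure is either an MX host the policy
    does not list (the DNS-spoofing case) or a TLS/PKIX failure on that host.
    'enforce' refuses on failure; 'testing' and 'none' deliver regardless
    ('testing' is meant to be paired with TLSRPT so the failure gets reported)."""
    ok = tls_ok and any(mx_matches(p, mx_host) for p in policy.mx)
    return "refuse" if (policy.mode == "enforce" and not ok) else "deliver"


# --- constructed fixtures; example.com / example.net are not real deployments ---
SAMPLE_TXT = "v=STSv1; id=20190429T010101"
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.net
max_age: 604800
"""

if __name__ == "__main__":
    policy = parse_sts_policy(SAMPLE_POLICY)
    print("policy id", parse_sts_txt(SAMPLE_TXT), "mode", policy.mode, "mx", policy.mx)
    for host, tls in [("mail.example.com", True), ("mx2.example.net", True),
                      ("mail.example.com", False), ("mx.attacker.invalid", True)]:
        print(f"{host:24} tls_ok={tls!s:5} -> {delivery_decision(policy, host, tls)}")
```

The residual downgrade the RFC concedes is the first contact: a sender that has never cached a policy, and whose unsigned TXT lookup is suppressed, has nothing to enforce. Caching for `max_age` (a week in the fixture above) is what narrows that window on later deliveries.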
When you say "some people don't like DNSSEC", you're sort of dancing around the fact that the people who don't like it are some of the most important organizations on the Internet; to wit: all the major mail providers.
Which is fine. Do I really care about the security of Gmail? Yahoo? Hotmail?
For me the important thing is that all TLDs I care about support DNSSEC. So I can implement DNSSEC-based security locally. If other people want to play a different game, it is mostly fine with me.
The only annoying part is that browsers refuse to do DANE validation, but Firefox somehow is very quick to jump on the DoH bandwagon.
I don't know. Do you ever email people? If so: yes, you do.
It doesn't really matter that you can configure your own little island of DNSSEC since you'll inevitably depend on one of the resources in, like, the whole rest of the Internet, virtually none of which signs zones with DNSSEC. This really all is just security theater.
I assume that when you say 'virtually none', you are aware that more than 50% of the dot-nl domains (so around 3 million) are DNSSEC signed. Furthermore, more than 60% of the DNS queries that reach the servers for the dot-nl zone are from validating resolvers.
I do not care about the thousands of European domains that are signed because domain hosting firms automatically enable it and sign zones for their customers, and neither should you, since that is obviously security theater.
In the unlikely event that anyone is reading the thread this deeply, you can go to https://dnssec-name-and-shame.com and try to find a big tech firm other than Cloudflare (which has a DNSSEC product) and (heh) Comcast that uses it.
It is important, because it is very important to have production traffic.
If you live in a centralised internet then what those big parties do is important.
I don't care what version of SSH any of those big parties are running.
Many services have a decentralised version. And when you really care about security, it is worth setting up local servers instead of hoping that those big parties really give you the service you need.
I flat-out don't understand what argument you're trying to make here. My response to your claim that DNSSEC is widespread because of signed .NL domains was simple: that's because registrars in .NL do that for zones automatically, holding the keys themselves. That's simply theater.
Even old GnuPG deprecates DNS based key lookup: https://lists.gnupg.org/pipermail/gnupg-users/2018-October/0...