Re: You know something's wrong
You're absolutely right, nobody in the entire history of the internet ever logged in as user@server.domain.com.
It would be absolutely impossible to query server.domain.com to authenticate user. You could never trust server.domain.com with DANE and you could never trust the user with a certificate instead of a password.
It's utterly unworkable. We must stick with crackable passwords and "Log in with Bigcorp".