On Sat, Jul 25, 2020 at 01:43:23PM +0200, Martijn van Duren wrote:
> I'm not 100% sure what you mean, but let me give it a best effort.
> On Sat, 2020-07-25 at 11:00 +0200, Peter J. Philipp wrote:
> > Hi,
> > 
> > This is sorta a feature request.  A lot of people use dmarc to check for
> > incoming mails.  Is there a way to turn off dmarc checking in the smtpd?
> > This would be valuable for trusted sources such as mailing lists.
> This reads as if you want to disable checking on the receiving end,
> which is smtpd. This is not needed since smtpd has no support for
> DMARC, SPF, or DKIM verification at this moment.

Oh sorry then.  Well maybe keep it in mind in the future when this functionality
is put into OpenSMTPD, perhaps then.  Right now it's super annoying doing any 
posting, not that I can't handle it, it's more the economic footprint of 
posting.  Let me try to explain below.

> > Let me give you an example.  I mail 1000 bytes to openbsd-misc and there is
> > thousands of recipients on that mailing list.  When their software delivers
> > to these thousands I get a DNS request (I'm predicting 40 bytes in the 
> > question,
> > and no less than 40 bytes in the answer * thousands) that's already a 
> > minimum
> > of 80K bytes DNS traffic generated by a 1K byte mail.
> If you're worried about those numbers I would stop hosting DNS yourself
> and just put it at a company who can handle it.

I don't know if you're old enough to remember what a slashdotting is.  
In effect with all these dmarc requests out there you get a little slashdotting
and it makes writing on small hosts to large mailing lists costly.

This does have a natural "put your money where your mouth is", but it has an
unneeded economical footprint.  We're talking thousands of packets and MB of
volume for 1 little post (especially when you have DNSSEC enabled and reply
with a proof of non-existance to everyone).  Now you can imagine where this 
goes when there is a large ML and everyone posts on it.  Different parts of 
the Internet are lighting up and it's really a waste of electricity.

> > It would be cool if OpenBSD could set a "X-DMARC-VERIFIED" header or 
> > something
> > and based on a policy on every smtpd that receives this no dmarc dns request
> > is caused.  This would make me very happy.
> I'm not aware of this mail header, nor is google. Also this would make
> your mail susceptible for a man in the middle to disabling DMARC.
> But if you want this header you should be able to do this quite easily
> with a custom filter. The documentation is not installed by default, but
> a draft is available in the smtpd soures: smtpd-filters.7.

Something like this would be very good.  The individual person will not care.
So it's left to the makers of mail software to do something (if only for the
need to burn less coal to make electricity).  I may be noone but I think it's
worthy raising this as the trend especially in the OpenBSD community is to
be a small guy with a small self run network (I'm part of that).  In effect 
this independence is causing a miscalculated evil.  I'm just viewing this and 
saying "this could get out of control!".  Oh I can handle it, but what if we
grow 10x, 100x, 1000x, 10000x do I want to see this or do I sign off the
mailing lists?

If email was more like a multicasting it would be very efficient, but then
opensmtpd also wouldn't be needed anymore.  So we need to be aware of the
faults and side-effects of large unicasts that cause extra unicast lookups.

> > 
> > Is this all technically possible?
> > 
> > Best Regards,
> > -peter
> > 
> martijn@

Best Regards,

  • dmarc Peter J. Philipp
    • Re: dmarc Martijn van Duren
      • Re: dmarc Peter J. Philipp

Reply via email to