On Wed, Apr 01, 2026 at 01:56:10AM -0400, Curtis Villamizar wrote:

> > At the scale of Gmail, and given Google's data storage and retrieval
> > capacity, MTA-STS policy storage is negligible noise not even worth a
> > moment's thought.
> 
> Lookup speed can be an issue if storing that amount of policy.  Best
> lookup is order log N so order log N disk reads.  For 400M domains if
> you can fit 256 in an 8KB block (storing only domain name and an
> index), that's roughly 1M blocks so roughly 16 disk reads per lookup
> with less due to caching.  Another way is to hash the domain name and
> do a lookup on the hash value, not requiring long names or variable
> length names in the lookup.  A short hash with possible collisions
> would make comparisons easier and still work since collisions could be
> resolved.  Of course that is 8GB of search storage so could be fit in
> RAM these days.  I suppose with limited MTA-STS these days it is not
> yet an issue.

Google's storage SREs and distributed database designers have solved
this problem on a much larger scale than required for MTA-STS policy
lookup.

> > No downgrade resistance during policy refresh, but if policy refresh
> > happens before expiration, and is retried multiple times on error,
> > perhaps some resilience could be possible, but this takes effort
> > to get "right" and to prioritise downgrade resistance in the first
> > place.
> 
> So even if no mail is sent for a while policy is refreshed?

Yes, if practical for a smaller site.  Some might say that if Gmail
rarely sends you email, you don't really count as a mail recipient.
I'm not endorsing that view...

> Thanks for the public service announcement.  I've managed to mess this
> up when generating new keys so a good reminder.  I've been guilty of
> sloppy rollover practice, but getting better at it.

It is, in my view, better to not deploy DANE, than to deploy it so
poorly that it is broken a non-trivial fraction of the time, and
does not get fixed without external reminders.

Currently, of ~4.3M domains with DANE SMTP TLSA records for
their MX hosts, ~14k have at least one broken MX host... :-(

-- 
    Viktor.  🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
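The "broken MX host" and "sloppy rollover" points above come down to one check: does the published TLSA RRset match the certificate chain the MX actually presents, both now and after the key you are about to install? The following is an added example (not Postfix code, and not Viktor's survey tooling) that implements RFC 6698 matching for the usages a DANE-SMTP client accepts and uses it as a pre-rollover invariant. It assumes the DER of each certificate and its SubjectPublicKeyInfo have already been extracted (e.g. with `openssl x509 -outform DER` / `openssl x509 -pubkey`); the "certificates" in the block are constructed byte strings so it runs offline.

```python
"""DANE TLSA matching and key-rollover pre-check (RFC 6698 / RFC 7671 / RFC 7672).

Added example, not Postfix code. The cert/SPKI blobs are constructed stand-ins
for DER so the script runs offline; on a real MX feed in the presented chain.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Tlsa:
    usage: int     # 2 = DANE-TA, 3 = DANE-EE (the usages meaningful for SMTP)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> Tlsa:
    """Parse a TLSA record in zone-file form, with or without the owner/class/type
    prefix, e.g. "_25._tcp.mx.example. IN TLSA 3 1 1 <hex>". The hex may be
    split across whitespace-separated chunks as some zone files do."""
    fields = presentation.split()
    if "TLSA" in fields:
        fields = fields[fields.index("TLSA") + 1:]
    usage, selector, mtype = (int(f) for f in fields[:3])
    return Tlsa(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))


def usable(rr: Tlsa) -> bool:
    """RFC 7672: PKIX-TA(0)/PKIX-EE(1) and unknown selectors or matching types
    are 'unusable' for SMTP and are ignored rather than counted as a failure."""
    return rr.usage in (2, 3) and rr.selector in (0, 1) and rr.mtype in (0, 1, 2)


def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """What the 'certificate association data' field must hold for this cert."""
    raw = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    return hashlib.sha512(raw).digest()


def tlsa_matches(rr: Tlsa, chain: list[tuple[bytes, bytes]]) -> bool:
    """chain is [(cert_der, spki_der), ...], leaf first. DANE-EE(3) is matched
    against the leaf only; DANE-TA(2) against any cert in the chain (path
    validation up to that trust anchor is left to the TLS library)."""
    candidates = chain[:1] if rr.usage == 3 else chain
    return any(rr.data == association_data(rr.selector, rr.mtype, c, s) for c, s in candidates)


def check_mx(rrset: list[Tlsa], chain: list[tuple[bytes, bytes]]) -> str:
    """'matched' if a usable record matches the presented chain; 'broken' if
    usable records exist but none matches (the state counted as broken above);
    'unusable' if there is nothing a DANE-SMTP client could even try."""
    usable_rrs = [rr for rr in rrset if usable(rr)]
    if not usable_rrs:
        return "unusable"
    return "matched" if any(tlsa_matches(rr, chain) for rr in usable_rrs) else "broken"


def rollover_ready(rrset: list[Tlsa], current_chain, next_chain) -> bool:
    """Pre-rollover invariant (RFC 7671 sec. 8): the published RRset must match
    BOTH the chain served now and the one about to be installed; publish the
    new record, wait at least a TTL, then switch keys, then retire the old one."""
    return check_mx(rrset, current_chain) == "matched" and check_mx(rrset, next_chain) == "matched"


# Constructed stand-ins for DER, not real certificates.
CUR_CERT, CUR_SPKI = b"cur-cert:" + bytes(range(48)), b"cur-spki:" + bytes(range(24))
NEW_CERT, NEW_SPKI = b"new-cert:" + bytes(range(48, 96)), b"new-spki:" + bytes(range(24, 48))
CURRENT_CHAIN = [(CUR_CERT, CUR_SPKI)]
NEXT_CHAIN = [(NEW_CERT, NEW_SPKI)]

# "3 1 1" (DANE-EE, SPKI, SHA-256): survives cert renewal as long as the key is kept.
CUR_RR = f"_25._tcp.mx.example. IN TLSA 3 1 1 {hashlib.sha256(CUR_SPKI).hexdigest()}"
NEW_RR = f"3 1 1 {hashlib.sha256(NEW_SPKI).hexdigest()}"


def demo() -> dict:
    only_old = [parse_tlsa(CUR_RR)]
    both = [parse_tlsa(CUR_RR), parse_tlsa(NEW_RR)]
    return {
        "current_ok": check_mx(only_old, CURRENT_CHAIN),
        # The classic mistake: new key installed while DNS still carries only the old digest.
        "swapped_key_early": check_mx(only_old, NEXT_CHAIN),
        "pkix_only": check_mx([parse_tlsa("1 0 1 " + "00" * 32)], CURRENT_CHAIN),
        "rollover_with_old_only": rollover_ready(only_old, CURRENT_CHAIN, NEXT_CHAIN),
        "rollover_with_both": rollover_ready(both, CURRENT_CHAIN, NEXT_CHAIN),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run as a script it prints the five outcomes; the "swapped_key_early" case is exactly the broken state a DANE-verifying sender sees when a key is regenerated before the matching "3 1 1" record has been published and propagated, and `rollover_ready` only turns true once both digests are in the RRset.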