Nice data: stats.dnssec-tools.org Nearly 2M domains with DNSSEC and MX pointing to host with DANE records. But under 5500 actual MX's with DANE records. IOW almost everyone's mail is outsourced to big providers...
I have attestation.app set up to send out the automated alert emails that are part of the service with OpenSMTPD + dkimproxy but I simply haven't had time to do more. Forwarding emails sent to the GrapheneOS domains is a placeholder until there's time to set something up.
It's not currently supported by OpenSMTPD which is the current mail server:
github.com/OpenSMTPD/Open
I don't know what happened with their work on implementing it. To have DANE verification in the short term I'd need to use a different mail server, which isn't very appealing.
If I run the mail server on another server to share it across attestation.app and grapheneos.org, AttestationServer would have a remote connection via SMTPS:
github.com/GrapheneOS/Att
I'd probably need to deal with TLS at a lower level to pin a certificate there.
I was reviewing this code in anticipation of using it and it turns out JavaMail requires manually enabling RFC 2595 (tools.ietf.org/html/rfc2595) verification due to backwards compatibility. It validates certificates by default but doesn't check the hostname...
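An added example, not part of the thread and not AttestationServer's code: one way to build JavaMail session properties for SMTPS that turn on the RFC 2595 hostname check and also pin the server's public key through a custom trust manager. The class name, the host `mail.example.org` and the all-zero pin are hypothetical values constructed for illustration; the `mail.smtps.ssl.*` keys are JavaMail's own property names.

```java
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

public class PinnedSmtpsConfig {
    static X509TrustManager defaultTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JDK's default trust store
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }
    static byte[] sha256(byte[] in) throws CertificateException {
        try { return MessageDigest.getInstance("SHA-256").digest(in); }
        catch (NoSuchAlgorithmException e) { throw new CertificateException(e); }
    }
    // Normal chain validation first, then require the leaf's SubjectPublicKeyInfo to match the pin.
    static X509TrustManager pinning(X509TrustManager base, byte[] expectedSpkiSha256) {
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                throw new CertificateException("client certificates not accepted");
            }
            public void checkServerTrusted(X509Certificate[] chain, String t) throws CertificateException {
                base.checkServerTrusted(chain, t);
                byte[] actual = sha256(chain[0].getPublicKey().getEncoded());
                if (!MessageDigest.isEqual(actual, expectedSpkiSha256))
                    throw new CertificateException("server key does not match pin");
            }
            public X509Certificate[] getAcceptedIssuers() { return base.getAcceptedIssuers(); }
        };
    }
    // Properties intended for javax.mail.Session.getInstance(props) with the "smtps" transport.
    static Properties smtpsProperties(String host, String pinBase64) throws GeneralSecurityException {
        byte[] pin = Base64.getDecoder().decode(pinBase64); // fails early on a malformed pin
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { pinning(defaultTrustManager(), pin) }, null);
        Properties p = new Properties();
        p.put("mail.smtps.host", host);
        p.put("mail.smtps.ssl.checkserveridentity", "true"); // hostname check, not on by default per the thread
        p.put("mail.smtps.ssl.socketFactory", ctx.getSocketFactory()); // pinned TLS sockets
        return p;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample values: placeholder host and an all-zero pin.
        String pin = Base64.getEncoder().encodeToString(new byte[32]);
        System.out.println(smtpsProperties("mail.example.org", pin).keySet());
    }
}
```

The class compiles against the JDK alone. Chain validation, the pin and the hostname check are three separate checks, and a connection should fail if any one of them does.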

