Summary: Mostly the same as last month, with significant progress on the DNS front, as infracom.nl's nameservers now handle TLSA lookups correctly (they now respond with valid denial of existence or actual TLSA records as appropriate).
The number of DANE-enabled domains that have also been sighted on Google's email transparency report has increased from 111 to 114, while the number of DNS zones with TLSA-enabled MX hosts has increased from 2615 to 2668. The overall count has increased from 171460 to 171738.
NOTE 1:
This month I've begun the transition to new backend code for the survey. The main visible change is that MX hosts that are, despite RFC requirements, CNAMEs for the real underlying host are no longer excluded from the survey. This leads to a small bump in the reported domain count (+81) that is due to the code change.
NOTE 2:
The survey only includes domains at least one of whose "primary" MX hosts has secure TLSA records. The previous survey code skipped past any MX hosts that provably (DNSSEC-validated) had neither IPv4 nor IPv6 addresses (secure NXDOMAIN or NODATA). The new survey code makes this more difficult, and I may at some point stop including these domains (613 at last count).
As of today I count 171738 domains with correct DANE TLSA records for SMTP. As expected, the bulk of the DANE domains are hosted by the handful of DNS/hosting providers who've enabled DANE support in bulk for the domains they host. The top 10 MX host providers by domain count are:
  69168 domeneshop.no
  60171 transip.nl
  18330 udmedia.de
   6611 bhosted.nl
   1809 nederhost.net
   1341 yourdomainprovider.net -- (includes former networking4all.net domains)
   1002 ec-elements.com
    512 core-networks.de
    378 omc-mail.com
    342 bit.nl
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.nl/.de.
There are 2668 unique zones in which the underlying MX hosts are found; this counts each of the above providers as just one zone, so it is a measure of the breadth of adoption in terms of servers deployed. Alternatively, a similar number is seen in the count (2910) of distinct MX host server certificates that support the same ~171000 domains (this month the count includes all the MX hosts, rather than just a single primary MX).
A related number is 3797 matching TLSA RRsets found for MX host TCP port 25. These certificates are vended by 3951 distinct MX hosts (some of which clearly employ a shared certificate).
The number of domains that at some point were listed in Gmail's email transparency report is 114 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 56 are in recent reports:
gmx.at lrz.de otvi.nl nic.br mail.de ouderportaal.nl registro.br posteo.de overheid.nl gmx.ch ruhr-uni-bochum.de pathe.nl open.ch tum.de uvt.nl anubisnetworks.com uni-erlangen.de xs4all.nl gmx.com unitymedia.de domeneshop.no mail.com web.de webcruitermail.no solvinity.com tilburguniversity.edu debian.org trashmail.com enron.email freebsd.org xfinity.com octopuce.fr gentoo.org xfinityhomesecurity.com comcast.net ietf.org bayern.de dd24.net isc.org bund.de gmx.net netbsd.org elster.de hr-manager.net openssl.org fau.de mpssec.net samba.org freenet.de t-2.net torproject.org gmx.de xs4all.net asf.com.pt jpberlin.de asp4all.nl
Of the ~172000 domains, 888 have "partial" TLSA records, that cover only a subset of the MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
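To make the "primary MX" and "partial" criteria above concrete, here is an added example of my own (not the survey's actual backend code) that applies those rules to a constructed set of MX hosts. The host names, the Tlsa outcome enum and the exact classify_domain() rules are assumptions; real use would replace the constructed lookup results with DNSSEC-validated TLSA queries for _25._tcp.<mx>.

```python
from dataclasses import dataclass
from enum import Enum


class Tlsa(Enum):
    """Outcome of a DNSSEC-validated lookup of _25._tcp.<mx>. IN TLSA (assumed set)."""
    SECURE_RRSET = "secure TLSA RRset"
    SECURE_NODATA = "secure denial of existence (NODATA/NXDOMAIN)"
    INSECURE = "answer from an unsigned zone (DANE clients ignore it)"
    NO_RESPONSE = "TLSA non-response or signature failure"


@dataclass
class MxHost:
    name: str
    preference: int
    has_address: bool   # secure A/AAAA records exist for the host
    tlsa: Tlsa


def classify_domain(mx_hosts):
    """Classify a domain as the survey text describes (my approximation of its rules).

    - MX hosts with provably no addresses are skipped, as the old survey code did.
    - Any TLSA lookup that fails outright makes the domain DNS-broken.
    - The domain counts as DANE only if at least one lowest-preference ("primary")
      MX host has a secure TLSA RRset; "partial" if some other MX host lacks one.
    """
    usable = [mx for mx in mx_hosts if mx.has_address]
    if not usable:
        return "no-usable-mx"
    if any(mx.tlsa is Tlsa.NO_RESPONSE for mx in usable):
        return "dns-broken"
    best = min(mx.preference for mx in usable)
    primary = [mx for mx in usable if mx.preference == best]
    if not any(mx.tlsa is Tlsa.SECURE_RRSET for mx in primary):
        return "no-dane"
    if all(mx.tlsa is Tlsa.SECURE_RRSET for mx in usable):
        return "dane"
    return "partial"


# Constructed sample: DANE-enabled primary, a backup MX without TLSA, and a
# dead backup with no addresses (skipped, so its non-response does not count).
SAMPLE = [
    MxHost("mx1.example.invalid", 10, True, Tlsa.SECURE_RRSET),
    MxHost("mx2.example.invalid", 20, True, Tlsa.SECURE_NODATA),
    MxHost("old-mx.example.invalid", 30, False, Tlsa.NO_RESPONSE),
]

if __name__ == "__main__":
    for mx in SAMPLE:
        print(f"{mx.preference:3d} {mx.name:24s} {mx.tlsa.value}")
    print("domain classification:", classify_domain(SAMPLE))  # partial
```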
The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 101. Below is a list of the 55 underlying MX hosts that serve these domains and whose TLSA records don't match reality:
Hall of Shame:
mail.dipietro.id.au h-hibernia.olnis-net.de dorothy.goldenhairdafo.net eumembers.stansoft.bg mx1.spamsponge.de mail.iaelu.net mx.delphij.com mail.stmartin-schwabach.de hs.kuzenkov.net mail.digitalwebpros.com mx.thorko.de oostergo.net demo.liveconfig.com smtp.flipmail.es cinnamon.nl intranet.nctechcenter.com mail.0pc.eu mail.e-rave.nl ny-do.pieterpottie.com palinet.eu mail.jekuiken.nl diablo.sgt.com mx.quentindavid.fr mail.myzt.nl tusk.sgt.com servmail.fr bounder.steelyard.nl mx1.wittsend.com mail.nonoserver.info mail.abanto-zierbena.org mx.bels.cz mail.bax.is beerstra.org gaia.nfx.cz mail.laukas.lt eumembers.datacentrix.org mail.b0red.de mx.datenknoten.me smtp3.amadigi.ovh mail.bg-netzwerk.de mx.giesen.me mail.pasion.ro mail.denniseffing.de completelyunoriginal.moe puggan.se mutt.lsexperts.de mail.castleturing.net mail.rostit.se mail.manima.de horse.cherrypet.net protector.rajmax.si www.mtg.de anubis.delphij.net h-hibernia.olnis-Net.de goldenhairdafo.net
The number of domains with bad DNSSEC support is 374. The top 10 DNS providers with problem domains are:
  66 jsr-it.nl
  26 active24.cz
  25 tiscomhosting.nl
  19 firstfind.nl
  16 rdw.nl
   9 metaregistrar.nl
   9 ignum.com
   8 ovh.net
   8 loopia.se
   7 rootdomains.nl
Around 46 of the broken domains have at least one working nameserver, and so are email-reachable, given enough retries. Only 5 of the DNS-broken domains appear in historical Google Email transparency reports:
tiviths.com.br tre-sp.jus.br trt1.jus.br trtrj.jus.br tse.jus.br
The associated DNS lookup issues are:
  _25._tcp.mx.tiviths.com.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.mx.tiviths.com.br/dnssec/
  _25._tcp.mx1.trt1.jus.br. IN TLSA ? ; zone signature failure: http://dnsviz.net/d/_25._tcp.mx1.trt1.jus.br/dnssec/
  _25._tcp.mx1.trtrj.jus.br. IN TLSA ? ; zone signature failure: http://dnsviz.net/d/_25._tcp.mx1.trtrj.jus.br/dnssec/
  _25._tcp.dexter.tse.jus.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.dexter.tse.jus.br/dnssec/
  _25._tcp.lalavava.tse.jus.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.lalavava.tse.jus.br/dnssec/
  _25._tcp.mandark.tse.jus.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.mandark.tse.jus.br/dnssec/
[ See https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-08. Much of the TLSA non-response issue seems to be related to a "feature" of Arbor Networks firewalls that enables dropping of DNS requests for all but the most common RRtypes. Do not make the mistake of enabling this firewall "feature". ]
The oldest outstanding DNS issue is another SOA signature issue at truman.edu dating back to Nov/2014:
http://dnsviz.net/d/_25._tcp.barracuda.truman.edu/VGzORw/dnssec/
I hope some day soon they'll start missing email they care about and take the time to resolve the problem.