Summary: A slow month. The DANE domain count is now 3,923,543 (cf. 3,924,107 last month).
The number of domains that return DNSSEC-validated replies in response to MX queries is 23,180,180 (up slightly from 23,141,061 last month). Thus DANE TLSA is deployed on ~16.92% of domains with DNSSEC. For more stats, see https://stats.dnssec-tools.org/. [ See the Credits[0] list below my signature. ]
A light at the end of the tunnel is that Microsoft are moving forward with enabling inbound DANE. Though the official start date is in Q1 2024, the first domain is already live, with its primary and secondary MX hosts DANE-enabled:
https://twitter.com/VDukhovni/status/1707817430125322421
https://stats.dnssec-tools.org/explore/?digitalcosmos.net
The 3rd and 4th MX hosts aren't yet on the new "mx.microsoft" platform.
As of today, I count ~3.92 million domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
This month                      Last Month
----------                      ----------
1322240 one.com                 1330342 one.com
 302353 hostpoint.ch             300967 hostpoint.ch
 209052 infomaniak.ch            205928 infomaniak.ch
 171630 transip.nl               171750 transip.nl
 168815 mijndomein.nl            168545 mijndomein.nl
 156229 jouwweb.nl               151627 jouwweb.nl
 141433 argewebhosting.nl        144160 argewebhosting.nl
 129838 simply.com               132421 simply.com
 111275 hostnet.nl               111071 hostnet.nl
 109926 domeneshop.no            109902 domeneshop.no
 105948 loopia.se                106030 loopia.se
  91048 webhostingserver.nl       91275 webhostingserver.nl
  83031 forpsi.com                83195 forpsi.com
  81293 zxcs.nl                   77300 zxcs.nl
  44103 protonmail.ch             43426 protonmail.ch
  40754 antagonist.nl             40528 antagonist.nl
  39341 active24.com              39981 active24.com
  37235 webreus.nl                37575 webreus.nl
  30037 pcextreme.nl              30373 pcextreme.nl
  28501 xel.nl                    28672 xel.nl
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .br, .cz, .eu, .no, .be, .pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month                   Last month
----------                   ----------
11403 TOTAL                  11375 TOTAL
 3586 DE, Germany             3553 DE, Germany
 1887 NL, Netherlands         1894 US, United States
 1885 US, United States       1886 NL, Netherlands
  864 FR, France               822 FR, France
  452 CZ, Czechia              443 CZ, Czechia
  360 GB, United Kingdom       369 GB, United Kingdom
  264 FI, Finland              268 FI, Finland
  203 CA, Canada               204 CA, Canada
  179 AT, Austria              202 AT, Austria
  165 SE, Sweden               167 SE, Sweden
  148 CH, Switzerland          148 CH, Switzerland
  146 DK, Denmark              144 DK, Denmark
  144 AU, Australia            140 AU, Australia
  125 SG, Singapore            123 SG, Singapore
   90 PL, Poland                92 RU, Russia
   85 RU, Russia                90 PL, Poland
   65 JP, Japan                 65 JP, Japan
   55 BR, Brazil                50 BR, Brazil
   52 NO, Norway                49 NO, Norway
   42 IT, Italy                 44 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:
This month                   Last month
----------                   ----------
 9295 TOTAL                   8949 TOTAL
 4201 NL, Netherlands         3857 NL, Netherlands
 2602 DE, Germany             2596 DE, Germany
  866 US, United States        883 US, United States
  375 FR, France               363 FR, France
  178 GB, United Kingdom       190 GB, United Kingdom
  178 CZ, Czechia              176 CZ, Czechia
  110 FI, Finland              111 FI, Finland
   82 CA, Canada                85 CA, Canada
   80 SE, Sweden                72 AU, Australia
   72 AU, Australia             69 SE, Sweden
   65 CH, Switzerland           62 CH, Switzerland
   50 SG, Singapore             50 SG, Singapore
   49 AT, Austria               48 AT, Austria
   41 JP, Japan                 41 JP, Japan
   30 RU, Russia                30 RU, Russia
   28 RO, Romania               30 RO, Romania
   27 NO, Norway                27 DK, Denmark
   26 BR, Brazil                25 BR, Brazil
   24 DK, Denmark               23 NO, Norway
   18 IE, Ireland               18 UA, Ukraine
There are 9,391 unique zones (9,398 last month) in which the underlying MX hosts are found. This counts each of the above providers as just one zone, and so is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 20,808 (20,884 last month). These cover 21,102 distinct MX hosts (21,182 last month; some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's email transparency report is 1,062 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 548 are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.92 million DANE domains, 14,262 (14,274 last month) have "partial" TLSA records, which cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer STARTTLS (even though TLSA records are published) stands today at 1,873 (2,180 last month). Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. The affected domain counts for the top 10 problem MX hosts are:
178 mx2.tkservers.com
133 mx2.solutive.nl
 42 mail.itcomputers.net
 37 mx04.speicher-werk.de
 35 mx1.mdbraber.com
 32 relay.csngroep.nl
 24 semark.dk
 23 smtp2.kruik-it.nl
 20 fsn1-c04.xemo-net.de
 19 web1.sys.ccs-baumann.de
To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-...
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-r...
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 1,057 (1,357 last month). The top 10 name server operators with problem domains are:
This Month                   Last month
----------                   ----------
715 neostrada.nl             963 neostrada.nl
 70 worldnic.com              93 worldnic.com
 60 ebola.cz                  65 ebola.cz
 32 openprovider.nl           39 openprovider.nl
 14 sectigoweb.com            14 sectigoweb.com
 13 register.com              13 register.com
 10 dnssrv.nl                 12 dnssrv.nl
  8 ispapi.net                 9 ispapi.net
  7 vultr.com                  7 vultr.com
  7 cloudns.net                7 resolver.domains
If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of existence appears in the last 120 days of Google transparency reports:
-- Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records (which don't need to match anything, they just need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency reports:
univie.ac.at web.de hoogenboezem-nieuwsbrieven.nl gmx.at westlotto.de huurexpert.nl vbv.at aeldresagen.dk hz.nl atmozreunion.be allbuy.dk ikdeburger.nl boozyshop.be annebrauner.dk inspirerendleven.nl triodos.be annes-atelier.dk interconnect.nl vanbreda.be australian-bodycare.dk interim-netwerk.nl cetelemnegocie.com.br avabeauty.dk jo-lyn.nl dwvmail.com.br bambustoej.dk kiesrijk.nl e-negociacao.com.br barons.dk lcrdm.nl e-renegocie.com.br bigsaver.dk liveatamsterdamsebos.nl zaaztelecom.com.br bog.dk mail-studio.nl nic.br buchcopenhagen.dk mailmore.nl registro.br camillakroeyer.dk mailon.nl activfitness-news.ch casanova.dk mailplus.nl blackout-bonusclub.ch computerworld.dk managementboek.nl gmx.ch damask.dk markteffectmail.nl hostpoint.ch danielspengetips.dk mcmta.nl infomaniak.ch danskebank.dk messen.nl migros-runnwin.ch datafordeler.dk mijndomein.nl msochrono.ch def.dk minbzk.nl open.ch densidsteflaske.dk mindef.nl protonmail.ch dfi.dk mm1.nl sherlockhomes.ch dk-hostmaster.dk nederweert.nl sms-gagnant.ch fibianet.dk netpoint.nl switch.ch foraeldresparring.dk netpointfactoring.nl simplelogin.co fvst.dk nieuwsservice-rvo.nl albourne.com gastrotools.dk nmnhevents.nl anonaddy.com globestudios.dk notbranded.nl ansigtsyogaonline.com idelig.dk noties.nl cm.com iphoneopladere.dk ns.nl collarofsweden.com kodbilen.dk nuudcare.nl colourfulrebel.com konkurspriser.dk nuwegexclusief.nl connectsb.com kystfisken.dk otys.nl danskebank.com labelking.dk ouderportaal.nl datev.com lacabra.dk overheid.nl denhaag.com lederstof.dk oxilionhosted.nl exegy.com lncrew.dk partijvoordedieren.nl fabfilter.com lysetikloster.dk partnermail.nl farmergracy.com mobilcovers.dk pipdenhaag.nl fastware-hosting.com musclehouse.dk podiumcadeaukaart.nl fromanteel-watches.com netic.dk politie.nl gmx.com nfinitybeauty.dk pp-prd.nl habr.com nimara.dk previder.nl highcharts.com nordd.dk prorun-mail.nl infomaniak.com nota.dk quicknet.nl ingthink.com opdagverden.dk rdw.nl intakt.com punktum.dk rijksoverheid.nl 
itskaos.com seniornews.dk rivm.nl johnbeerens.com shapeit.dk rvo.nl joomlapolis.com skjold-burne.dk sans-mail.nl jula.com smoon.dk schuurman-schoenen.nl kabayarefashion.com sneakerzone.dk shampoobars.nl kheaa.com stil.dk shoesme.nl kolabnow.com stpt.dk sietskescholten.nl leszexpertsfle.com strongcurves.dk sizzthebrand.nl librti.com thenap.dk smartwatchbanden.nl mactabeauty.com thesneakerstore.dk sportrusten.nl mail.com trueliving.dk ssonet.nl mailzerver.com venderbys.dk stater.nl medimeisterschaften.com vin-huset.dk svb.nl mixx.com vind.dk technicus.nl mplbeauty.com yuaiahaircare.dk telefoonglaasje.nl nanolearning.com tilburguniversity.edu toms.nl nine-pine.com just.ee transip.nl offshorecorptalk.com maarahvapood.ee triodos.nl one.com minuvalik.ee truetickets.nl orsys.com rik.ee tudelft.nl ottobredesign.com surveyturtle.ee uitgeverijpica.nl pieter-pot.com turunduslabor.ee upcmail.nl polyas.com zone.ee uvt.nl pompomlondon.com myownconference.email uwv.nl protonmail.com spam-filter.email vacaturesonline.nl protonvpn.com spotler.email vandale.nl renworkshops.com talentech.email vimexx.nl run-motion.com nuudcare.es vogeldagboek.nl sankakucomplex.com triodos.es vunzigedeuntjes.nl scorecloud.com egu.eu watchbandjes-shop.nl serverclienti.com finesoftware.eu waternet.nl solvinity.com iaccept.eu wehkampfinance.nl stasdock.com litebit.eu werkzoeken.nl stater.com zone.eu wonenmetlef.nl stellarequipment.com zonevs.eu ziggo.nl tcs.com danskebank.fi zorgmail.nl theintercept.com handelsbanken.fi zoweg-mail.nl thepcw.com metaburn.fi 8-bits.no thepcwholesale.com raumanteatteri.fi annabellstefanussen.no thesmmacademy.com rockdenim.fi babybanden.no triodos.com traficom.fi bergengokart.no tutanota.com ac-strasbourg.fr bull-ski-kajakk.no up2staff.com braceletsmartwatch.fr chillout.no veganallsorts.com compagnie-des-sens.fr domeneshop.no vivaldi.com nuudcare.fr dressmykid.no webcruiter.com passefranceallemagne.fr frivannsliv.no webmailph.com privea.fr godvar.no win-rar.com tid.gov.hk 
guttelus.no workvector.com fidesz.hu handelsbanken.no xfinity.com italiamail.hu hyttefeber.no xfinityhomesecurity.com bluebiz.info idrettenonline.no xfinitymobile.com eurocontrol.int kashmina.no bncr.fi.cr infinex.io lagerpriser.no airbank.cz rootnet.io marikrogshus.no akce-incomputer.cz nuudcare.it mystuff.no balikovna.cz neolink.link nordicprint.no bewooden.cz anonaddy.me norskgrammatikk.no cokoladovnajanek.cz pm.me raskebriller.no cpost.cz proton.me rushtrampoline.no cro.cz army.mil sillysanta.no csob.cz dla.mil smaaungene.no cuni.cz health.mil spillfabrikken.no dashofer.cz jten.mil strikkia.no dedra.cz mail.mil atelkamera.nu e-kondomy.cz navy.mil fitnessnu.nu ecps.cz nga.mil goget.nu fio.cz osd.mil lenhud.nu gynkrup.cz socom.mil aarding.org hypotecnibanka.cz uscg.mil agirpourlenvironnement.org innogy.cz usmc.mil debian.org itesco.cz apnic.net freebsd.org kb.cz benjaminfulford.net fridaysforfuture.org klenotyaurum.cz comcast.net gentoo.org klubpevnehozdravi.cz ewetel.net ietf.org ksporting.cz ficbook.net isc.org manymail.cz fivem.net mailbox.org mbank.cz gmx.net netbsd.org mfcr.cz graphistepro.net openssl.org mkluzkoviny.cz habramail.net ozlabs.org mojedatovaschranka.cz hr-manager.net postfix.org mrakyhracek.cz inexio.net torproject.org muni.cz intares.net biotechnologia.com.pl nic.cz mailanyone.net brebank.com.pl o2.cz masterinter.net mobily.com.sa optimail.cz mijngezondheid.net arbetsformedlingen.se outlet-alpine.cz mpssec.net australian-bodycare.se p-info.cz procurios.net bearplayshop.se poptavej.cz ripe.net bilprovningen.se pre.cz riseup.net du.se rozhlas.cz s-qrc.net ecster.se scrptd.cz soverin.net egensajt.se smtp.cz speedkom.net ellevio.se sparkys.cz t-2.net fashion-copenhagen.se stoklasa.cz amsterdam.nl handelsbanken.se tiscali.cz amsterdamwinefestival.nl hellomantle.se vas-server.cz aquastorexl.nl huskvarnafolketspark.se virusfree.cz belastingdienst.nl koreanbeauty.se vitalpoint.cz beterspellen.nl livlyclothing.se vshosting.cz bewustpuur.nl lnu.se 
zafido.cz bhosted.nl lomervarde.se zdravestravovani.cz blushfashionstore.nl loopia.se zonky.cz bobo.nl merchsweden.se bayern.de body-supplies.nl minmyndighetspost.se brandenburg.de boekwinkeltjes.nl naprapatlandslaget.se bund.de bolerolimonadewinkel.nl nordicprint.se bundesregierung.de boozyshop.nl performcollection.se datev.de box.nl polisen.se deutsch-franzoesischer-freundschaftspass.de bruut.nl silverdotter.se dfn.de burgernet.nl skatteverket.se ekom21.de caracamilla.nl skolverket.se elster.de carre.nl snbostader.se ewetel.de casema.nl soleplus.se fau.de cbr.nl svenskhusman.se freenet.de chello.nl teknikdelar.se gmx.de clubplanner.nl theletter.se huellen-shop.de degros.nl websupport.se jpberlin.de deijsvogel.nl agatinsvet.sk lmu.de deonlinetandarts.nl fio.sk lrz.de derooijfotografie.nl kadernickyservis.sk mail.de desan.nl lenivakucharka.sk mensa.de dewoningzoeker.nl mklozkoviny.sk mpg.de dictu.nl nakupujzdravo.sk posteo.de digid.nl rondogo.sk ruhr-uni-bochum.de dimehouse.nl toptop.sk smartwatcharmbaender.de dorcas.nl zapardrobnych.sk stwm.de druten.nl zeit-des-wandels.tv sys4.de duo.nl clientnews3.co.uk tu-darmstadt.de esuals.nl millieandblake.co.uk tum.de expeditionfestival.nl nuudcare.co.uk tutanota.de extinctionrebellion.nl thewordman.co.uk uni-augsburg.de ezorg.nl triodos.co.uk uni-bielefeld.de fivecityspa.nl nuudcare.us uni-erlangen.de haarlem.nl quantum-services.us uni-muenchen.de hobbygigant.nl ru.ac.za vicinityclo.de home.nl