Summary: The DANE domain count is now 3,987,641 (3,949,527 last month).
The number of domains that return DNSSEC-validated replies in response to MX queries is 23,197,449 (up slightly from 23,173,417 last month). Thus DANE TLSA is deployed on ~17.18% of domains with DNSSEC. For more stats, see https://stats.dnssec-tools.org/. [ See the Credits[0] list below my signature. ]
Reminder: If you're relying on trust-anchor (usage DANE-TA(2)) TLSA records matching a Let's Encrypt issuing CA, please note important upcoming changes in Let's Encrypt certificate issuance:
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/HESAY65...
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/GLRVY2C...
As of today, I count ~3.99 million domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
   This month                    Last Month
   ----------                    ----------
   1314010 one.com               1314953 one.com
    305329 hostpoint.ch           303663 hostpoint.ch
    216411 infomaniak.ch          212629 infomaniak.ch
    172489 transip.nl             172311 transip.nl
    170058 mijndomein.nl          169592 mijndomein.nl
    166814 jouwweb.nl             161972 jouwweb.nl
    138337 argewebhosting.nl      139685 argewebhosting.nl
    132653 simply.com             131004 simply.com
    111533 hostnet.nl             111235 hostnet.nl
    109976 domeneshop.no          109839 domeneshop.no
    106479 loopia.se              106090 loopia.se
     89713 webhostingserver.nl     90348 webhostingserver.nl
     83026 forpsi.com              83074 forpsi.com
     81215 zxcs.nl                 81323 zxcs.nl
     46191 protonmail.ch           44928 protonmail.ch
     41111 antagonist.nl           40974 antagonist.nl
     38611 active24.com            39102 active24.com
     36576 webreus.nl              36892 webreus.nl
     29196 pcextreme.nl            29674 pcextreme.nl
     28283 xel.nl                  28404 xel.nl
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .br, .cz, .eu, .no, .be, .pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
   This month                    Last month
   ----------                    ----------
   11870 TOTAL                   11663 TOTAL
    3785 DE, Germany              3687 DE, Germany
    1942 NL, The Netherlands      1932 NL, Netherlands
    1883 US, United States        1888 US, United States
     921 FR, France                883 FR, France
     479 CZ, Czechia               458 CZ, Czechia
     366 GB, United Kingdom        364 GB, United Kingdom
     272 FI, Finland               267 FI, Finland
     214 CA, Canada                213 CA, Canada
     187 CH, Switzerland           176 AT, Austria
     183 AT, Austria               171 CH, Switzerland
     169 SE, Sweden                161 SE, Sweden
     152 DK, Denmark               147 DK, Denmark
     145 AU, Australia             141 AU, Australia
     119 SG, Singapore             123 SG, Singapore
     102 RU, Russia                107 RU, Russia
      89 PL, Poland                 88 PL, Poland
      63 NO, Norway                 64 JP, Japan
      61 JP, Japan                  60 NO, Norway
      50 BR, Brazil                 51 BR, Brazil
      43 IT, Italy                  47 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:
   This month                    Last month
   ----------                    ----------
    9515 TOTAL                    9445 TOTAL
    4229 NL, The Netherlands      4224 NL, Netherlands
    2724 DE, Germany              2659 DE, Germany
     868 US, United States         881 US, United States
     401 FR, France                389 FR, France
     198 CZ, Czechia               189 CZ, Czechia
     183 GB, United Kingdom        177 GB, United Kingdom
     112 FI, Finland               110 FI, Finland
      83 CA, Canada                 87 CA, Canada
      78 SE, Sweden                 81 SE, Sweden
      76 AU, Australia              72 AU, Australia
      74 CH, Switzerland            68 CH, Switzerland
      52 AT, Austria                49 SG, Singapore
      46 SG, Singapore              47 AT, Austria
      39 JP, Japan                  43 RU, Russia
      32 RU, Russia                 39 JP, Japan
      29 RO, Romania                30 BR, Brazil
      28 NO, Norway                 28 RO, Romania
      28 BR, Brazil                 26 NO, Norway
      22 DK, Denmark                23 DK, Denmark
      17 IE, Ireland                18 LT, Lithuania
There are 10,192 unique zones (9,773 last month) in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 20,854 (20,781 last month). These cover 21,158 distinct MX hosts (21,077 last month, some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's email transparency report is 1,135 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 614 are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.99 million DANE domains, 14,431 (14,236 last month) have "partial" TLSA records, that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer STARTTLS (even though TLSA records are published) stands today at 1,655 (1,873 last month). Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. The affected domain counts for the top 10 problem MX hosts are:
   172 mx2.tkservers.com
    40 svr3.it-df.net
    35 mx1.mdbraber.com
    27 mail.orionpanel.nl
    23 smtp2.kruik-it.nl
    19 web1.sys.ccs-baumann.de
    19 fsn1-c04.xemo-net.de
    15 mail.nationaalarchief.nl
    15 artemis.strebsjig.net
    13 smtp.philinnon.net
To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-...
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-r...
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 838 (901 last month). The top 10 name server operators with problem domains are:
   This Month                    Last month
   ----------                    ----------
     608 neostrada.nl             665 neostrada.nl
      61 worldnic.com              62 worldnic.com
      22 openprovider.nl           24 openprovider.nl
      14 sectigoweb.com            14 sectigoweb.com
      13 register.com              13 register.com
       8 ispapi.net                 9 dnssrv.nl
       8 dnssrv.nl                  8 ispapi.net
       7 vultr.com                  7 vultr.com
       6 resolver.domains           6 resolver.domains
       6 forpsi.net                 6 forpsi.net
If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of existence appears in the last 120 days of Google transparency reports:
mailazy.net
-- Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records, (which don't need to match anything, just need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency reports:
vbv.ag tutanota.de hro.nl univie.ac.at uni-augsburg.de huurexpert.nl gmx.at uni-bielefeld.de ikdeburger.nl vbv.at uni-erlangen.de inspirerendleven.nl boozyshop.be uni-muenchen.de interconnect.nl eos-contentia.be vicinityclo.de interim-netwerk.nl triodos.be web.de josephinajewelry.nl nra.bg westlotto.de kiesrijk.nl cetelemnegocie.com.br aeldresagen.dk maastrichtuniversity.nl dwvmail.com.br allbuy.dk mailmore.nl e-negociacao.com.br anna-hjorth.dk mailon.nl e-renegocie.com.br annebrauner.dk mailplus.nl pn1.com.br australian-bodycare.dk managementboek.nl zaaztelecom.com.br avabeauty.dk markteffectmail.nl defesa.gov.br bambustoej.dk mcmta.nl nic.br barons.dk mijndomein.nl registro.br bigsaver.dk minbzk.nl activfitness-news.ch bisgaardshoes.dk mindef.nl blackout-bonusclub.ch bog.dk mm1.nl creditum.ch borgerforslag.dk nieuwsservice-rvo.nl escalade.ch bymelanie.dk notbranded.nl gmx.ch camillakroeyer.dk noties.nl handy-abovergleich.ch casanova.dk ns.nl hostpoint.ch champagneklubben.dk nuudcare.nl infomaniak.ch cillouettes.dk nuwegexclusief.nl msochrono.ch computerworld.dk opnaarwonderland.nl open.ch damask.dk ouderenfonds.nl protonmail.ch danielspengetips.dk ouderportaal.nl sherlockhomes.ch danskebank.dk overheid.nl sms-gagnant.ch denmentalekriger.dk oxilionhosted.nl wog.ch densidsteflaske.dk partijvoordedieren.nl simplelogin.co dfi.dk partnermail.nl aim-care.com dressforsuccess.dk podiumcadeaukaart.nl albourne.com ens.dk politie.nl also.com fibianet.dk pp-prd.nl anonaddy.com foraeldresparring.dk previder.nl ansigtsyogaonline.com gastrotools.dk prorun-mail.nl boozyshop.com globestudios.dk pvv.nl canva-facile.com hook-up.dk quicknet.nl cm.com hostedsepo.dk rdw.nl collarofsweden.com idelig.dk rijksoverheid.nl connectsb.com iphoneopladere.dk rvig.nl danskebank.com ixstudioscph.dk rvo.nl datev.com kagegrisen.dk sans-mail.nl denhaag.com kisserpaludan.dk schuurman-schoenen.nl explorer-hotels.com kk.dk scorion.nl fabfilter.com kodbilen.dk shampoobars.nl farmergracy.com 
konkurspriser.dk shapeit.nl fastware-hosting.com kystfisken.dk shoesme.nl flaneurhomme.com lacabra.dk sietskescholten.nl fromanteel-watches.com lammeskindet.dk sizzthebrand.nl getpaidopportunities.com lederstof.dk smartwatchbanden.nl gmx.com mobilcovers.dk snowbass.nl goodforme.com musclehouse.dk spamservice.nl habr.com netic.dk sportrusten.nl headachecalendar.com nexsmart.dk ssonet.nl highcharts.com nfinitybeauty.dk stater.nl infomaniak.com nimara.dk svb.nl ingthink.com nordd.dk svr.nl intakt.com nordicsheep.dk technicus.nl itskaos.com nota.dk telefoonglaasje.nl johnbeerens.com online-mode.dk thealphamen.nl joomlapolis.com opdagverden.dk transip.nl jula.com pengeogfrihed.dk triodos.nl kabayarefashion.com perfectjeans.dk truetickets.nl kae-cosmetici.com qookware.dk tudelft.nl kantarresearch.com sengefabrikken.dk uitgeverijpica.nl kheaa.com seniornews.dk upcmail.nl leszexpertsfle.com shapeit.dk uvt.nl librti.com skjold-burne.dk uwv.nl mail.com smoon.dk vacaturesonline.nl mailzerver.com sneakerzone.dk vandale.nl marsblade.com stil.dk vimexx.nl meriamecouture.com sygeforsikring.dk vluchtelingenwerk.nl mixx.com thenap.dk vunzigedeuntjes.nl mplbeauty.com thesneakerstore.dk watchbandjes-shop.nl nanolearning.com trueliving.dk waternet.nl nine-pine.com viggo.dk wehkampfinance.nl novashops.com vin-huset.dk werkzoeken.nl offshorecorptalk.com vind.dk ziggo.nl one.com yuaiahaircare.dk zorgmail.nl orsys.com tilburguniversity.edu ankerstjerne.no ottobredesign.com biotheka.ee annabellstefanussen.no pieter-pot.com holt.ee babybanden.no pompomlondon.com maarahvapood.ee bergengokart.no protonmail.com minuvalik.ee bull-ski-kajakk.no run-motion.com turunduslabor.ee chillout.no runbox.com myownconference.email day-et.no sankakucomplex.com spam-filter.email domeneshop.no scorecloud.com spotler.email dressmykid.no serverclienti.com nuudcare.es godvar.no sisuknitwear.com triodos.es guttelus.no sneakerjeans.com egu.eu handelsbanken.no solvinity.com finesoftware.eu hoppin.no 
speciale-offre.com iaccept.eu hyttefeber.no sportnotch.com litebit.eu idrettenonline.no stasdock.com mailplatform.eu kashmina.no stater.com zerolime.eu lagerpriser.no stellarequipment.com zonevs.eu marikrogshus.no tcs.com danskebank.fi modostore.no the-vfl.com fsol.fi mystuff.no theintercept.com handelsbanken.fi nordiskbylien.no thepcw.com metaburn.fi norskgrammatikk.no thepcwholesale.com sillysanta.fi raskebriller.no thesmmacademy.com ac-strasbourg.fr rushtrampoline.no thingsilikethingsilove.com boozyshop.fr smaaungene.no triodos.com braceletsmartwatch.fr spillfabrikken.no tutanota.com compagnie-des-sens.fr strikkia.no up2staff.com edtm-actu.fr suksessmednetthandel.no veganallsorts.com nuudcare.fr svippr.no vivaldi.com oo2.fr veronicalill.no webcruiter.com passefranceallemagne.fr analysedanmark.nu win-rar.com privea.fr atelkamera.nu xfinity.com fvap.gov goget.nu xfinityhomesecurity.com nsa.gov hallbarhalsa.nu xfinitymobile.com tid.gov.hk lenhud.nu bncr.fi.cr fidesz.hu agirpourlenvironnement.org airbank.cz italiamail.hu checkmyads.org akce-incomputer.cz bluebiz.info debian.org amenit.cz eurocontrol.int freebsd.org balikovna.cz infinex.io fridaysforfuture.org bewooden.cz nuudcare.it gentoo.org cd.cz neolink.link ietf.org cokoladovnajanek.cz etat.lu isc.org cpost.cz nic.lv mailbox.org creammy.cz anonaddy.me mailop.org csob.cz pm.me netbsd.org csobstavebni.cz proton.me ozlabs.org cuni.cz army.mil postfix.org dashofer.cz dla.mil samba.org dedra.cz dma.mil torproject.org e-kondomy.cz health.mil biotechnologia.com.pl ecps.cz jten.mil asf.com.pt ekokoza.cz mail.mil mobily.com.sa fio.cz navy.mil arbetsformedlingen.se hobynaradi.cz nga.mil australian-bodycare.se hypotecnibanka.cz osd.mil bearplay.se innogy.cz socom.mil bearplayshop.se itesco.cz spaceforce.mil bidflow.se kb.cz uscg.mil bilprovningen.se klenotyaurum.cz usmc.mil crtzoo.se klubpevnehozdravi.cz comcast.net ecster.se ksporting.cz ewetel.net egensajt.se manymail.cz ficbook.net ellevio.se maxmax.cz fivem.net 
epochtimes-mejl.se mbank.cz gmx.net fashion-copenhagen.se mfcr.cz habramail.net handelsbanken.se mindsoft.cz hr-manager.net hellomantle.se mkluzkoviny.cz inexio.net innebandy24.se mojedatovaschranka.cz mailanyone.net jaramba.se mrakyhracek.cz masterinter.net klasspengar.se muni.cz mijngezondheid.net koreanbeauty.se nic.cz mpssec.net kulturaktiebolaget.se nilia.cz octopoos.net livlyclothing.se nku.cz procurios.net lnu.se o2.cz ripe.net lomervarde.se opravdovezlociny.cz riseup.net loopia.se optimail.cz s-qrc.net malarfabriken.se outlet-alpine.cz soverin.net merchsweden.se p-info.cz t-2.net minmyndighetspost.se pivoteka.cz amsterdam.nl nordicsheep.se poptavej.cz amsterdamwinefestival.nl performcollection.se scrptd.cz aquastorexl.nl polisen.se server4u.cz bankhoesdiscounter.nl refitness.se shopex.cz belastingdienst.nl samblamail.se smtp.cz beterinbeleggen.nl sillysanta.se sparkys.cz beterspellen.nl silverdotter.se stoklasa.cz bewustpuur.nl skatteverket.se tefal.cz bhosted.nl skolverket.se thinline.cz blushfashionstore.nl snbostader.se vas-server.cz bobo.nl soleplus.se vitalpoint.cz body-supplies.nl teeshoppen.se vshosting.cz bolerolimonadewinkel.nl teknikdelar.se zafido.cz boozyshop.nl theletter.se zdravestravovani.cz box.nl websupport.se zlocinozrouti.cz bruut.nl agatinsvet.sk zonky.cz burgernet.nl bewooden.sk bayern.de carre.nl coopka.sk brandenburg.de casema.nl edirect.sk bund.de cbr.nl fio.sk bundesregierung.de chello.nl gravirovane.sk datev.de clubplanner.nl hecht.sk dfn.de csvjongholland.nl lenivakucharka.sk elster.de degros.nl mamaaja.sk ewetel.de derooijfotografie.nl mklozkoviny.sk fau.de desan.nl mnforce-panel.sk freenet.de dewebmakers.nl nakupujzdravo.sk gmx.de dictu.nl nlp-akademia.sk hi7.de digibtw.nl partner.sk huellen-shop.de digid.nl penzionmara.sk jpberlin.de dimehouse.nl poziadavka.sk lmu.de domain-registry.nl rondogo.sk lrz.de dorcas.nl travelmail.sk mail.de duo.nl zapardrobnych.sk mensa.de eabstest.nl zeit-des-wandels.tv mindline-analytics.de 
efactuurdirect.nl afinepairofshoes.co.uk mpg.de esuals.nl clientnews3.co.uk posteo.de extinctionrebellion.nl millieandblake.co.uk ruhr-uni-bochum.de ezorg.nl nuudcare.co.uk sifjakobs.de frfc1908.nl thewordman.co.uk smartwatcharmbaender.de hobbygigant.nl triodos.co.uk sys4.de home.nl nuudcare.us taures.de hostingpeople.nl quantum-services.us tu-darmstadt.de hostnet.nl ru.ac.za tum.de hr.nl
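The three checks this report keeps coming back to (a domain counts as DANE only when every MX host has a correct TLSA RRset; "partial" coverage leaves the uncovered MX hosts open to active attacks; and TLSA records must keep matching across certificate renewal and key rotation) are shown below in working code. This is an added example, not part of the message above and not code from the survey or from any tool it links to. The host names, serial numbers and certificate skeletons are constructed; no DNS lookups or SMTP/TLS connections are made, and the DNSSEC validation a real DANE client performs before trusting the TLSA RRset is assumed to have already happened.

```python
"""Offline SMTP DANE TLSA matching and coverage classification (added example)."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass

# ---- minimal DER helpers: enough to build and walk a certificate skeleton ----

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf: bytes, pos: int) -> tuple[bytes, bytes, int]:
    """Return (whole TLV, body, position after it) for the TLV starting at pos."""
    start = pos
    pos += 1                                   # tag byte
    n = buf[pos]
    pos += 1
    if n & 0x80:                               # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return buf[start:pos + n], buf[pos:pos + n], pos + n

def der_children(tlv: bytes) -> list[bytes]:
    """TLVs directly contained in a constructed TLV (SEQUENCE, SET, [0], ...)."""
    _, body, _ = _read_tlv(tlv, 0)
    out, pos = [], 0
    while pos < len(body):
        child, _, pos = _read_tlv(body, pos)
        out.append(child)
    return out

def spki_of(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo of an X.509 certificate (the selector-1 input).
    tbsCertificate = [0] version?, serial, sigAlg, issuer, validity, subject, spki, ..."""
    fields = der_children(der_children(cert_der)[0])
    if fields[0][0] == 0xA0:                   # explicit [0] version is present
        fields = fields[1:]
    return fields[5]

# ---- TLSA semantics for SMTP (RFC 7672) ----

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes

def assoc_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Certificate association data a TLSA record with this selector/type carries."""
    raw = cert_der if selector == 0 else spki_of(cert_der)
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}
    return digest[mtype](raw)

def tlsa_matches(rr: TLSA, chain: list[bytes]) -> bool:
    """DANE-EE(3) matches the leaf the server presents; DANE-TA(2) matches an issuer
    certificate in the presented chain (the PKIX path to that issuer must also verify,
    not shown here). RFC 7672 declares PKIX-TA(0)/PKIX-EE(1) unusable for SMTP."""
    if rr.usage == 3:
        return assoc_data(chain[0], rr.selector, rr.mtype) == rr.data
    if rr.usage == 2:
        return any(assoc_data(c, rr.selector, rr.mtype) == rr.data for c in chain[1:])
    return False

def rrset_matches(rrset: list[TLSA], chain: list[bytes]) -> bool:
    """An RRset is satisfied when any one usable record matches."""
    return any(tlsa_matches(rr, chain) for rr in rrset)

def coverage(mx_ok: dict[str, bool]) -> str:
    """Classify as the survey does: 'dane' only when every MX host has a correct
    TLSA RRset, 'partial' when only some do (the rest stay exposed), else 'none'."""
    good = sum(mx_ok.values())
    return "dane" if good == len(mx_ok) else "partial" if good else "none"

def rotation_rrset(mx_host: str, current_cert: bytes, next_cert: bytes) -> list[str]:
    """'3 1 1' records for the current and the next key: publish both (and wait out
    the TTL) before switching keys, so the RRset keeps matching during rotation."""
    return [f"_25._tcp.{mx_host}. IN TLSA 3 1 1 {assoc_data(c, 1, 1).hex()}"
            for c in (current_cert, next_cert)]

def fake_cert(key_blob: bytes, serial: int) -> bytes:
    """Constructed certificate skeleton: real X.509 field layout, no valid signature."""
    rsa_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, b"mx.example"))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + key_blob))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + sig_alg + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 9))

def demo() -> dict:
    key_a, key_b = b"\x30\x0d" + b"\xa1" * 16, b"\x30\x0d" + b"\xb2" * 16  # constructed keys
    cert1 = fake_cert(key_a, 1)          # current certificate
    cert1_renewed = fake_cert(key_a, 2)  # reissued with the same key (new serial)
    cert2 = fake_cert(key_b, 3)          # certificate for the next key
    full = TLSA(3, 0, 1, assoc_data(cert1, 0, 1))   # "3 0 1": hash of the whole cert
    spki = TLSA(3, 1, 1, assoc_data(cert1, 1, 1))   # "3 1 1": hash of the key
    return {
        "3 0 1 after renewal": tlsa_matches(full, [cert1_renewed]),  # False: bytes changed
        "3 1 1 after renewal": tlsa_matches(spki, [cert1_renewed]),  # True: key unchanged
        "3 1 1 after key change": tlsa_matches(spki, [cert2]),       # False: rotate first
        "rotation rrset": rotation_rrset("mx1.example", cert1, cert2),
        "coverage": coverage({"mx1.example": True, "mx2.example": False}),  # partial
    }

if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The renewal case is why the linked advice steers away from "3 0 1"/"3 0 2": with an automated CA every renewal changes the certificate bytes even when the key stays put, so a whole-certificate digest stops matching while a SubjectPublicKeyInfo digest does not. The `rotation_rrset` output is the pre-published two-record RRset (current and next key) that keeps the host reachable across a key change; the `coverage` result is what the report calls a "partial" domain.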