Update on stats 2018-04
Summary: The DANE domain count is now 205,351. Much of the increase is the result of better (though still incomplete) coverage of the ".no" TLD, but some is due to the more gradual steady increase in the breadth of adoption. I hope to broaden the coverage further in May.
The number of DNSSEC domains in the survey stands at 6,017,669, thus DANE TLSA is deployed on 3.41% of domains with DNSSEC.
Data graciously provided by Gmail shows that 16,170 of the DANE domains have received recent email from at least 5 senders. And 2449 (vs. 1,542 a year ago out of a then total 137,244 domains) of the domains have received at least 50 recent messages.
As of today I count 205,351 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected the bulk of the DANE domains are hosted by the handful of DNS/hosting providers who've enabled DANE support in bulk for the domains they host. The top 10 MX host providers by domain count are:
  90580 domeneshop.no (result of better .no coverage)
  67122 transip.nl
  19107 udmedia.de
   6142 bhosted.nl
   1787 nederhost.nl
   1214 yourdomainprovider.net
    878 hi7.de (name change from ec-elements.com)
    751 surfmailfilter.nl
    549 core-networks.de
    456 omc-mail.com
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.nl/.de. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 10 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented):
  1374 DE, Germany
   922 US, United States
   490 NL, Netherlands
   358 FR, France
   157 GB, United Kingdom
   125 CZ, Czech Republic
    88 CA, Canada
    65 SE, Sweden
    56 CH, Switzerland
    49 SG, Singapore
IPv6 is still comparatively rare for MX hosts, and the top 10 countries by DANE MX host IPv6 GeoIP are (same top 6).
   782 DE, Germany
   474 US, United States
   286 NL, Netherlands
   221 FR, France
    94 GB, United Kingdom
    76 CZ, Czech Republic
    37 SE, Sweden
    26 SG, Singapore
    24 CH, Switzerland
    16 IE, Ireland
There are 3264 unique zones in which the underlying MX hosts are found; this counts each of the above providers as just one zone, so it is a measure of the breadth of adoption in terms of servers deployed.
The number of published MX host TLSA RRsets found is 4675. These cover 4933 distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).
The number of domains that at some point were listed in Gmail's email transparency report is 132 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 71 are in recent reports:
gmx.at ruhr-uni-bochum.de politie.nl travelbirdbelgique.be tum.de uvt.nl nic.br uni-erlangen.de xs4all.nl registro.br unitybox.de domeneshop.no gmx.ch unitymedia.de handelsbanken.no open.ch web.de webcruitermail.no anubisnetworks.com dk-hostmaster.dk aegee.org gmx.com egmontpublishing.dk debian.org mail.com tilburguniversity.edu freebsd.org solvinity.com insee.fr gentoo.org trashmail.com octopuce.fr ietf.org xfinity.com comcast.net isc.org xfinityhomesecurity.com dd24.net netbsd.org xfinitymobile.com dns-oarc.net openssl.org bayern.de gmx.net samba.org bund.de hr-manager.net torproject.org elster.de mpssec.net asf.com.pt fau.de t-2.net handelsbanken.se freenet.de xs4all.net minmyndighetspost.se gmx.de bhosted.nl skatteverket.se jpberlin.de boozyshop.nl t-2.si lrz.de ouderportaal.nl mail.co.uk mail.de overheid.nl govtrack.us posteo.de pathe.nl
Of the ~205000 domains, 1502 have "partial" TLSA records, that cover only a subset of the MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 258. Some of these also have MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. Going forward I'm no longer listing the problem MX hosts here. Instead, I am contributing data to the github project that tracks domains with DANE failures:
https://github.com/danefail/list
Please open issues or pull requests if you have domains that are not listed. To avoid getting listed, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
http://imrryr.org/~viktor/ICANN61-viktor.pdf
http://imrryr.org/~viktor/icann61-viktor.mp3
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
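The following is an added example, not code from the original post or from the survey: it shows, in stdlib Python, how the "full / partial / broken" classification of a domain's MX hosts above can be derived from the TLSA records published at _25._tcp.<mx> and what each host actually presents, and it walks the TLSA-safe key rollover that the RFC 7671 references recommend (pre-publish the new "3 1 1" record, wait out the TTL, then switch keys, then drop the old record) next to the naive key-first order that opens a delivery-failure window. Host names, record contents and the "DER" byte strings are constructed placeholders, not real certificates; only DANE-EE (usage 3) matching is implemented, since DANE-TA (usage 2) needs the full chain, not just the leaf.

```python
"""Added example (not from the original post). All hosts, keys and DER
bytes are constructed placeholders."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0..3; SMTP DANE uses 2 (DANE-TA) or 3 (DANE-EE)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation form, e.g. '3 1 1 2bb1...' (hex may contain spaces)."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex(hexdata.replace(" ", "")))


def tlsa_to_rdata(rr: TLSA) -> str:
    """Inverse of parse_tlsa: the text you would put in the zone file."""
    return f"{rr.usage} {rr.selector} {rr.mtype} {rr.data.hex()}"


def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what a TLSA record with these parameters must contain."""
    blob = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return blob
    if mtype == 1:
        return hashlib.sha256(blob).digest()
    if mtype == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {mtype}")


def ee_record(spki_der: bytes) -> TLSA:
    """The '3 1 1' record (DANE-EE, SPKI, SHA-256) commonly used for SMTP."""
    return TLSA(3, 1, 1, hashlib.sha256(spki_der).digest())


def tlsa_matches(rrset: List[TLSA], cert_der: bytes, spki_der: bytes) -> bool:
    """True if some DANE-EE record matches what the MX host presented."""
    return any(rr.usage == 3 and
               rr.data == association_data(rr.selector, rr.mtype, cert_der, spki_der)
               for rr in rrset)


def domain_status(mx_hosts: Dict[str, dict]) -> str:
    """Classify a domain along the lines of the survey categories.
    mx_hosts maps each MX host to what a probe observed:
      tlsa: records found at _25._tcp.<host>; starttls: advertised or not;
      cert, spki: DER bytes presented (constructed placeholders here).
    'full'    every MX host publishes matching TLSA records
    'partial' every published RRset matches, but some hosts publish none
    'broken'  some host publishes TLSA but has no STARTTLS or no match
    'none'    no host publishes TLSA at all"""
    published = {h: o for h, o in mx_hosts.items() if o["tlsa"]}
    if not published:
        return "none"
    for obs in published.values():
        if not obs["starttls"] or not tlsa_matches(obs["tlsa"], obs["cert"], obs["spki"]):
            return "broken"
    return "full" if len(published) == len(mx_hosts) else "partial"


def rollover(old_spki: bytes, new_spki: bytes, naive: bool) -> List[Tuple[str, List[TLSA], bytes]]:
    """Simulate a '3 1 1' key rollover as (step label, published RRset, live SPKI).
    Safe order (RFC 7671 section 8.1): pre-publish the new record beside the
    old, wait at least twice the TLSA TTL so every cache has seen both, only
    then install the new key, and finally drop the old record.
    naive=True installs the key first and fixes DNS afterwards."""
    old, new = ee_record(old_spki), ee_record(new_spki)
    if naive:
        return [("before", [old], old_spki),
                ("key switched, DNS not yet updated", [old], new_spki),
                ("DNS updated", [new], new_spki)]
    return [("before", [old], old_spki),
            ("new record pre-published, wait 2x TTL", [old, new], old_spki),
            ("key switched", [old, new], new_spki),
            ("old record dropped", [new], new_spki)]


def rollover_broken_steps(old_spki: bytes, new_spki: bytes, naive: bool) -> List[str]:
    """Labels of steps during which a DANE-verifying sender would refuse to deliver."""
    return [label for label, rrset, live in rollover(old_spki, new_spki, naive)
            if not tlsa_matches(rrset, b"", live)]


# Constructed sample: one domain with two MX hosts, only mx1 publishing TLSA.
SPKI_A = b"constructed SPKI DER placeholder for mx1"   # not real ASN.1
SPKI_B = b"constructed SPKI DER placeholder for mx2"
SAMPLE = {
    "mx1.example.net": {"tlsa": [ee_record(SPKI_A)], "starttls": True, "cert": b"", "spki": SPKI_A},
    "mx2.example.net": {"tlsa": [], "starttls": True, "cert": b"", "spki": SPKI_B},
}

if __name__ == "__main__":
    print(domain_status(SAMPLE))                                   # partial
    print(rollover_broken_steps(SPKI_A, SPKI_B, naive=True))       # one broken step
    print(rollover_broken_steps(SPKI_A, SPKI_B, naive=False))      # no broken step
```

The classification puts "broken" ahead of "partial": a domain where one MX host has a stale record is counted as broken even if another host is fine, which mirrors how the counts above treat such domains. A monitoring job built on this would re-probe each MX host after every certificate or key change and page when `domain_status` leaves "full"; the rollover walk shows why the DNS change has to precede the key change, not follow it.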
After eliminating parked domains that do not accept email of any kind, the number of "real" email domains with bad DNSSEC support stands at 110. The top 10 name server operators with problem domains are:
     8 tse.jus.br
     8 psb1.org
     8 nazwa.pl
     7 active24.cz
     5 tiscomhosting.nl
     4 ignum.com
     4 glbns.com
     4 centralpark.se
     4 army.mil
     4 1cocomo.com
No domains all of whose nameservers have broken denial of existence appear in historical Google reports.
Viktor Dukhovni