Summary: The DANE domain count is now 3,924,107 (cf. 3,912,433 last month).
The number of domains that return DNSSEC-validated replies in response to MX queries is 23,141,061 (up from 22,903,540 last month). Thus DANE TLSA is deployed on ~16.95% of domains with DNSSEC. For more stats, see https://stats.dnssec-tools.org/. [ See the Credits[0] list below my signature. ]
As of today, I count ~3.92 million domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
This month                      Last Month
----------                      ----------
1330342 one.com                 1333382 one.com
 300967 hostpoint.ch             299458 hostpoint.ch
 205928 infomaniak.ch            203039 infomaniak.ch
 171750 transip.nl               171198 transip.nl
 168545 mijndomein.nl            168858 mijndomein.nl
 151627 jouwweb.nl               146592 jouwweb.nl
 144160 argewebhosting.nl        144707 argewebhosting.nl
 132421 simply.com               132528 simply.com
 111071 hostnet.nl               111147 hostnet.nl
 109902 domeneshop.no            109837 domeneshop.no
 106030 loopia.se                105606 loopia.se
  91275 webhostingserver.nl       91554 webhostingserver.nl
  83195 forpsi.com                82952 forpsi.com
  77300 zxcs.nl                   73635 zxcs.nl
  43426 protonmail.ch             42379 protonmail.ch
  40528 antagonist.nl             40463 antagonist.nl
  39981 active24.com              40012 active24.com
  37575 webreus.nl                37765 webreus.nl
  30373 pcextreme.nl              30673 pcextreme.nl
  28672 xel.nl                    28631 xel.nl
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .br, .cz, .eu, .no, .be, .pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month                      Last month
----------                      ----------
11375 TOTAL                     11268 TOTAL
 3553 DE, Germany                3525 DE, Germany
 1894 US, United States          1889 NL, Netherlands
 1886 NL, Netherlands            1866 US, United States
  822 FR, France                  825 FR, France
  443 CZ, Czechia                 444 CZ, Czechia
  369 GB, United Kingdom          368 GB, United Kingdom
  268 FI, Finland                 264 FI, Finland
  204 CA, Canada                  203 CA, Canada
  202 AT, Austria                 198 AT, Austria
  167 SE, Sweden                  160 SE, Sweden
  148 CH, Switzerland             149 CH, Switzerland
  144 DK, Denmark                 143 DK, Denmark
  140 AU, Australia               141 AU, Australia
  123 SG, Singapore               123 SG, Singapore
   92 RU, Russia                   85 PL, Poland
   90 PL, Poland                   84 RU, Russia
   65 JP, Japan                    65 JP, Japan
   50 BR, Brazil                   49 NO, Norway
   49 NO, Norway                   48 BR, Brazil
   44 IT, Italy                    40 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:
This month                      Last month
----------                      ----------
 8949 TOTAL                      8828 TOTAL
 3857 NL, Netherlands            3802 NL, Netherlands
 2596 DE, Germany                2564 DE, Germany
  883 US, United States           847 US, United States
  363 FR, France                  364 FR, France
  190 GB, United Kingdom          183 GB, United Kingdom
  176 CZ, Czechia                 177 CZ, Czechia
  111 FI, Finland                 115 FI, Finland
   85 CA, Canada                   83 CA, Canada
   72 AU, Australia                80 SE, Sweden
   69 SE, Sweden                   72 AU, Australia
   62 CH, Switzerland              65 CH, Switzerland
   50 SG, Singapore                48 SG, Singapore
   48 AT, Austria                  48 AT, Austria
   41 JP, Japan                    43 RU, Russia
   30 RU, Russia                   42 JP, Japan
   30 RO, Romania                  30 RO, Romania
   27 DK, Denmark                  27 DK, Denmark
   25 BR, Brazil                   24 NO, Norway
   23 NO, Norway                   19 BR, Brazil
   18 UA, Ukraine                  18 IE, Ireland
There are 9,398 unique zones (9,324 last month) in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 20,884 (20,191 last month). These cover 21,182 distinct MX hosts (20,488 last month; some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's email transparency report is 1,048 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 550 are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.92 million DANE domains, 14,274 (14,246 last month) have "partial" TLSA records, which cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer STARTTLS (even though TLSA records are published) stands today at 2,180 (1,796 last month). Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. The affected domain counts for the top 10 problem MX hosts are:
183 smtp.domwest.net
150 mx1.systemhaus-ehst.de
139 mx2.dotxs.net
 79 vps04.marcus.services
 69 mx1.risse.cloud
 35 mx1.mdbraber.com
 32 relay.csngroep.nl
 24 semark.dk
 22 fsn1-c04.xemo-net.de
 19 web2.sys.ccs-baumann.de
To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-...
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-r...
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
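As an added example (not part of this survey or its tooling), the per-MX-host check that the partial-coverage, broken-record and missing-STARTTLS counts above imply, written as a self-monitoring routine: it flags hosts with no TLSA RRset (partial coverage), hosts that publish TLSA records but offer no STARTTLS, and hosts whose presented certificate matches no usable record. The DNS and STARTTLS lookups are assumed callables (tlsa_for, chain_for) so the check runs offline, and the DER walker is only the minimal parser needed to pull out the SPKI, not a full X.509 implementation.

```python
import hashlib
# Added example (not the survey's tooling). A TLSA record is modelled as
# (usage, selector, matching_type, association_data_hex); lookups are injected callables.

def _der_tlv(buf, pos=0):
    # Return (tag, value_start, value_end) of the DER element at pos.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_cert(cert_der):
    # SPKI (selector 1): 6th tbsCertificate field after the optional [0] version
    # (serial, sigalg, issuer, validity, subject, SPKI).
    _, pos, _ = _der_tlv(cert_der)                   # Certificate SEQUENCE
    _, pos, tbs_end = _der_tlv(cert_der, pos)        # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = _der_tlv(cert_der, pos)
        if tag != 0xA0:
            fields.append(cert_der[pos:end])
        pos = end
    return fields[5]

def tlsa_matches(record, chain):
    # chain[0] is the leaf: DANE-EE(3) matches it, DANE-TA(2) matches a presented issuer.
    usage, selector, mtype, data_hex = record
    candidates = {3: chain[:1], 2: chain[1:]}.get(usage, [])   # PKIX-* unused for SMTP
    digest = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}.get(mtype)
    if digest is None:                               # unknown matching type: unusable
        return False
    for cert in candidates:
        data = cert if selector == 0 else spki_from_cert(cert)
        if digest(data).hex() == data_hex.lower():
            return True
    return False

def audit_domain(mx_hosts, tlsa_for, chain_for):
    # Per MX host: 'no-tlsa' (partial coverage), 'no-starttls', 'mismatch' or 'ok'.
    # tlsa_for(mx): TLSA RRset at _25._tcp.<mx>; chain_for(mx): DER chain from STARTTLS, or None.
    def status(mx):
        records, chain = tlsa_for(mx), chain_for(mx)
        if not records:
            return "no-tlsa"
        if chain is None:
            return "no-starttls"
        return "ok" if any(tlsa_matches(r, chain) for r in records) else "mismatch"
    return {mx: status(mx) for mx in mx_hosts}
```

Any host reported as "mismatch" or "no-starttls" is exactly the outage case the survey counts, and "no-tlsa" on a secondary MX is the partial-coverage case; a monitor that runs this before and after every certificate or key rollover catches both.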
After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 1,357 (1,539 last month). The top 10 name server operators with problem domains are:
This Month                      Last month
----------                      ----------
 963 neostrada.nl               1131 neostrada.nl
  93 worldnic.com                 94 worldnic.com
  65 ebola.cz                     65 ebola.cz
  39 openprovider.nl              39 openprovider.nl
  14 sectigoweb.com               16 dnssrv.nl
  13 register.com                 15 sectigoweb.com
  12 dnssrv.nl                    13 register.com
   9 ispapi.net                   10 ispapi.net
   7 vultr.com                     8 resolver.domains
   7 resolver.domains              8 axc.nl
If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of existence appears in the last 120 days of Google transparency reports:
mailazy.net
-- Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records (which don't need to match anything, just need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency reports:
Viktor Dukhovni