Summary: The total domain count is now 185948. Approximately 6500 of the ~10000 new domains result from processing a new source for some additional .no and .nl domain names.
The number of DNSSEC domains in the survey stands at 5382667, thus DANE TLSA is deployed on 3.45% of domains with DNSSEC. Many DNSSEC domains use third-party MX hosts that don't have DNSSEC, so they can't benefit from DANE until their providers secure the MX hosts. Please ask your provider to enable DNSSEC and DANE on their MX hosts. [ It would be especially significant if "redirect.ovh.net" were to implement DNSSEC+DANE. If someone personally knows the right people to gently nudge at ovh.net, please do. ]
As of today I count 185948 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected the bulk of the DANE domains are hosted by the handful of DNS/hosting providers who've enabled DANE support in bulk for the domains they host. The top 10 MX host providers by domain count are:
  73807 domeneshop.no
  65101 transip.nl
  19168 udmedia.de
   6177 bhosted.nl
   1807 nederhost.nl
   1228 yourdomainprovider.net
    867 ec-elements.com
    748 surfmailfilter.nl
    542 core-networks.de
    438 omc-mail.de
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.nl/.de. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 10 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented):
  1289 DE, Germany
   830 US, United States
   457 NL, Netherlands
   338 FR, France
   164 GB, United Kingdom
   109 CZ, Czech Republic
    80 CA, Canada
    59 SE, Sweden
    58 CH, Switzerland
    50 BR, Brazil
IPv6 is still comparatively rare for MX hosts, and the top 10 countries by DANE MX host IPv6 GeoIP are (same top 6 as for IPv4):
   710 DE, Germany
   407 US, United States
   255 NL, Netherlands
   195 FR, France
   102 GB, United Kingdom
    58 CZ, Czech Republic
    33 SE, Sweden
    25 CH, Switzerland
    23 SG, Singapore
    14 SI, Slovenia
There are 3372 unique zones in which the underlying MX hosts are found; this counts each of the above providers as just one zone, so it is a measure of the breadth of adoption in terms of servers deployed.
The number of published MX host TLSA RRsets found is 4544. These cover 4834 distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs). [ Previous reports inadvertently included some "orphan" MX hosts in the database that are no longer tied to any domains; these are no longer reported, so the numbers are somewhat smaller this month. Without the correction, the numbers would have been 5485 and 5795. ]
The number of domains that at some point were listed in Gmail's email transparency report is 131 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 72 are in recent reports:
Of the ~186000 domains, 1500 have "partial" TLSA records that cover only a subset of the MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 202. Some of these also have MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. Below is the list of underlying MX hosts that serve these domains and whose TLSA records don't match reality:
Hall of Shame:
Please make sure to monitor the validity of your TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
http://imrryr.org/~viktor/ICANN61-viktor.pdf
http://imrryr.org/~viktor/icann61-viktor.mp3
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email of any kind, the number of "real" email domains with bad DNSSEC support stands at 104. The top 10 name server operators with problem domains are:
   8 psb1.org
   7 tse.jus.br
   7 active24.cz
   6 tiscomhosting.nl
   5 nazwa.pl
   5 metaregistrar.nl
   4 ignum.com
   4 glbns.com
   4 army.mil
   4 1cocomo.com
Only one domain, all of whose nameservers have broken denial of existence, appears in historical Google reports:
http://dnsviz.net/d/_25._tcp.mx1.harsh.monkeybrains.net/WsEoNQ/dnssec/
http://dnsviz.net/d/_25._tcp.mx2.harsh.monkeybrains.net/WsEiKA/dnssec/
The monkeybrains.net SOA record is likely modified *after* the zone is signed, making negative replies "bogus".
Viktor Dukhovni