Re: [ietf-smtp] DANE penetration for MTA/MTA interactions

2021-03-24 16:12:52
On Wed, Mar 24, 2021 at 09:50:15AM -0700, Dave Crocker wrote:

> DANE has been around for a long time.  I'm curious how much actual use
> it gets for email transport.

I think "long time" is an overstatement, because even with the
specification published in October 2015, it took some years for
implementations in Postfix, Exim, etc. to be shipped, and integrated
into stable OS releases.  It then takes some more years for users to
upgrade to these OS releases, and to choose to enable DANE, which is not
presently enabled by default.

So we're still in the early adoption stages.  It takes a decade or two
for infrastructure technologies to make major transitions.

> There is still a non-trivial fraction of MTAs that don't even do

See the table at the bottom of the page, showing mostly cleartext
traffic to Gmail from,,, ...

> Is there any sort of subjective or objective assessment of percent of
> sites or traffic using it?

> Not just DANE records published, but DANE /use/.

At this point, I rather expect that there's still a lot of variability
by user demographics.  In Northern Europe there are likely users for
whom a non-trivial fraction of their correspondents are on systems with
bidirectional DANE.

Some of the folks to ask would be,,,, and, who I believe all have DANE enabled in
both directions, and should have some stats on outbound numbers from a
geographic region where there's more than one provider doing DANE.

In the USA, since the only major provider with DANE is Comcast, users
communicating with non-Comcast correspondents (who are not mostly
posting on IETF lists, ...) are not likely to run into much DANE
support at present.

We're still in the early ramp up phase, with DNSSEC enabled for just
2.28% of .COM vs. 56.1% of .NL.  That said, growth is picking up, and
there are some indications that some large players in the USA might
soon start signing at a much greater rate than before.

So taking the long view, I see the current 2.56 million DANE-enabled
domains as good progress to date, representing almost 18% of the 14.4
million DNSSEC-signed domains.

My personal MTA has logged 131 DANE-verified connections out of 511
that used STARTTLS, but this is of course not surprising:




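What an MTA actually checks before it can log a connection as "DANE verified", as an added example that is not part of the original message or thread: it takes the TLSA RRset for the MX host (in DNS presentation form), discards the parameter combinations RFC 7672 declares unusable for SMTP (PKIX-TA/PKIX-EE), and matches the remaining DANE-TA(2)/DANE-EE(3) records against the certificate chain the server presented. The certificate and SubjectPublicKeyInfo byte strings below are constructed stand-ins for real DER encodings, and the signature-path check from the leaf to a matched trust anchor (plus the name check that applies to DANE-TA) is assumed to be done by the TLS library rather than here.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Certificate usages from RFC 6698. RFC 7672 (DANE for SMTP) has MTAs use
# only DANE-TA(2) and DANE-EE(3); PKIX-TA(0)/PKIX-EE(1) would need a CA
# trust store the MTA is not assumed to have, so they are "unusable".
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
SEL_CERT, SEL_SPKI = 0, 1                         # selector: full cert vs SPKI
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2  # matching type


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation form, e.g. "3 1 1 <hex digest>"."""
    fields = rdata.split(None, 3)
    if len(fields) != 4:
        raise ValueError(f"malformed TLSA rdata: {rdata!r}")
    usage, selector, mtype = (int(f) for f in fields[:3])
    data = bytes.fromhex("".join(fields[3].split()))  # hex may be line-wrapped
    expected = {MATCH_SHA256: 32, MATCH_SHA512: 64}.get(mtype)
    if expected is not None and len(data) != expected:
        raise ValueError(f"matching type {mtype} needs {expected} bytes, got {len(data)}")
    return TLSA(usage, selector, mtype, data)


def usable_for_smtp(t: TLSA) -> bool:
    """RFC 7672 section 3.1: only these parameter combinations count."""
    return (t.usage in (DANE_TA, DANE_EE)
            and t.selector in (SEL_CERT, SEL_SPKI)
            and t.mtype in (MATCH_FULL, MATCH_SHA256, MATCH_SHA512))


def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """The bytes a TLSA record's data field must equal for this certificate."""
    selected = cert_der if selector == SEL_CERT else spki_der
    if mtype == MATCH_FULL:
        return selected
    if mtype == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def dane_verify(rrset, chain):
    """Return the first usable TLSA record the server chain matches, else None.

    chain is a list of (cert_der, spki_der) pairs, leaf first.
    DANE-EE(3) must match the leaf itself; per RFC 7672 section 3.1.1 no
    name or expiry check applies to a DANE-EE match.  DANE-TA(2) must match
    an issuer certificate in the chain; verifying the signature path from
    the leaf to that anchor, and the name check, is left to the TLS library.
    """
    for t in rrset:
        if not usable_for_smtp(t):
            continue
        candidates = chain[:1] if t.usage == DANE_EE else chain[1:]
        for cert_der, spki_der in candidates:
            want = association_data(t.selector, t.mtype, cert_der, spki_der)
            if hmac.compare_digest(want, t.data):
                return t
    return None


def tlsa_presentation(usage, selector, mtype, cert_der, spki_der) -> str:
    """Render the record a zone operator would publish for this certificate."""
    digest = association_data(selector, mtype, cert_der, spki_der).hex()
    return f"{usage} {selector} {mtype} {digest}"


# Constructed stand-ins for DER encodings (not real X.509 data).
LEAF_CERT = b"constructed leaf certificate DER"
LEAF_SPKI = b"constructed leaf SubjectPublicKeyInfo DER"
ISSUER_CERT = b"constructed issuer certificate DER"
ISSUER_SPKI = b"constructed issuer SubjectPublicKeyInfo DER"
CHAIN = [(LEAF_CERT, LEAF_SPKI), (ISSUER_CERT, ISSUER_SPKI)]


if __name__ == "__main__":
    rrset = [
        parse_tlsa(tlsa_presentation(DANE_EE, SEL_SPKI, MATCH_SHA256, LEAF_CERT, LEAF_SPKI)),
        parse_tlsa(tlsa_presentation(DANE_TA, SEL_CERT, MATCH_SHA512, ISSUER_CERT, ISSUER_SPKI)),
    ]
    print("verified by:", dane_verify(rrset, CHAIN))
```

The "3 1 1" form (DANE-EE, SPKI, SHA-256) is the one most operators publish because it survives certificate renewal as long as the key is kept; the rotated-key case in the checks below shows why a key change without a matching TLSA update turns a previously verified peer into a delivery failure rather than a silent downgrade.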