At this point, for mail sending, Gmail does not support DANE, though we do support STS and TLSRPT. I imagine DANE is somewhere on their TODO list, but couldn't give any time frame for that.
It is supported by a bunch of European ISPs, as well as Comcast.
More generally, in Europe several countries (usually the same that have been pushing the adoption of DNSSEC) are now pushing the adoption of DANE for email, to increase email transport security. Some governments have added DANE to the technologies recommended or required for network security. Some European ccTLDs even give you a discount on registrations if you deploy DNSSEC and DANE on the domain.
Viktor Dukhovni, one of the authors of the RFCs, maintains stats; this is the last one, which also gives you an idea of the geographical distribution:
> As of today I count 1,185,097 domains with correct SMTP DANE TLSA
> records at every primary MX host that accepts connections[1]. As
> expected, the bulk of the DANE domains are hosted by the DNS/email
> hosting providers who've enabled DANE support for the customer
> domains they host. The top 20 MX host providers by domain count
> are:
>
> 710477 one.com
> 126697 transip.nl
> 97776 domeneshop.no
> 36407 active24.com
> 32344 vevida.com
> 27345 web4u.cz
> 24153 udmedia.de
> 15734 flexfilter.nl
> 13127 zxcs.nl
> 13003 onebit.cz
> 11082 bhosted.nl
> 6024 netzone.ch
> 5644 previder.nl
> 3768 ips.nl
> 3393 interconnect.nl
> 2574 provalue.nl
> 2277 nederhost.nl
> 1694 nmugroup.com
> 1573 yourdomainprovider.net
> 1322 hi7.de
This is a list of email hosters by domain count, but in terms of email providers, the three big ones supporting DANE are Comcast, GMX and Web.de. It would be nice if Gmail deployed it, and given their leadership in promoting email transport encryption it is really hard to understand why they haven't, so I'm happy to read that at least it's in their roadmap.
Anyway, at least turning on DANE validation on outgoing email, as a courtesy to the destination domains that bothered to set up the TLSA records and tell the world that they do not want to receive email in the clear any more, should be done by everyone as far as possible. It is supported by most MTAs now; it just requires a configuration change and a DNSSEC-validating resolver.
--
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bert...@open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
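
As an added illustration of the "configuration change and a DNSSEC-validating resolver" mentioned in the message above (not part of the original post): this check assumes Postfix as the MTA, whose `smtp_dns_support_level` and `smtp_tls_security_level` parameters turn on outbound DANE, and it treats a loopback nameserver as the local validating resolver. The function names and sample file contents are constructed for the example.

```python
import ipaddress

def parse_main_cf(text):
    """Parse Postfix main.cf text into a dict; the last assignment wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:   # continuation of previous value
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def audit_outbound_dane(main_cf, resolv_conf):
    """Return a list of findings; an empty list means nothing blocks DANE."""
    p = parse_main_cf(main_cf)
    findings = []
    if p.get("smtp_dns_support_level") != "dnssec":
        findings.append("smtp_dns_support_level is not dnssec: no TLSA lookups")
    if p.get("smtp_tls_security_level") not in ("dane", "dane-only"):
        findings.append("smtp_tls_security_level is not dane or dane-only")
    servers = [f[1] for f in (l.split() for l in resolv_conf.splitlines())
               if len(f) >= 2 and f[0] == "nameserver"]
    if not servers:
        findings.append("no nameserver configured")
    for ns in servers:
        try:
            local = ipaddress.ip_address(ns).is_loopback
        except ValueError:
            local = False
        if not local:
            # Postfix trusts the resolver's AD bit, so a remote resolver
            # reached over an unprotected network path undermines DNSSEC.
            findings.append(f"nameserver {ns} is not loopback")
    return findings

# Constructed sample files (not taken from any real host).
WEAK_MAIN_CF = "# opportunistic TLS only\nsmtp_tls_security_level = may\n"
WEAK_RESOLV = "nameserver 192.0.2.53\n"
GOOD_MAIN_CF = "smtp_dns_support_level = dnssec\nsmtp_tls_security_level = dane\n"
GOOD_RESOLV = "search example.net\nnameserver 127.0.0.1\n"

if __name__ == "__main__":
    for finding in audit_outbound_dane(WEAK_MAIN_CF, WEAK_RESOLV):
        print("FINDING:", finding)
    print("good config findings:", audit_outbound_dane(GOOD_MAIN_CF, GOOD_RESOLV))
```

A loopback nameserver only shows where queries go; whether that resolver actually validates DNSSEC still has to be confirmed on the resolver itself.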