On Sat, Jul 04, 2020 at 05:45:18PM -0400, Viktor Dukhovni wrote:

> On Sat, Jul 04, 2020 at 04:35:01PM -0400, Matt Corallo wrote:
>
> > Right, I figured they were from your stats, but figured I'd ask since
> > I never saw any MTA-STS data on your site :)
>
> We don't presently track MTA-STS numbers. They're easy enough to collect
> on an ad-hoc basis. Speaking of which, looking beyond the existence of
> the DNS TXT record, fetching the actual policy URLs (slowly, serially),
> I see that many are not yet in "enforce" mode. Out of the policies
> retrieved so far:
>
>     643 enforce
>     518 testing
>       1 none

With all 2050 checked, only 1843 actually serve a policy at the
associated well-known URL (leaving 243 with no working HTTPS access to
the policy file). Of the 1843 that are reachable the policy frequencies
are:

    1005 enforce
     837 testing
       1 none

Of the 1005 with reachable "enforce" policies, 31 send or receive enough
mail to appear in Google's email transparency reports.

    clubedohardware.com.br
    protonmail.ch
    altospam.com
    anubisnetworks.com
    comeseetv.com
    gmx.com
    mail.com
    metafaq.com
    protonmail.com
    startmail.com
    xfinity.com
    mail.de
    mensa.de
    posteo.de
    tu-chemnitz.de
    web.de
    comcast.net
    gmx.net
    riseup.net
    belastingdienst.nl
    hr.nl
    hro.nl
    kingsquare.nl
    mm1.nl
    domeneshop.no
    aegee.org
    mailbox.org
    samba.org
    handelsbanken.se
    salford.gov.uk
    govtrack.us

For most senders, these are the only domains you're likely to run into
that do both DANE and MTA-STS.

Another approach you might take is to only do MTA-STS for a small number
of MTA-STS-only domains. Mostly just gmail.com, since both yahoo.com
and outlook.com are presently "testing", but perhaps a few others that
you happen to correspond with.

-- 
    Viktor.
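
The per-mode tally described in the message above, as an added example that is not part of the original email or the author's own tooling: it parses policy bodies according to RFC 8461 and counts enforce/testing/none alongside unreachable and invalid results. The names `parse_policy`, `tally` and `SAMPLE` are hypothetical, the sample bodies and `.example` domains are constructed, and the HTTPS fetch is assumed to have happened already.

```python
from collections import Counter

MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds

def parse_policy(text):
    """Parse an MTA-STS policy body; raise ValueError if it is unusable."""
    fields, mx = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        if key.strip() == "mx":
            mx.append(value.strip().lower())
        else:
            fields.setdefault(key.strip(), value.strip())  # first one wins
    if fields.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    if fields.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    max_age = fields.get("max_age", "")
    if not (max_age.isascii() and max_age.isdigit()) or int(max_age) > MAX_AGE_LIMIT:
        raise ValueError("invalid max_age")
    if fields["mode"] != "none" and not mx:
        raise ValueError("active policy lists no mx patterns")
    return {"mode": fields["mode"], "max_age": int(max_age), "mx": mx}

def tally(fetched):
    """Count modes over {domain: policy body, or None when the fetch failed}."""
    counts = Counter()
    for body in fetched.values():
        try:
            key = "unreachable" if body is None else parse_policy(body)["mode"]
        except ValueError:
            key = "invalid"
        counts[key] += 1
    return counts

# Constructed bodies, as if fetched from https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE = {
    "a.example": "version: STSv1\r\nmode: enforce\r\nmx: mx.a.example\r\nmax_age: 604800\r\n",
    "b.example": "version: STSv1\nmode: testing\nmx: *.b.example\nmax_age: 86400\n",
    "c.example": "version: STSv1\nmode: none\nmax_age: 86400\n",
    "d.example": "<html>404 Not Found</html>",
    "e.example": None,
}
```

A body that is served over HTTPS but does not parse (the `d.example` case) is counted separately from a failed fetch, since both leave a sender without a usable policy for different reasons.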