> On Apr 11, 2018, at 11:40 AM, ned+ietf@xxxxxxxxxxxxxxxxx wrote:
>
>> For reference, the XMPP community has a high penetration of DANE records
>> (around 10% of the self-selected group who test their servers through
>> community tooling) and a very high penetration of CA-signed certificates
>> (mostly Let's Encrypt).
>
> There's no comparable uptake of DANE in email and IMO there's little if
> any prospect of that changing in the immediate future.

There are at least 205,000 domains whose MX hosts have TLSA records.
I expect around another 300k domains (hosted by a provider that's in
the process of adding support) in the next month or two. Among the
existing adopters are:

  * web.de / gmx.de with millions of users
  * comcast.net with millions of users
  * posteo.de and mailbox.org with customers who want email security
  * domeneshop.no and transip.nl hosting over ~150k customer domains.

Postfix and Exim have DANE support as do MailChannels and Halon.
Cisco just announced DANE support in the Beta of the next release
of SMTP for their SMTP gateway (formerly IronPort).

So if your "immediate future" horizon is ~6 months, then sure,
adoption will remain light on *that* timescale, but there's a
good chance of much broader support in 2019/2020, perhaps even
by more of the same providers behind STS.

--
Viktor.