Growth of DANE security for mail slows down

Netherlands leads the way on DANE adoption


Over the last three years, the use of DANE for mail has taken off. The main driver has been the addition of support for the security protocol to the leading mail server software packages. This year, however, we've observed a worrying slowdown in the rate of growth. Because of our pioneering work with DNSSEC – which must be enabled for DANE to function – the .nl and other domain names hosted by Dutch service providers account for the majority of DANE-secured mail domains. And, with nearly 700,000 DANE-secured domains, the .nl zone is the world's number one TLD for DANE support.

| Number of domain names | Hosting provider |
|---|---|
| 1,219,025 | one.com |
| 152,732 | TransIP |
| 150,806 | Argeweb |
| 148,860 | Infomaniak |
| 117,833 | Hostpoint |

Table 1: Top five hosting providers for DANE-enabled domain names. Source: Viktor Dukhovni, September 2021.

| Number of domain names | Top-level domain |
|---|---|
| 699,702 | .nl |
| 410,927 | .com |
| 331,972 | .se |
| 228,733 | .dk |
| 137,370 | .no |
| 133,715 | .be |
| 132,688 | .de |
| 126,812 | .cz |
| 95,068 | .ch |
| 78,216 | .eu |
| 75,666 | .uk |
| 39,681 | .net |

Table 2: Top twelve top-level domains for DANE-enabled domain names. Source: Viktor Dukhovni, August 2021.

Latest statistics

According to the latest statistics on DNSSEC-Tools, 2.8 million mail domains are currently DANE-enabled (as of September 2021). That's roughly 17 per cent of the 16.2 million domains with DNSSEC-signed MX records – significantly up on the 11.5 per cent of two years ago. Increasing use is clearly being made of previous investments in DNSSEC.

Graphs (DNSSEC-Tools, 9 September 2021): domains with DANE for mail; domains with DS records.

Although our own DANE statistics for the .nl zone are compiled in a slightly different way than the DNSSEC-Tools data, they tell a similar story: that growth has plateaued (and even turned into a slight decline).

Line graph showing the evolution of the number of .nl domain names with DANE configured for email

Rapid slowdown in growth

We had previously seen exponential growth in the number of DANE-secured mail domains, accompanied by a linear increase in the number of domains that published DANE (TLSA) records for their own MX gateways. That suggests that the growth was mainly down to big mail service providers bulk-enabling DANE on the domains they hosted. However, the growth of those numbers has also tailed off rapidly over the last year.

Graph (DNSSEC-Tools, 9 September 2021): zones with DANE.
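The difference between counting DANE-secured mail domains and counting MX gateways that publish TLSA records can be made concrete with a small classifier. This is an added example, not code from SIDN or DNSSEC-Tools: the domain names and lookup results are constructed, and treating a domain as DANE-enabled only when its MX RRset is DNSSEC-validated and every MX host has a validated TLSA RRset at `_25._tcp.<mx host>` is an assumption made for illustration, not the surveys' documented method.

```python
from collections import Counter

# Constructed sample of validating-resolver results (not real survey data).
# domain -> (MX RRset DNSSEC-validated?, [MX hosts])
MX = {
    "shop-a.example": (True, ["mx1.bigprovider.example"]),
    "shop-b.example": (True, ["mx1.bigprovider.example", "mx2.bigprovider.example"]),
    "shop-c.example": (True, ["mx1.bigprovider.example"]),
    "selfhosted.example": (True, ["mail.selfhosted.example"]),
    "unsigned.example": (False, ["mx1.bigprovider.example"]),
    "partial.example": (True, ["mx1.bigprovider.example", "mx.nodane.example"]),
    "signed-nodane.example": (True, ["mx.nodane.example"]),
}
# TLSA owner name -> DNSSEC-validated TLSA RRset present?
TLSA = {
    "_25._tcp.mx1.bigprovider.example": True,
    "_25._tcp.mx2.bigprovider.example": True,
    "_25._tcp.mail.selfhosted.example": True,
    "_25._tcp.mx.nodane.example": False,
}

def tlsa_name(mx_host, port=25):
    """Owner name of the TLSA RRset for an SMTP server (RFC 7672)."""
    return f"_{port}._tcp.{mx_host.rstrip('.').lower()}"

def classify(domain):
    """Return 'insecure-mx', 'no-dane', 'partial' or 'dane' for one mail domain."""
    secure, hosts = MX[domain]
    if not secure:            # unsigned MX: a sender cannot trust the MX names
        return "insecure-mx"
    covered = [h for h in hosts if TLSA.get(tlsa_name(h), False)]
    if hosts and len(covered) == len(hosts):
        return "dane"
    return "partial" if covered else "no-dane"

def survey():
    """Count DANE domains versus the MX hosts that actually publish TLSA."""
    status = {d: classify(d) for d in MX}
    signed = [d for d, s in status.items() if s != "insecure-mx"]
    dane = [d for d in signed if status[d] == "dane"]
    per_host = Counter(h for d in dane for h in MX[d][1])
    return {"signed_mx": len(signed), "dane": len(dane),
            "share": len(dane) / len(signed),
            "tlsa_hosts": len(per_host), "domains_per_host": per_host}

if __name__ == "__main__":
    print(survey())
```

In the constructed data, one provider's gateway accounts for three of the four DANE domains, which is the bulk-enabling pattern the paragraph above describes; the `partial` case is worth flagging in any real audit because a sender may still deliver to the MX host that has no TLSA record.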

Possible causes

One possible explanation for the phenomena described above is that the big mail service providers have now enabled DANE on their MX gateways, while smaller operators have difficulty implementing DANE. Although we offer financial incentives to all .nl registrars that adopt DANE for mail, the economic case for adoption is strongest for those with large domain name portfolios. Another possibility is that the pandemic has affected uptake of DANE. For many organisations, the priority was suddenly making business networks accessible to people working from home. Less personal contact may also have led to fewer new projects getting off the ground.

Help with DANE and DNSSEC implementation

For anyone interested in securing mail domains with DANE, we've published detailed advice on configuring DANE for both Postfix and Exim. If you need to set up DNSSEC first, we also provide a series of hands-on articles for the most popular DNS servers.