I just added a CAA record for letsencrypt.org to my DNS. So now I have SPF, DKIM, DMARC, DNSSEC, and CAA as security entries for phasedoor.com. That’s probably also the order of most common to least common among the various domains from what I gather. It’s a little surprising they’re not all very commonly used in 2022. Checking Qualys it looks like 12.8% are using CAA records as of July 2. DNSSEC is more complex to implement, but according to APNIC it looks like its adoption rate is between 30 and 40% worldwide currently.

I tried to look up the adoption rates for the other records. One of these seemed fishy.

That DKIM stat looked suspiciously low. I looked at the list of sites that builtwith had gathered and chose to look at the TXT records for manage.com (easy to type).

dig manage.com TXT +noall +answer

manage.com.             173     IN      TXT     "v=spf1 mx ptr ip4:208.70.150.184/29 include:_spf.google.com include:mktomail.com include:spf.mandrillapp.com"
manage.com.             173     IN      TXT     "v=DKIM1; k=rsa; p=MIGfMA..."

Yeah, that’s not configured right. The second entry containing v=DKIM1; should live at selector._domainkey.manage.com, not at the apex manage.com. A receiving server only ever queries <selector>._domainkey.<domain>, and the selector comes from the s= tag of the DKIM-Signature header on a signed message, so there’s not really a way to know what that selector is without getting an email from the domain. manage.com may well have DKIM configured correctly under a selector name, but builtwith only knows about this stray TXT record at the apex, which no verifier will ever consult.

I’m going to assume DKIM adoption is probably about the same rate as DMARC. While you can set up DMARC with SPF alone, SPF breaks when a recipient forwards your mail (the forwarder’s server isn’t listed in your SPF record), so under a p=reject or p=quarantine policy those forwarded messages fail DMARC and get rejected or dumped in spam. A DKIM signature survives forwarding as long as the message isn’t modified in transit. Most zone admins that implement DMARC probably realize this and would likely implement DKIM too.
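To make the two points above concrete (where a DKIM record has to live, and why DMARC without DKIM fails on forwarded mail), here is a small added Python example. It is not the author’s code and uses no real DNS data: the zone, the domain example.com, the selector s1, and the DKIM-Signature header are all constructed for the example. It derives the record name a verifier would query from a DKIM-Signature header, audits a zone for the stray-apex-DKIM pattern seen at manage.com, and models the DMARC outcome for a forwarded message with and without a DKIM signature.

```python
"""Added example for this post: DKIM record placement and DMARC-after-forwarding.
The zone, domain, selector and header below are constructed, not real data."""

# Constructed TXT records for a hypothetical zone, keyed by owner name.
# The apex carries SPF plus a stray v=DKIM1 record (the manage.com pattern);
# the DKIM key a verifier actually queries lives at s1._domainkey.
ZONE_TXT = {
    "example.com.": [
        "v=spf1 mx ip4:192.0.2.0/29 include:_spf.example.net -all",
        "v=DKIM1; k=rsa; p=MIGfMA...",   # wrong owner name: never looked up
    ],
    "s1._domainkey.example.com.": [
        "v=DKIM1; k=rsa; p=MIGfMA...",
    ],
    "_dmarc.example.com.": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    ],
}

# Constructed DKIM-Signature header: d= is the signing domain, s= the selector.
DKIM_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1; "
            "h=from:to:subject; bh=...; b=...")


def parse_tags(value):
    """Split a DKIM/DMARC style 'tag=value; tag=value' string into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


def dkim_record_name(dkim_signature_header):
    """Owner name a verifier queries for the public key: <s>._domainkey.<d>.
    This is why the selector is only discoverable from a signed message."""
    tags = parse_tags(dkim_signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}."


def audit_zone(zone, domain):
    """Return findings about SPF/DKIM/DMARC placement for one domain."""
    findings = []
    apex = f"{domain}."
    apex_txt = zone.get(apex, [])
    if any(r.startswith("v=DKIM1") for r in apex_txt):
        findings.append("misplaced DKIM record at apex (never looked up)")
    if not any(r.startswith("v=spf1") for r in apex_txt):
        findings.append("no SPF record at apex")
    if not any(r.startswith("v=DMARC1") for r in zone.get(f"_dmarc.{apex}", [])):
        findings.append("no DMARC record")
    selectors = [n for n, recs in zone.items()
                 if n.endswith(f"._domainkey.{apex}")
                 and any(r.startswith("v=DKIM1") for r in recs)]
    if not selectors:
        findings.append("no DKIM selector records")
    return findings


def dmarc_result(spf_pass, dkim_pass):
    """DMARC passes when at least one aligned mechanism passes (RFC 7489).
    Alignment is assumed here: both checks use the From: domain."""
    return "pass" if (spf_pass or dkim_pass) else "fail"


def forwarded_mail_outcome(sender_signs_dkim):
    """Model a message relayed by a forwarder that leaves headers and body
    intact. SPF fails because the forwarder's IP is not in the sender's SPF
    record; a DKIM signature, if present, still verifies."""
    spf_pass = False
    dkim_pass = sender_signs_dkim
    return dmarc_result(spf_pass, dkim_pass)


if __name__ == "__main__":
    print("verifier queries:", dkim_record_name(DKIM_SIG))
    print("present in zone:", dkim_record_name(DKIM_SIG) in ZONE_TXT)
    print("findings:", audit_zone(ZONE_TXT, "example.com"))
    print("forwarded, DKIM signed:", forwarded_mail_outcome(True))
    print("forwarded, SPF only:   ", forwarded_mail_outcome(False))
```

The audit only recognises the three record types by their v= prefix, which is enough to catch the manage.com mistake; it does not validate SPF syntax or DKIM key material, and real DMARC evaluation also requires the SPF or DKIM domain to align with the From: header, which is assumed here.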
