Month two of measuring DMARC, MTA-STS, DANE, and BIMI across the top 1M domains. DANE adoption fell, and it came down to a single provider.
Last month I posted the baseline for this: a monthly measurement of how the top million domains actually deploy the four standards-track email-security protocols, DMARC, MTA-STS, DANE-for-SMTP, and BIMI. This is month two, so for the first time there are month-over-month deltas. I expected the change to be the interesting part. It was, in a way I didn't predict.
DANE was the only one of the four that went down. And it wasn't operators giving up on it. One provider, Migadu, removed the TLSA records for its entire customer fleet sometime in June. Around 500 domains that had DANE in June don't in July, still pointing at the same Migadu MX hosts, just with the TLSA records gone. Nobody on those domains touched a thing, and I doubt most of them know. Take Migadu out of the numbers and DANE grew like the rest.
That turned out to be the theme of the whole month: email security moves in provider-sized blocks, not one domain at a time. ALDI Süd switched on MTA-STS for eleven of its country domains in what was clearly one change. Of the 488 domains that gained DANE, 466 got it just by moving to a mail host that publishes it by default, mostly Cloudflare Email Routing. My favorite piece of that: about 60 of those domains are low-effort throwaways that clearly never gave email security a thought, and they picked up DANE the moment they switched hosts. The provider decided, not them.
The month-over-month changes, counting only domains present in both months (more on why in a second):
DMARC valid records: +2,282, and domains tightening their policy outnumbered those loosening it 2,488 to 567
DANE: down 249 as measured, but +258 once you remove the Migadu deletions
BIMI: +346
MTA-STS valid policy: +163, with 76 domains graduating from testing to enforce against 10 going the other way
On method, because the obvious objection to a monthly top-1M study is that the list itself churns: it does, about a quarter of it turns over every month. So I only compare domains that appear in both months. I also checked whether "leaving the list" means a domain actually changed something, and it doesn't. 48,000 domains dropped off the list in June and came back in July, and 98.5% of them had the exact same mail provider across the gap. Leaving the top 1M is a popularity-ranking dip, not a provider migration. Everything else from last month still holds: unfiltered resolvers only, a second resolver in a different region has to agree before anything is recorded, and the run is paced so we never throttle anyone.
One number I keep chewing on. If the current pace held, DMARC would reach nearly every domain by the early 2030s, while the two protocols that actually secure the connection between mail servers, MTA-STS and DANE, stay on a track that runs into the 2040s and beyond. Authenticating who sent the mail is on its way to universal. Protecting how it travels is more than a decade behind it. Real adoption curves flatten near the top so I wouldn't bet on the exact years, but the gap between the two is the thing worth watching.
Happy to get into the method, that's usually where these threads go. I run an email infrastructure company and this is our own research.