Facebook published statistics on their outgoing SMTP traffic on 13 May. The picture is much better than we previously thought.
A few high points:
- 76% of the MX hosts Facebook delivered to support STARTTLS and correctly negotiated a secure connection
- 56% of outgoing email is encrypted with TLS
- of the encrypted email, over 98% used a cipher suite with Perfect Forward Secrecy (ephemeral Diffie-Hellman key exchange)
- only 25% of domains present a certificate that matches the hostname, chains to a trusted CA and is still within its validity period
- this drops to 6.6% when counted by unique MX hosts
- yet those hosts receive 59.6% of all mail, so the few hosts that validate serve many domains and most of the volume
- nearly 50% of email was transferred under RC4, a cipher whose keystream biases may let a purely passive attacker recover plaintext
- the same issue affects close to 20% of domains
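The three weightings in the list (per domain, per unique MX host, per message) can differ a lot because one MX host often serves many domains and most of the volume. The Python below is an added example, not Facebook's measurement code: it classifies a constructed set of delivery records the same way (STARTTLS support, PFS and RC4 from the negotiated cipher-suite name, certificate validity) and reports each figure under all three weightings. The `probe_mx` helper shows how one such record is collected live with `smtplib`, trying a strictly validated handshake before falling back to the unverified one that opportunistic senders use. All hostnames and message counts in `SAMPLE` are made up.

```python
"""Classify outgoing SMTP deliveries by host, domain and mail volume.

Added example, not Facebook's code. SAMPLE is constructed data, not a measurement.
"""
from __future__ import annotations

import smtplib
import ssl
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Delivery:
    domain: str           # recipient domain (right-hand side of the address)
    mx_host: str          # MX hostname the messages were handed to
    messages: int         # messages delivered over this domain -> host path
    starttls: bool        # STARTTLS advertised and the handshake completed
    cipher: str | None    # OpenSSL suite name negotiated, None if cleartext
    cert_valid: bool      # chained to a trusted CA, matched mx_host, not expired


def is_pfs(cipher: str | None) -> bool:
    """Ephemeral (EC)DH key exchange; every TLS 1.3 suite (TLS_*) is ephemeral."""
    return cipher is not None and cipher.startswith(("ECDHE-", "DHE-", "TLS_"))


def is_rc4(cipher: str | None) -> bool:
    return cipher is not None and "RC4" in cipher


def share(deliveries: list[Delivery], pred: Callable[[Delivery], bool], by: str) -> float:
    """Fraction satisfying pred, weighted by 'messages' or counted per unique
    'mx_host' / 'domain' (a unit counts only if every path to it satisfies pred)."""
    if by == "messages":
        total = sum(d.messages for d in deliveries)
        return sum(d.messages for d in deliveries if pred(d)) / total if total else 0.0
    groups: dict[str, list[Delivery]] = defaultdict(list)
    for d in deliveries:
        groups[getattr(d, by)].append(d)
    return sum(all(pred(d) for d in g) for g in groups.values()) / len(groups) if groups else 0.0


def summarize(deliveries: list[Delivery]) -> dict[str, float]:
    """The post's figures, each under the weighting the post used for it."""
    enc = [d for d in deliveries if d.starttls]
    return {
        "starttls_by_host": share(deliveries, lambda d: d.starttls, "mx_host"),
        "encrypted_by_mail": share(deliveries, lambda d: d.starttls, "messages"),
        "pfs_of_encrypted_by_mail": share(enc, lambda d: is_pfs(d.cipher), "messages"),
        "cert_valid_by_domain": share(deliveries, lambda d: d.cert_valid, "domain"),
        "cert_valid_by_host": share(deliveries, lambda d: d.cert_valid, "mx_host"),
        "cert_valid_by_mail": share(deliveries, lambda d: d.cert_valid, "messages"),
        "rc4_by_mail": share(deliveries, lambda d: is_rc4(d.cipher), "messages"),
        "rc4_by_domain": share(deliveries, lambda d: is_rc4(d.cipher), "domain"),
    }


# Constructed sample: one big provider hosting two domains on a single MX carries
# most of the mail; small self-hosted domains supply most of the bad configurations.
SAMPLE = [
    Delivery("bigmail.example", "mx.bigmail.example", 5000, True, "ECDHE-RSA-AES128-GCM-SHA256", True),
    Delivery("alsobig.example", "mx.bigmail.example", 3000, True, "ECDHE-RSA-AES128-GCM-SHA256", True),
    Delivery("corp-a.example", "mail.corp-a.example", 200, True, "DHE-RSA-AES256-SHA", False),
    Delivery("corp-b.example", "mail.corp-b.example", 150, True, "RC4-SHA", False),
    Delivery("corp-c.example", "mail.corp-c.example", 100, True, "ECDHE-RSA-RC4-SHA", True),
    Delivery("legacy.example", "smtp.legacy.example", 50, False, None, False),
    Delivery("small.example", "mx.small.example", 25, False, None, False),
]


def _starttls_cipher(mx_host: str, ctx: ssl.SSLContext, timeout: float) -> str | None:
    """One connection: EHLO, then STARTTLS under ctx. Returns the negotiated
    cipher name, or None when the server does not offer STARTTLS at all."""
    with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None
        smtp.starttls(context=ctx)      # raises ssl.SSLError if validation fails
        return smtp.sock.cipher()[0]    # e.g. 'ECDHE-RSA-AES128-GCM-SHA256'


def probe_mx(mx_host: str, timeout: float = 10.0) -> dict:
    """Live check of one MX host (needs network; not used by SAMPLE above).
    A failed strict handshake leaves the server waiting for a ClientHello, so the
    opportunistic retry must be a fresh connection, not a second STARTTLS."""
    try:
        cipher = _starttls_cipher(mx_host, ssl.create_default_context(), timeout)
        return {"starttls": cipher is not None, "cipher": cipher, "cert_valid": cipher is not None}
    except ssl.SSLError:
        lax = ssl.create_default_context()
        lax.check_hostname = False
        lax.verify_mode = ssl.CERT_NONE
        cipher = _starttls_cipher(mx_host, lax, timeout)
        return {"starttls": cipher is not None, "cipher": cipher, "cert_valid": False}


if __name__ == "__main__":
    for name, value in summarize(SAMPLE).items():
        print(f"{name:28s} {value:6.1%}")
```

On the sample data the certificate figure comes out lowest per host, higher per domain and highest per message, the same ordering as in Facebook's numbers: a handful of well-run hosts carry the bulk of both domains and mail. Note that current OpenSSL builds no longer offer RC4 by default, so `probe_mx` on a modern system will not reproduce the RC4 share the post reports.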
In summary, it looks like we are well on the way to strict certificate checking in SMTP using DANE.