opportunistic encryption

Google e-mail SMTP encryption stats

Google has joined Facebook among companies that publish their stats about SMTP connections.

The nice thing about Google data is that you can check statistics about specific email provider or domain.

Opportunistic encryption in SMTP is here (mostly)

Facebook published their outgoing SMTP stats on 13th of May. The situation is much better than what we previously thought.

Few high points:

  • 76% of hosts that Facebook contacted to send email support STARTTLS and correctly negotiated secure connection
  • 56% of outgoing email gets encrypted using TLS
  • out of encrypted email, over 98% used Perfect Forward Secrecy

The bad:

  • only 25% of domains have matching, trusted and still valid certificates
  • this falls down to 6.6% for unique MX hosts
  • and includes 59.6% of all mail
  • nearly 50% of email was transferred using the possibly passively-crackable RC4 cipher
  • the same issue affects close to 20% of domains

In summary, it looks like we are on very good road for strict certificate checking using DANE in SMTP.