While I already linked to the Qualys scanner of SSL servers, it is actually limited to HTTPS servers only.
Facebook published their outgoing SMTP stats on the 13th of May. The situation is much better than we previously thought.
A few high points:
- 76% of hosts that Facebook contacted to send email support STARTTLS and correctly negotiated a secure connection
- 56% of outgoing email gets encrypted using TLS
- out of encrypted email, over 98% used Perfect Forward Secrecy
- only 25% of domains have matching, trusted and still valid certificates
- this falls down to 6.6% for unique MX hosts
- and includes 59.6% of all mail
- nearly 50% of email was transferred using the possibly passively-crackable RC4 cipher
- the same issue affects close to 20% of domains
In summary, it looks like we are on a very good road toward strict certificate checking using DANE in SMTP.