NZ Domains SecMX TLS capability report
A report on the number of TLS (Transport Layer Security) capable mail servers within New Zealand.
Introduction
As part of SecMX, the E-government project team wanted to establish a baseline for the number of TLS (Transport Layer Security) enabled mail servers. Given that the first aim of SecMX is to increase the number of TLS enabled mail exchangers (also known as “MX”s), monitoring this value for a given set of domains would show the long-term success (or otherwise) of SecMX within New Zealand.
From the outset it was important to consider the New Zealand domain space as a whole, but also to consider the ISPs separately. This is because each ISP is highly likely to host more than one domain and a single ISP enabling TLS could affect a large number of the domains and therefore the overall results.
Setup
The team first obtained a subset list of New Zealand domains from our own organisation's MX (Mail eXchanger). The team assumed this list was representative of the New Zealand domain space because it represents those domains to which mail was sent (or received) from our organisation over a number of months. A quick examination of the list showed a good sample of the New Zealand domain space (e.g. companies, government, universities, schools, towns, ISPs, auction sites and event facilities).
This list contained approximately 4000 domains and should be considered a subset of the New Zealand domain space. This list is called the “New Zealand domain list”. We then established a second list of New Zealand domains from the first by removing all those that were not an ISP or hosting provider. This second list is known as the “New Zealand ISP domain list”.
A custom Perl program (tlscheck) is used to read the domain lists, and for each domain, find a list of MXs. This ensures that redundant domains or changes to domains do not affect the results. The program then generates a unique list of MXs and tests each one for TLS capability (by querying each MX’s capability list).
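The following Python sketch is an added example of the procedure described above, not the team's Perl tlscheck program. It assumes the domain-to-MX mapping has already been obtained by DNS lookup, and all host names, replies and function names are constructed for illustration.

```python
import smtplib

# Constructed sample data: domain -> MX hosts (as a DNS MX lookup would return).
SAMPLE_MX = {
    "council.example": ["mx1.isp.example", "mx2.isp.example"],
    "school.example": ["MX1.isp.example."],   # same MX, different spelling
    "shop.example": ["mail.shop.example"],
}
# Constructed EHLO replies, one per MX, in RFC 5321 multi-line form.
SAMPLE_EHLO = {
    "mx1.isp.example": "250-mx1.isp.example\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME",
    "mx2.isp.example": "250-mx2.isp.example\r\n250-SIZE 10240000\r\n250 8BITMIME",
    "mail.shop.example": "250 mail.shop.example",
}

def advertises_starttls(ehlo_reply):
    """True if an EHLO reply lists the STARTTLS keyword."""
    lines = ehlo_reply.splitlines()
    for line in lines[1:]:                      # first line is the greeting
        if line[:3] == "250" and line[3:4] in ("-", " "):
            words = line[4:].split()
            if words and words[0].upper() == "STARTTLS":
                return True
    return False

def live_probe(mx, timeout=10):
    """Ask a real MX for its capabilities; unreachable hosts count as no TLS."""
    try:
        with smtplib.SMTP(mx, 25, timeout=timeout) as smtp:
            smtp.ehlo()
            return smtp.has_extn("starttls")
    except (OSError, smtplib.SMTPException):
        return False

def summarise(domain_mx, probe):
    """Compute the report's five columns for one domain list."""
    all_mx = [mx.lower().rstrip(".") for mxs in domain_mx.values() for mx in mxs]
    unique = sorted(set(all_mx))                # each shared MX is tested once
    tls = [mx for mx in unique if probe(mx)]
    pct = round(100.0 * len(tls) / len(unique), 1) if unique else 0.0
    return {"domains": len(domain_mx), "mxs": len(all_mx),
            "unique_mxs": len(unique), "tls_enabled": len(tls), "percentage": pct}

def offline_probe(mx):
    """Probe backed by the constructed replies above, so the sample runs offline."""
    return advertises_starttls(SAMPLE_EHLO[mx])

if __name__ == "__main__":
    print(summarise(SAMPLE_MX, offline_probe))
```

Passing `live_probe` instead of `offline_probe` queries real servers on port 25. Either probe only records that STARTTLS is advertised; it does not confirm that a TLS handshake succeeds or that the certificate is valid.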
Results
The results below are split into 5 columns:
- The Domains column contains the total number of domains in the list.
- The MXs column contains the total number of MXs that were found by querying each domain.
- The Unique MXs column contains the total number of unique MXs in the MXs column. Since MXs are frequently shared, it makes sense to remove duplicates and only examine each individual MX once.
- The TLS enabled column contains the number of MXs from the Unique MXs column that had TLS enabled.
- The Percentage column contains the percentage of Unique MXs that had TLS enabled.
New Zealand domain list
The following results are based on the large “New Zealand domain list”.
This list contains approximately 4000 New Zealand domains. This list is made up of a large variety of different types of organisations.
| Date | Domains | MXs | Unique MXs | TLS enabled | Percentage |
|---|---|---|---|---|---|
| 14/07/2005 | 3981 | 5413 | 2379 | 241 | 10.1% |
| 04/11/2005 | 3981 | 4877 | 2122 | 222 | 10.5% |
| 19/04/2006 | 3981 | 4972 | 2199 | 245 | 11.1% |
| 16/06/2006 | 3981 | 4967 | 2224 | 256 | 11.5% |
New Zealand ISP domain list
The following results are based on the small “New Zealand ISP domain list”.
This list contains about 120 domains and consists of only ISPs and hosting providers. The team maintains this separate set of results because it is useful to know how the ISPs are faring, especially given that any ISP implementing TLS could have a large effect on the results above.
| Date | Domains | MXs | Unique MXs | TLS enabled | Percentage |
|---|---|---|---|---|---|
| 14/07/2005 | 120 | 177 | 98 | 11 | 11.2% |
| 04/11/2005 | 120 | 102 | 62 | 11 | 17.7% |
| 19/04/2006 | 120 | 114 | 68 | 14 | 20.6% |
| 16/06/2006 | 120 | 112 | 68 | 11 | 16.2% |
Notes
It should be noted that although these results are for New Zealand domains, some companies operate international MXs and hence results could be a little skewed. However, the team don’t believe this is a serious issue since those MXs are effectively servicing New Zealand and could therefore be considered part of the New Zealand domain space.
It is interesting to note that articles internationally have suggested the figure for TLS capability of MXs is also approximately 10%. This is a good match for the New Zealand domain list result. This suggests that TLS capability in the New Zealand domain space is at least as good as the Internet in general.
- Check if your email server has TLS enabled, using the SecMX Tool.