Three signals of modern email-receiving infrastructure across the Tranco top-1M: IPv6 on MX (can the receiver be reached over v6?), DANE/TLSA (does the receiver pin its TLS certificate via DNS?), and CAA on apex (which CAs is this domain willing to trust?). Scan date: 2026-07-13 · 654,213 domains with MX · 369,789 unique MX hostnames.
A domain is IPv6-ready receiving if at least one of its MX hostnames has an
AAAA record. The Tranco scan only probes the apex for AAAA, so the
headline KPI below is computed over the self-hosted slice where
mx_host == apex (the ~5%
of domains running their own mail).
| TLD | Region | Self-hosted | v6-ready | % |
|---|---|---|---|---|
| .org | Global | 1,026 | 73 | 7.12% |
| .com.br | Brazil | 686 | 37 | 5.39% |
| .net | Global | 2,706 | 131 | 4.84% |
| .com | Global / US-skewed | 14,228 | 636 | 4.47% |
| .pl | Poland | 584 | 20 | 3.42% |
| .ro | Other | 504 | 13 | 2.58% |
| .jp | Japan | 1,078 | 24 | 2.23% |
| Provider | Domains | MX hosts (v6 / probed) | Status |
|---|---|---|---|
| Generic / unmatched (mx*.*) | 28,472 | 4 / 4 | 100.0% of probed hosts |
| Hostinger | 7,899 | 1 / 1 | 100.0% of probed hosts |
| Unknown / Other | 107,666 | 1,567 / 1,580 | 99.2% of probed hosts |
| Google Workspace | 143,651 | 26 / 28 | 92.9% of probed hosts |
| Generic / unmatched (mail.*) | 85,538 | 18 / 22 | 81.8% of probed hosts |
| Microsoft 365 | 109,307 | 4 / 6 | 66.7% of probed hosts |
| Mimecast | 9,830 | 0 / 1 | 0.0% of probed hosts |
| Proofpoint | 12,125 | 0 / 0 | n/a — MX not probed |
| Yandex 360 | 10,636 | 0 / 0 | n/a — MX not probed |
| Cloudflare Email Routing | 10,531 | 0 / 0 | n/a — MX not probed |
Provider attribution: each domain assigned to its lexically-first MX host →
matched against dictionaries/mx_providers.py. "n/a" means
the scan did not probe that provider's inbound MX hostnames for AAAA;
a Forward-DNS Infrastructure scan would fill this in.
DANE pins the receiving SMTP server's TLS certificate via a TLSA record at
_25._tcp.<mx_host>. Adoption is rare globally
(~0.5%) but high in .de, .se, .nl,
.cz due to host-side defaults and mandates.
Reference: 369,789 unique MX hostnames observed today.
A separate TLSA probe per MX host (port 25 / TCP) would be required to compute
adoption — historically concentrated in .de, .se,
.nl, .cz; global average ≈ 0.5%.
CAA records list the Certificate Authorities a domain is willing to trust.
A modern security-conscious config has an issue tag and explicitly
denies wildcard issuance (issuewild ";").
| CA | Domains | % of CAA-domains |
|---|---|---|
| letsencrypt.org | 44,376 | 84.77% |
| digicert.com | 32,677 | 62.42% |
| pki.goog | 29,073 | 55.54% |
| comodoca.com | 25,598 | 48.90% |
| ssl.com | 23,793 | 45.45% |
| sectigo.com | 10,194 | 19.47% |
| amazon.com | 9,642 | 18.42% |
| globalsign.com | 6,736 | 12.87% |
| amazonaws.com | 4,468 | 8.54% |
| amazontrust.com | 3,962 | 7.57% |
| awstrust.com | 3,496 | 6.68% |
| godaddy.com | 2,808 | 5.36% |
| harica.gr | 1,135 | 2.17% |
| certum.pl | 981 | 1.87% |
| entrust.net | 795 | 1.52% |
CA values are normalised lower-case, parameters after ; stripped. The
deny-all (";") bucket = explicit issuance ban (no CA may issue).
Source: OpenINTEL forward-DNS Tranco-top-1M snapshot (2026-07-13).
Generated by infrastructure_page.py; raw JSON:
infrastructure.json.