Sending Email via IPv6: A Survey

The state of IPv6 deployment

While IPv6 deployments are still anecdotal, there is a steady effort aimed at increasing adoption. The drive towards IPv6 is primarily fueled by the estimate that we will run out of IPv4 addresses around 2011. Several organizations offer counters showing when the dwindling supply of IPv4 addresses allocated to Regional Internet Registries (RIRs) by the Internet Assigned Numbers Authority (IANA) will be exhausted. One such tool is provided by Hurricane Electric (http://ipv6.he.net/statistics/). It shows:

  • Number of IPv4 addresses left
  • Number of blocks of IPv4 addresses still not assigned to a RIR
  • Number of Autonomous System Numbers (ASN) that run IPv6 (the size of the IPv6 Internet backbone)
  • Number of Top Level Domains (TLD) that are operating on IPv6
  • Number of domains that are IPv6 (I would say the number of web sites reachable via IPv6 out of the top 10 million web sites as per Alexa)

Email and IPv6

But what about email? How many servers can receive email via IPv6? We took a sample of 500,000 domains. Unfortunately we cannot use the list from Alexa, as it lists web sites and not domains with mail servers. Instead, we sampled 500,000 email domains known to Genius.com and looked up their MX records. For each MX record we checked whether the host has an AAAA record (reachable via IPv6).

We ran the simple program below against a CSV file of domains:

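<?php
// Usage: php thisscript.php domains.csv
$file = $argv[1];
$f = fopen($file, "r");
if ($f === false) {
    exit("Cannot open $file\n");
}
fgets($f, 4096);   // read and discard the first line of the file
$i = 1;
// Testing the fgets() result (rather than feof()) avoids a bogus empty row at end of file
while (($buffer = fgets($f, 4096)) !== false) {
    // strip the surrounding quotes and the line ending
    $domain = trim($buffer, "\" \t\r\n");
    if ($domain === "") {
        continue;
    }
    echo $i."|".$domain."|";

    // look for MX records ($mxhosts is filled by reference)
    $mxhosts = array();
    $foundMX = getmxrr($domain, $mxhosts);
    if ($foundMX) {
        // loop through MX hosts until one has an AAAA record
        $ipv6 = false;
        foreach ($mxhosts as $host) {
            if (checkdnsrr($host, "AAAA")) {
                $ipv6 = true;
                break;
            }
        }
        if ($ipv6) {
            echo "IPv6";
        } else {
            echo "IPv4";
        }
    } else {
        echo "No MX found";
    }
    echo "\n";
    $i++;
}
fclose($f);
?>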

Our results show that 1.895% of the sampled domains have one or more MX records with at least one host on IPv6.

There are about 120 million domains registered under generic Top Level Domains (gTLDs), that is, not under a country code Top Level Domain (ccTLD), as per RegistrarStats. We can expect the same number of ccTLD domains, although this is difficult to assess as no ccTLD is required to provide statistics. A sample of 500,000 domains is small, but fair. We know that all these domains are linked to email addresses.

How does it compare with web sites on IPv6? As per the stats of Hurricane Electric, there are 1.5 million web sites available via IPv6. Of the Top 500 websites on Alexa, Hurricane Electric indicates 0.2% are available via IPv6.

The deployment of IPv6 for email seems slightly better than for the web, perhaps because with several MX records per domain it is easier to have at least one host on IPv6.
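The survey counts a domain as IPv6 as soon as any MX host publishes an AAAA record. The following added example (not part of the original survey code) shows how the count changes once each AAAA value is classified and IPv4-mapped addresses such as ::ffff:1.2.3.4 are excluded, as suggested in the comments. The sample data is constructed, and putting 6to4/Teredo addresses in their own bucket is an assumption of this example.

```python
import ipaddress

# Constructed sample standing in for resolver output:
# domain -> {MX host: [AAAA values]}. Reserved example names and
# documentation address ranges only.
SAMPLE = {
    "native.example": {"mx1.native.example": ["2001:db8:10::25"]},
    "mapped.example": {"mx.mapped.example": ["::ffff:192.0.2.25"]},
    "tunnel.example": {"mx.tunnel.example": ["2002:c000:219::1"]},
    "mixed.example": {"mx1.mixed.example": [],
                      "mx2.mixed.example": ["::ffff:198.51.100.7",
                                            "2001:db8:20::25"]},
    "v4only.example": {"mx.v4only.example": []},
    "nomx.example": {},
}

def classify_aaaa(text):
    """Classify one AAAA value: native, ipv4-mapped, transition or unusable."""
    try:
        addr = ipaddress.IPv6Address(text)
    except ValueError:
        return "unusable"
    if addr.ipv4_mapped is not None:          # ::ffff:a.b.c.d
        return "ipv4-mapped"
    if addr.sixtofour is not None or addr.teredo is not None:
        return "transition"                   # 2002::/16 or 2001::/32
    if (addr.is_unspecified or addr.is_loopback
            or addr.is_link_local or addr.is_multicast):
        return "unusable"
    return "native"

def survey_domain(mx_to_aaaa):
    """Label one domain as the survey does, plus the best address class seen."""
    if not mx_to_aaaa:
        return "No MX found"
    kinds = {classify_aaaa(a) for v in mx_to_aaaa.values() for a in v}
    for label in ("native", "transition", "ipv4-mapped", "unusable"):
        if label in kinds:
            return "IPv6 (" + label + ")"
    return "IPv4"

def shares(sample):
    """Return (naive %, strict %) of domains counted as IPv6."""
    labels = [survey_domain(m) for m in sample.values()]
    naive = sum(lab.startswith("IPv6") for lab in labels)    # any AAAA at all
    strict = sum(lab == "IPv6 (native)" for lab in labels)   # native only
    return (round(100 * naive / len(labels), 2),
            round(100 * strict / len(labels), 2))

if __name__ == "__main__":
    for domain, mx in SAMPLE.items():
        print(domain, survey_domain(mx), sep="|")
    print("naive %.2f%%, strict %.2f%%" % shares(SAMPLE))
```

A classification like this only inspects what DNS publishes; it does not show that the host accepts SMTP connections over IPv6.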

  • http://www.personal.psu.edu/dvm105/blogs/ipv6 Derek Morr

    That figure corresponds with what I’ve seen inside Internet2. Of the approximately 300 Internet2 members, only 6 have an MX record with at least one AAAA record:

    3rox.net
    hpcnet.org
    kanren.net
    ucla.edu
    umaine.edu
    vt.edu

    That’s 1.97%, which is essentially the same as what you found.

  • Dan Wing

    You should also try connecting via IPv6 and doing at least a HELO to verify their IPv6 host is listening. With Alexa’s list I found some IPv6 addresses are IPv4-mapped (::ffff:1.2.3.4) which, if this is also done with MX records, should be excluded from the IPv6 count.

    As for why you’re seeing more MX hosts with IPv6 than web hosts: I expect it’s because the user experience is not harmed by a mailer listening on IPv6 and advertising an AAAA. However, as Google’s experience has demonstrated, the user experience can be harmed by advertising an AAAA to the world for a website (due to 6to4 and Teredo which can cause a worse-than-IPv4 user experience).

    • Franck Martin

      These are good suggestions, thanks. I’ll try it when I run this test again.

      Yes, no DNSBL or internal IP-based reputation system is geared for handling spam over IPv6, unless maybe if we go for domain-based reputation using DKIM.

      I wonder if blocking email over IPv6 which does not contain a DKIM header is not the solution…

      • Dan Wing

        Spammers were the first to start DKIM signing their email. Same would be true on IPv6, so simple blocking of non-DKIM-signed mail would need to be combined with the reputation of that /64, under the assumption that the ISP really handed out a /64. Blocking non-DKIM-signed mail delivered over IPv6 would have another drawback, too: enabling outbound IPv6 would cause rejection or non-delivery of email; the workaround to that would be to turn off IPv6 (rather than your desired outcome, which would be for the outbound IPv6 mailer to start DKIM signing the messages).

        • Franck Martin

          I don’t see if we have DKIM why we would necessarily need to bring the IPv6 address reputation.

          The choice is between a bit of added security vs. no IPv6,…hmmm…

    • Douglas Otis

      While DKIM offers a domain cryptographically signing a portion of the message, DKIM excludes intended destinations. DKIM happens after the exchange, and can not establish reputations based upon undesired email alone. A cryptographic method to verify the sending server, perhaps via the EHLO, is needed for either v4 or v6. Perhaps keyassure will provide the resource needed.

  • Dan Wing

    Some day, DKIM will get over the hump and a big domain will refuse to accept non-DKIM-signed messages. That will effectively create a flag day. I hope that day comes soon.

  • http://www.kanren.net Brad Fleming

    In the case of kanren.net, all of our primary public services listen on IPv6. So you can send us email, browse our website, perform name lookups, etc all over native IPv6 transport.

    We still have some limitations regarding our anti-spam solution vendor; however, everything seems to be pretty able.

    Currently our only IPv6 connection is via Internet2 / GPN so if you don’t have connectivity to one of those networks, you won’t see us… yet! :D

  • http://www.mirbsd.org/ mirabilos

    Our mail servers listen on IPv6 too and are entered with IPv6 addresses
    as well. Funnily enough, I’m greylisting on IPv4 but not on IPv6, no blacklists
    because they’re often wrong (e.g. when one provider switches a subnet from
    dial-up to static IPv4, as mine did, it does NOT get reflected) and failure reason,
    yet I have yet to get more than about one spam mail per month on IPv6, whereas
    there are still several per day on IPv4 (used to be a hundred or so per day, before
    greylisting).

    DKIM? Nope. I don’t even know if sendmail could do it out of the box. But I don’t
    see a reason for it. In fact, I *have* seen signed (with differing standards) spam.

  • http://altmode.wordpress.com Jim Fenton

    After recently getting IPv6 connectivity to my home mail server, I thought I’d try connecting to port 25 with IPv6. I was surprised to find that even though the Linux I’m using (Fedora 10) comes configured to do IPv6 by default, Sendmail requires recompilation in order to enable IPv6. That’s a bit of a barrier to deployment. Echoing Dan’s comment above, I wonder how many of the domains publishing AAAA records for their MX hosts have actually tested the ability to receive mail via IPv6.
