It's easy to work this out for yourself. Take any list of the most popular zones --- the Moz 500 is the simplest to download --- and then write a simple shell loop to "host -t ds" each of them. You'll see in a minute or so that it is as I say it is. With the exceptions of Cloudflare, which sells DNSSEC services, and PayPal (but none of PayPal's subsidiaries like Venmo), nobody in the technology industry uses DNSSEC. For that matter, none of the major banks do, either. Look to any industry vertical where companies tend to have significant security teams: none of them use DNSSEC. DNSSEC is virtually absent among major domains on the Internet.
This despite the fact that DNSSEC has been under development for twenty five years, with repeated aggressive pushes for deployment.
Indeed, browsers have experimented with DNSSEC support... and then removed DNSSEC support from their builds when they discovered it was unworkable.
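A concrete form of the "host -t ds" loop described in the comment above, added here as an example and not part of the original thread. It assumes the BIND `host` utility and its usual output wording ("has DS record" / "has no DS record"), and it only touches the network when zones are passed on the command line or piped in with "-".

```shell
#!/bin/sh
# Classify one zone from the text that `host -t ds <zone>` prints.
# Input: the captured output (stdout+stderr) of host; output: one word.
# Output wording assumed from BIND's host; other resolvers may differ.
classify_ds() {
    out=$1
    case $out in
        *"has DS record"*)    echo signed ;;     # DS in the parent: zone is DNSSEC-signed
        *"has no DS record"*) echo unsigned ;;   # parent has no DS: not signed
        *)                    echo error ;;      # NXDOMAIN, timeout, SERVFAIL, ...
    esac
}

# Run the real query for one zone (needs `host` and network access).
ds_status() {
    out=$(host -t ds "$1" 2>&1)
    classify_ds "$out"
}

# Walk a list of zones, one per line on stdin, printing "<zone> <status>".
scan_zones() {
    while IFS= read -r zone; do
        [ -n "$zone" ] || continue
        printf '%s %s\n' "$zone" "$(ds_status "$zone")"
    done
}

# Usage (hypothetical file name check_ds.sh):
#   sh check_ds.sh example.com paypal.com
#   cut -d, -f2 top500.csv | sh check_ds.sh -     # column number depends on your list
if [ "$#" -gt 0 ] && command -v host >/dev/null 2>&1; then
    if [ "$1" = "-" ]; then
        scan_zones
    else
        printf '%s\n' "$@" | scan_zones
    fi
fi
```

Piping the output through `sort | uniq -c` on the status column gives the signed/unsigned/error tally for the whole list.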
This shows the top 25 websites and that none of them have DNSSEC.
As for whether people will in the future, it's impossible to say for sure. But Chrome doesn't support DNSSEC, which shows how seriously Google takes it.
Thanks for the link, that's quite interesting. While web browsers can implement their own DNS resolver, that's completely irrelevant when we're talking about an MTA. The server(s) the MTA(s) are running on have their own underlying resolvers which can be DNSSEC-compatible, or better yet, if you're using a public resolver like Quad9, they validate the DNSSEC for you.
Edit: Not that I'm saying you should trust Quad9 full-stop, but it is a nice feature. Anyone could run their own private resolver, but most choose not to because of the very same privacy concerns we're talking about in these headers, namely making your traffic easier to profile.
It doesn't matter that your MTA could, in theory, do fully recursive signature-validating resolutions, because none of the domains you'll be looking at are signed.
Yes, I'm satisfied with the evidence presented that the "major" vendors aren't signing their zones, but I do think we're far off-topic at this point as to whether or not the client IP address has value in the message headers.