[elric]

Colouring an area red because they don't have DNSSEC enabled on a domain seems excessive.

A nice addition would be to add who is hosting their email. First handful I've looked at are all outlook.com, which seems a much bigger privacy & security risk than not using DNSSEC.

[duckmysick]

> A nice addition would be to add who is hosting their email.

Something like this? https://livenson.github.io/mxmap/

A few countries have those, here's a Github repo of the Swiss one (has a list of forks in there too): https://github.com/davidhuser/mxmap

[elric]

Thanks for that link! The results are predictably depressing.

[Stitch4223]

Not making it red would downplay the "SEC" part in DNSSEC.

We already have some privacy metrics in addition to tracking cookies, and there will be more. All are important at the same time.

[elric]

"Important" according to whom? A tracking cookie is trivial to fix (or to automagically disable for the more tech savvy citizens). Email being hosted by an untrusted foreign corporation is way harder to fix and impossible to bypass as a citizen trying to contact their government.

[Stitch4223]

The effort required to fix tracking cookies is sometimes astounding, while migrating to another email provider is trivial.

This depends on how well the organization handles change and various complexities. Having great technical staff makes things easier, and throwing money at the problem can also help.

Just to give an anecdote: I've had people crying on the phone because their "solutions provider" could not get TLS to work on their www domain despite spending 5.000 euros or so.

[mirashii]

I'd have hoped in 2026 that anyone publishing this type of report would understand that DNSSEC isn't helping anything, and is generally considered to be actively harmful to enable. I'd suggest doing a bit more research and dropping the DNSSEC stuff, or reversing it entirely.

[bombcar]

DNSSEC is more likely to self-DoS yourself than protect against an attack, unfortunately.

[gnyman]

as exemplified by the recent .de outage https://www.theregister.com/networks/2026/05/06/denic-sorry-...

[concinds]

It is not desirable to have mass adoption of DNSSEC, or to try to incentivize that.