How DANE works

For SMTP, TLSA records are published at names of the form _port._proto.hostname, for example _25._tcp.mx1.example.com. A sending MTA looks up that record and checks that the certificate or public key presented by the destination matches the TLSA policy.

[Figure: DANE visual flow from DNSSEC validation to certificate match decision]

Prerequisites and records

DANE depends on valid DNSSEC: a TLSA record is only trustworthy when the DNSSEC chain that signs it validates end-to-end. If DNSSEC is broken or absent, TLSA trust is incomplete.

_25._tcp.mx1.example.com. 3600 IN TLSA 3 1 1 9A1B...F0C2
  • Sign the zone and verify the DNSSEC chain end-to-end.
  • Publish TLSA for each MX host serving inbound SMTP.
  • Rotate certificates and TLSA records carefully to avoid mismatch windows.
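The match decision described above, as an added illustration that is not part of the original page: a TLSA record is parsed, the association data for its selector and matching type is derived from the presented chain, and the result is accepted only if the TLSA answer was DNSSEC-validated. The certificate and SPKI bytes are constructed placeholders, not real DER.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact data, 1 SHA-256, 2 SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format such as '3 1 1 9a1b...f0c2' (hex may be split by spaces)."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))

def tlsa_owner(host: str, port: int = 25, proto: str = "tcp") -> str:
    """Owner name a sending MTA queries for an MX host, e.g. _25._tcp.mx1.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Derive the bytes a record's data field is compared against."""
    raw = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return raw
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](raw).digest()

def dane_matches(dnssec_validated: bool, records, chain) -> bool:
    """chain: list of (cert_der, spki_der) tuples, leaf first.
    True only if the TLSA RRset was DNSSEC-validated and a usable record matches."""
    if not dnssec_validated:
        return False  # an unsigned or bogus TLSA answer carries no trust at all
    for rec in records:
        if rec.usage in (0, 1):
            continue  # PKIX-* usages are unusable for opportunistic SMTP DANE (RFC 7672)
        # DANE-EE pins the leaf; DANE-TA pins an issuer somewhere above it
        candidates = chain[:1] if rec.usage == 3 else chain[1:]
        for cert_der, spki_der in candidates:
            if association_data(cert_der, spki_der, rec.selector, rec.mtype) == rec.data:
                return True
    return False

# Constructed sample data: placeholder bytes standing in for DER encodings.
LEAF_CERT, LEAF_SPKI = b"constructed-leaf-cert-der", b"constructed-leaf-spki-der"
CA_CERT, CA_SPKI = b"constructed-ca-cert-der", b"constructed-ca-spki-der"
CHAIN = [(LEAF_CERT, LEAF_SPKI), (CA_CERT, CA_SPKI)]
# A "3 1 1" record pins the SHA-256 of the leaf SPKI, like the record on this page.
RECORDS = [parse_tlsa("3 1 1 " + hashlib.sha256(LEAF_SPKI).hexdigest())]
```

Rotating the MX key without first publishing the new TLSA data makes `dane_matches` return False, which is the mismatch window the checklist above warns about.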

FAQ

Can DANE replace PKI completely?

Not in every deployment model. It complements PKI by pinning trust through DNSSEC-backed policy for supported SMTP flows.

Is DANE the same as MTA-STS?

No. Both aim to improve SMTP TLS security, but use different trust and policy mechanisms.