DANE — DNS-Based Authentication of Named Entities

Standard: RFC 6698 (DANE base) + RFC 7671 (operational guidance) + RFC 7672 (DANE for SMTP) + RFC 7218 (acronyms) Layer: Transport security via DNS DNS record: TLSA at _25._tcp.[mx-host] Adoption (Feb 2026): 30 / 5.5M domains (DMARCguard scan) Reading time: 16 minutes
Definition

DANE (DNS-Based Authentication of Named Entities) binds a TLS certificate to a domain name through a DNSSEC-signed TLSA record published in DNS. For SMTP (RFC 7672), the record at _25._tcp.[mx-host] simultaneously signals "this server requires STARTTLS" and provides the exact certificate fingerprint the connection must match — eliminating reliance on the public Certificate Authority system and making downgrade attacks detectable.

Every other email transport protocol — STARTTLS, MTA-STS — has a foundational weakness: trust in the network at the moment of first contact. STARTTLS announces TLS support in cleartext (a downgrade attacker can strip the announcement). MTA-STS fetches its policy over HTTPS the first time it sees a domain (trust-on-first-use, acknowledged in RFC 8461). DANE breaks that pattern by anchoring trust in the DNSSEC root keys, propagated through the DNS delegation chain — there is no first contact to attack, because the cryptographic chain extends to the global root.

The cost of that stronger guarantee is operational. DANE requires DNSSEC on every link in the chain (your domain, the MX hostname's zone, the registrar). It requires careful certificate-rotation timing or inbound mail bounces. And until October 2024, the only major commercial receiver that consumed TLSA records for SMTP was Postfix-based open-source mail — meaning the deployment effort produced limited real-world coverage. Microsoft's October 2024 GA of Inbound SMTP DANE changed that calculus, and the planned July 2026 migration of all newly-created Accepted Domains to DNSSEC-enabled *.mx.microsoft infrastructure represents the largest single forcing function for DANE deployment to date.

The problem DANE solves

SMTP's encryption story has three layers, each fixing the previous layer's weakness while introducing a new one:

Layer 1 — Plaintext (1982-2002). SMTP as defined in RFC 821 had no encryption. Mail transited in cleartext between every server hop. Anyone with access to the network path could read or modify messages.

Layer 2 — STARTTLS (RFC 3207, 2002). Added an opportunistic TLS upgrade: the receiving server announces 250-STARTTLS in its EHLO response, the sender issues STARTTLS, both negotiate TLS, and the rest of the conversation is encrypted. This solved passive eavesdropping but introduced two new problems. First, an active attacker on the path can strip the STARTTLS announcement from the EHLO response, causing the sender to fall back to cleartext — the sender doesn't know it should have been encrypted. Second, even when TLS is negotiated, sending MTAs historically did not validate the certificate, accepting any cert (self-signed, expired, attacker-presented) because requiring CA validation would block delivery to the long tail of self-hosted mail servers.

Layer 3 — DANE (RFC 7672, 2015) and MTA-STS (RFC 8461, 2018). Both close the downgrade-attack hole, but with different trust models. DANE publishes the certificate fingerprint in DNSSEC-signed DNS, making both "TLS required" and "specific cert required" cryptographically enforceable. MTA-STS publishes a policy over HTTPS that says "use TLS, validate against CAs, here are valid MX hostnames" — easier to deploy but with TOFU vulnerability. The two were designed to coexist; RFC 7672 §1.5 explicitly confirms they do not interfere.

The fundamental DANE insight: if your DNS is cryptographically signed (DNSSEC), you can use DNS itself as a certificate distribution mechanism — eliminating the public CA system as an attack vector. A DNSSEC-signed TLSA record cannot be forged by a network-level attacker because the attacker would need to compromise the DNS root keys, not just intercept a connection. This is why DANE is sometimes called "letting DNS replace the CA system" — for protocols where you control both endpoints, it works.

How DANE works for SMTP

The DANE handshake adds three steps to the standard SMTP delivery chain. Here's what happens when a DANE-aware sender (Postfix with smtp_tls_security_level=dane, or Microsoft Exchange Online outbound) attempts to deliver mail to a DANE-enabled receiver:

SMTP delivery with DANE validation

1
Sender resolves MX recordsFor recipient@example.com, sender queries example.com IN MX. Response: 10 mx1.example.com. Critical: the MX response must be DNSSEC-validated. If the example.com zone is not signed, the sender either falls back to opportunistic TLS (Microsoft) or refuses delivery (Postfix dane-only mode).
2
Sender resolves the MX hostnameQuery mx1.example.com IN A/AAAA. The mx1.example.com zone must also be DNSSEC-signed — this is often forgotten when MX points to a third-party provider's hostname (the provider must publish DNSSEC + TLSA, not just the email domain owner).
3
Sender queries TLSAQuery _25._tcp.mx1.example.com IN TLSA. If the response is DNSSEC-validated and contains one or more TLSA records, DANE is in play. If no TLSA records exist (and the zone is signed denying their existence via NSEC/NSEC3), DANE is "not in scope" for this recipient and sender falls back to opportunistic TLS without further DANE checks.
4
TCP + SMTP greeting + STARTTLSSender opens TCP connection to mx1.example.com:25, exchanges EHLO, sees 250-STARTTLS, issues STARTTLS. If the receiver doesn't advertise STARTTLS, DANE-aware senders abort — TLS was required by the TLSA record's existence, and downgrade is not allowed.
5
TLS handshake — certificate validationReceiver presents its X.509 certificate. Sender computes the fingerprint per the TLSA Selector and Matching Type fields (typically: extract SubjectPublicKeyInfo, hash with SHA-256). If the computed fingerprint matches any of the TLSA records published, validation passes. Crucially with DANE-EE (usage 3): no CA path validation, no expiry check, no hostname check — the TLSA pin replaces all of these.
6
Mail delivery proceedsOnce TLS is established and the cert is DANE-validated, the SMTP transaction continues normally — MAIL FROM, RCPT TO, DATA, message body. The only difference from non-DANE SMTP is the validation step in #5.

If validation fails at any step, the sending MTA aborts the connection. There is no fallback to plaintext or to a less-secure validation mode — that would defeat DANE's entire purpose, since a downgrade attacker could simulate failure. The message is either tried at the next MX (if the destination has multiple MX records) or deferred for retry. After enough failed retries, the sender bounces the message back to the original sender with a TLS-related delivery failure notice.

TLSA record anatomy: 4 fields decoded

A TLSA record has exactly 4 fields, encoded as 1 byte + 1 byte + 1 byte + variable-length data. Each field has multiple valid values, and the choice of values determines what the receiver pins, how strictly, and whether the record is even useful for SMTP.

Field 1: Certificate Usage (1 byte)

Specifies what type of certificate the TLSA record represents and whether PKIX (CA-based) validation is also required. Of the 4 defined values, only 2 are recommended for SMTP per RFC 7672 §3.1.3:

0PKIX-TA

CA certificate + PKIX path validation required. The TLSA hash represents a trust anchor (root or intermediate CA) that must be in the standard CA store.

Banned for SMTP
1PKIX-EE

End-entity (server) certificate + PKIX path validation required. The TLSA hash represents the server cert itself, which must also chain to a public CA.

Banned for SMTP
2DANE-TA

Trust anchor without PKIX. The TLSA hash represents an intermediate or root cert; any cert chained to that anchor is valid. No public CA store needed.

OK for SMTP
3DANE-EE

End-entity cert without PKIX, no domain-name validation, no expiry validation. Pure cryptographic pin to this exact cert/key. Most flexible operationally.

Recommended for SMTP

Microsoft Exchange Online treats Usage values 0 and 1 as "not usable" per their documentation — when a TLSA record with Usage 0 or 1 is returned, Exchange Online doesn't perform DANE validation steps for that record. This aligns with RFC 7672 guidance that PKIX-anchored variants add complexity without security benefit for SMTP, where the use case is server-to-server (not browser-to-server) trust.

Why DANE-EE (3) is preferred: RFC 7671 §5.1 updated DANE-EE to skip three checks normally required in TLS: domain-name validation, certificate expiry validation, and CA path validation. This is intentional and important. SMTP servers commonly accept email for many domains (a single server might handle mx.provider.com but receive mail addressed to thousands of customer domains), making domain-name matching impractical. Expiry validation conflicts with the operational reality of cert renewal — a cert that expired 2 hours ago but whose new TLSA hasn't propagated yet would block all mail. DANE-EE 3 sidesteps both: if the cryptographic pin matches, the cert is trusted, period. The TLSA record itself becomes the source of truth for cert validity.

Field 2: Selector (1 byte)

Specifies what part of the certificate the TLSA hash represents:

ValueNameWhat it hashesOperational impactVerdict
0CertThe full DER-encoded certificateHash changes on every cert renewal even if the underlying key is identical. Forces TLSA rotation on every renewal cycle.Avoid
1SPKISubjectPublicKeyInfo (the public key + algorithm metadata)Hash stays constant if you reuse the same private key across renewals. Let's Encrypt's --reuse-key flag enables this. TLSA can outlive many cert renewals.Recommended

Selector 1 (SPKI) is the operational sweet spot. The trade-off is that you're committing to long-term key reuse — if your private key is ever compromised, you must rotate the key (which means rotating the TLSA hash, which means the rotation timing problem detailed below). For most production SMTP infrastructure, key reuse for 1-2 years is acceptable; the ease of cert renewal under SPKI more than compensates.

Field 3: Matching Type (1 byte)

ValueNameDescriptionVerdict
0FullRaw cert/key data, no hash. Record sizes balloon to several KB. DNS amplification risk.Avoid
1SHA-256SHA-256 hash of the cert or SPKI. 64 hex chars. Compact.Recommended
2SHA-512SHA-512 hash. 128 hex chars. Larger DNS records, marginal security improvement over SHA-256.Acceptable

Field 4: Certificate Association Data

The actual fingerprint — a hex string whose length depends on the Matching Type. For the canonical SMTP combination (Selector 1, Matching Type 1), this is the SHA-256 of the SPKI, exactly 64 hex characters (32 bytes). Generation example:

# Extract SPKI hash from a PEM certificate (the canonical 3 1 1 value)
openssl x509 -in mx1.example.com.crt -pubkey -noout \
  | openssl pkey -pubin -outform DER \
  | openssl dgst -sha256 -binary \
  | xxd -p -u -c 64

The canonical SMTP TLSA record: 3 1 1

For SMTP, the recommended TLSA configuration is DANE-EE + SPKI + SHA-256, written as 3 1 1:

; In mx1.example.com's zone file:
_25._tcp.mx1.example.com. IN TLSA 3 1 1 5b8ee71c01e0c97...
;                              │ │ │
;                              │ │ └─ Matching Type: SHA-256
;                              │ └─── Selector: SPKI (public key)
;                              └───── Usage: DANE-EE (end-entity, no PKIX)

This combination produces three properties that align well with SMTP's operational realities:

  1. No domain-name validation. The receiving SMTP server can accept mail for thousands of domains without needing a cert with all of them in SAN. Critical for shared MX infrastructure.
  2. No expiry validation. If a cert expires by mistake or renewal is delayed, mail keeps flowing as long as the TLSA fingerprint still matches. The TLSA record itself becomes the validity oracle.
  3. Stable across renewals (when key is reused). SPKI selector means renewing the cert with the same private key produces an identical TLSA hash — no DNS changes needed at renewal time.
Wildcard certs across MX hosts: anti-pattern. RFC 7672 explicitly warns against using the same cert (and the same TLSA record) across multiple MX hosts. The reasoning is operational: when you rotate the wildcard cert, you must update it on all MX hosts simultaneously and rotate the shared TLSA. Any deployment mistake at any host (delayed deployment, network split, configuration drift) creates a TLSA mismatch on that host — and inbound mail to your domain through that MX bounces. With per-host certs and per-host TLSA records, a rotation failure on one MX leaves the other MX hosts unaffected.

Microsoft Exchange Online DANE: GA October 2024 + 2026 roadmap

Microsoft is the single most consequential commercial receiver for DANE deployment. Their published roadmap from Microsoft Learn — How SMTP DANE works and Microsoft Tech Community announcements:

DateMilestoneImpact
Q1 2022Outbound SMTP DANE GAMicrosoft 365 sending tenants began validating TLSA records when delivering mail to external receivers. Microsoft → external is DANE-aware.
Oct 2024Inbound SMTP DANE GAMicrosoft 365 tenants can publish TLSA records for their Accepted Domains. External senders → Microsoft is DANE-protectable.
July 2025Inbound DANE for consumer Outlook/HotmailOutlook.com, Hotmail.com, Live.com domains brought into the DANE-eligible infrastructure. Consumer email gains DANE protection.
Q4 CY25Mandatory outbound DANE per-tenant/per-remote-domainTenants can configure outbound DANE as required for specific destination domains — failed validation hard-rejects rather than falling back.
July 2026All newly-created Accepted Domains migrate to *.mx.microsoft DNSSEC infrastructureThe biggest forcing function. Every new Microsoft 365 customer's MX defaults to DNSSEC-signed infrastructure with DANE pre-configured. DANE adoption no longer requires customer action.
Microsoft Exchange Online specifics for DANE deployment: Microsoft hosts multiple TLSA records per MX intentionally — it's expected that some will fail validation during cert rotation; as long as one record passes, the connection succeeds. Microsoft blocks email in only two scenarios: (1) the destination signals DNSSEC support but DNS records return as inauthentic, or (2) all MX records have TLSA records but no destination cert matches AND STARTTLS is unsupported. Domains NOT yet supported for Inbound DANE as of 2026: onmicrosoft.com tenant domains, and self-service sign-up domains. Microsoft is "investigating" support but no ETA published.

Adoption reality 2026: the numbers

DANE adoption remains negligible globally despite a decade of standardization. DMARCguard's February 2026 scan of 5.5 million domains from the Tranco Top Sites List found exactly 30 domains publishing TLSA records for SMTP — under 0.001% adoption. The headline numbers:

30
Domains publishing TLSA records (out of 5.5M)
DMARCguard, Feb 2026
~7%
Authoritative-side DNSSEC zone signing globally
APNIC Labs, 2026
35%
Resolver-side DNSSEC validation
APNIC Labs, 2026
Oct 2024
Microsoft 365 Inbound DANE GA
Microsoft Tech Community
Q1 2022
Microsoft 365 Outbound DANE
Microsoft Tech Community
2018
Postfix native DANE support stable
Postfix release notes

The geographic distribution of DANE deployment correlates almost perfectly with national DNSSEC adoption. The Netherlands (where DANE is on the government's "comply or explain" list and the .NL TLD has aggressive DNSSEC promotion), Sweden, Norway, and the Czech Republic account for a disproportionate share of TLSA-publishing domains. Government, research, and CSIRT-affiliated networks are dramatically over-represented compared to commercial deployment.

🇳🇱 Netherlands (high) 🇸🇪 Sweden (high) 🇳🇴 Norway (high) 🇨🇿 Czech Republic (high) 🇩🇪 Germany (medium) 🇺🇸 USA (low, .gov mandated) 🇬🇧 UK (low) 🌏 APAC (negligible)

DANE vs MTA-STS: dimensional comparison

Both protect against TLS downgrade attacks on SMTP, but with different trade-offs along every dimension. The choice isn't "which one" — for organizations that can deploy both, deploying both maximizes coverage. The decision matrix:

Dimension
DANE (RFC 7672)
MTA-STS (RFC 8461)
Trust anchor
DNSSEC root keys
Public CA system + HTTPS
First-contact security
Cryptographically secure (DNSSEC chain)
Trust-on-first-use (RFC 8461 §10.2)
Prerequisite
DNSSEC on email domain AND MX hostname zones
HTTPS endpoint at mta-sts.domain.com + 2 DNS records
Downgrade resistance
Strong (DNS forgery requires DNSSEC root compromise)
Strong after first contact; weak before (TOFU window)
Cert revocation
Effective (publish new TLSA, old cert fails immediately when cache expires)
Indirect (relies on CA-issued CRL/OCSP, often slow)
Operational complexity
High (DNSSEC + cert rotation timing)
Moderate (HTTPS site + 2 DNS records + max_age policy)
Major receiver support (2026)
Postfix, Exim, Microsoft 365 (Oct 2024 GA)
Google (April 2019), Microsoft 365 outbound, Yahoo, most cloud MTAs
Deployment regions
High in NL/SE/NO/CZ; near-zero global
Cloud providers globally; ~1% Top 1M (URIports)
Failure mode
Hard reject — message defers/bounces
Configurable: testing/enforce/none modes
Coexistence
RFC 7672 §1.5: intentionally compatible. Senders use whichever they support; both work simultaneously.

Certificate rotation without breaking inbound mail

The single highest-risk DANE operation is certificate rotation. Get the timing wrong and inbound mail bounces with TLS validation failures until sending MTAs' DNS caches expire. The required pattern is publish before deploy, deploy before retire:

DANE-safe certificate rotation timeline

T0
Publish new TLSA record alongside the existing oneBoth records live in DNS. Sending MTAs that resolve TLSA see two valid hashes; the cert presented during TLS handshake matches one of them. Critical: do NOT remove the old TLSA yet. Generate the new TLSA from the new cert/key pair before deployment.
T0+2×TTL
Deploy the new certificate on the MXBy now, DNS caches at sending MTAs have expired and re-fetched, returning both TLSA records. The new cert's hash matches one of them, so validation passes for everyone. 2× TTL is a safety buffer: 1× TTL guarantees expiry, 2× TTL absorbs any clock drift or stale cache edge cases.
T0+4×TTL
Remove the old TLSA recordSending MTAs that still cache the old TLSA hash see the new cert match the still-published new TLSA. Once their cache expires (within 1× TTL), they re-fetch and only see the new TLSA. After 2× TTL from removal, no MTA has the old TLSA cached.

If you skip the staging phase and atomically swap cert and TLSA, the failure mode is: sending MTAs with a cached old TLSA see the new cert, compute its hash, find no match, and abort the connection. Inbound mail bounces from those senders for as long as their DNS caches retain the old TLSA — typically 1-24 hours depending on the TLSA TTL you set. Selector 1 (SPKI) materially reduces this risk: if your cert renewal reuses the same private key (Let's Encrypt's --reuse-key flag enables this), the SPKI hash is unchanged across renewals, and the TLSA record stays valid through the cert change with zero DNS modification.

The most common DANE production failure we observe in customer TLS-RPT data is automated cert renewal scripts that don't account for DANE. ACME clients (Certbot, acme.sh, lego, win-acme) renew certs without touching DNS by default — fine for HTTPS, catastrophic for SMTP DANE. Either configure --reuse-key + Selector 1 (so TLSA stays valid), or use DANE-aware renewal hooks that publish the new TLSA before deploying the new cert. Postfix's documentation includes example hook scripts for this.

Common DANE failure modes (from TLS-RPT data)

Production DANE failures fall into a small number of recurring patterns, each with a specific diagnosis. The TLS-RPT result-types that signal DANE issues are tlsa-invalid, dnssec-invalid, dane-required, certificate-host-mismatch, and certificate-expired:

tlsa-invalid (cert/TLSA mismatch)

TLS-RPT: tlsa-invalid, count > 0

The cert presented by your MX doesn't match any published TLSA record. Almost always caused by cert renewal that didn't update TLSA. Verify with: openssl s_client -starttls smtp -connect mx1:25 + recompute TLSA hash. Fix: publish correct TLSA, wait for cache expiry.

dnssec-invalid (DNSSEC chain broken)

TLS-RPT: dnssec-invalid, count > 0

DNSSEC validation failed somewhere in the chain. Common causes: DS record mismatch at registrar, expired DNSSEC signatures (NSEC3 RRSIG), broken delegation. Verify with: delv +rtrace mx1.example.com TLSA. Fix: re-sign zone, update DS record at registrar.

dane-required (TLSA missing where expected)

TLS-RPT: dane-required, count > 0

Sender expected DANE but no TLSA record was found. Usually means TLSA record was deleted accidentally, or DNS provider stripped it during a migration. Verify with: dig +dnssec TXT _25._tcp.mx1.example.com. Fix: republish TLSA records.

certificate-host-mismatch (Usage 0/1 only)

TLS-RPT: certificate-host-mismatch

Cert hostname doesn't match expected. Only relevant for Usage 0/1 TLSA records — DANE-EE (3) skips hostname validation. Fix: switch to Usage 3 DANE-EE if appropriate, or update cert SANs.

starttls-not-supported (TLS not advertised)

TLS-RPT: starttls-not-supported

TLSA record exists but receiving MX doesn't advertise STARTTLS. Misconfiguration on your side — check Postfix smtpd_tls_security_level or equivalent. Should be may or encrypt, never none for DANE-published hosts.

Wildcard cert deployment drift

Mail from some senders fails, others succeed

Multiple MX hosts share a wildcard cert and a shared TLSA, but cert deployment timing varies per host. Some hosts have new cert, some old. Verify by testing each MX IP individually with openssl. Fix: either deploy atomically across all hosts, or move to per-host certs and per-host TLSA records.

DANE's bootstrap problem (and DNSSEC NSEC3 mitigation)

A subtle attack vector against DANE: if an attacker can block the DNS query for the TLSA record (rather than forge a response), the sender doesn't learn that DANE is in scope and falls back to opportunistic TLS — which the attacker can downgrade. This is called the "bootstrap problem" and applies to MTA-STS too (block the policy fetch and the sender doesn't know to enforce STARTTLS).

The mitigation for DANE is DNSSEC's NSEC/NSEC3 mechanism for authenticated denial of existence. When a DNSSEC-signed zone is queried for a non-existent record, the response includes cryptographic proof that the record genuinely doesn't exist (NSEC3 record). The sender can distinguish "TLSA record doesn't exist (so DANE not required)" from "TLSA query was blocked (so I can't tell whether DANE was required)" — in the latter case, a DANE-aware sender treats this as suspicious and may refuse delivery rather than falling back. In practice, blocking-attacks are far harder to execute than spoofing attacks, since the attacker must maintain persistent network presence rather than briefly inject a forged response.

Operational implication: ensure NSEC3 (not NSEC) is configured on your DNS zones. NSEC3 prevents zone enumeration that NSEC enables (NSEC walks let attackers enumerate every name in a zone). All major DNSSEC tooling supports NSEC3 by default since 2010.

DANE in Cloud Server for Email infrastructure

Customer-specific implementation details matter for DANE deployment on managed infrastructure. Cloud Server for Email's standard managed deployment includes:

  • DNSSEC-signed delegation on customer-controlled domains where supported by the registrar. We handle DS record submission and rotation. Customers using Route 53, Cloudflare, or DigitalOcean DNS get DNSSEC essentially for free; customers on legacy registrars may require DNS migration.
  • TLSA records published with the canonical 3 1 1 combination (DANE-EE + SPKI + SHA-256) at _25._tcp.[mx-host] for every MX hostname.
  • Dual-TLSA staging during cert rotation. Our deployment automation publishes the new TLSA at T0, deploys the new cert at T0+2×TTL, and removes the old TLSA at T0+4×TTL. TTL set to 3600s (1 hour) keeps the staging window manageable.
  • SPKI selector + Let's Encrypt --reuse-key as the default. Cert renewal happens silently every 60 days without touching DNS. Key rotation (when needed) follows the staged TLSA pattern.
  • TLS-RPT integration. Every customer DANE deployment gets a parallel TLS-RPT record so we can monitor real-world validation results from sending MTAs. The combination of DANE + TLS-RPT gives operators the visibility they need to deploy with confidence.

For customers running their own MTAs (PowerMTA, Postfix, MailWizz with custom outbound), we provide DANE consultation but do not manage the DNS layer directly — DANE deployment requires DNSSEC ownership of both the email domain and the MX hostname zone, which often spans the customer's registrar, DNS provider, and infrastructure providers.

Auditing your DANE configuration

Standard verification commands for an existing DANE deployment:

# 1. Verify DNSSEC chain on your email domain and MX
delv +rtrace example.com SOA
delv +rtrace mx1.example.com A

# 2. Verify TLSA record exists and is DNSSEC-validated
delv +rtrace _25._tcp.mx1.example.com TLSA

# 3. Verify the cert presented by your MX matches the TLSA hash
echo | openssl s_client -starttls smtp -connect mx1.example.com:25 \
  -showcerts 2>/dev/null \
  | openssl x509 -pubkey -noout \
  | openssl pkey -pubin -outform DER \
  | openssl dgst -sha256 -hex \
  | awk '{print $2}'
# Compare output hash with the value in the TLSA record

# 4. Online validators
#    - https://www.mailhardener.com/tools/dane-validator
#    - https://internet.nl (full email security audit including DANE)
#    - https://dane.sys4.de

Microsoft's Remote Connectivity Analyzer performs the same DNSSEC and DANE checks against your DNS configuration that Exchange Online does when sending email outside the service — useful for diagnosing why Microsoft 365 might be failing to deliver to your domain.

  • MTA-STS — the CA-trusted alternative to DANE; complements DANE rather than replaces it.
  • TLS-RPT — the daily reporting mechanism that surfaces DANE failures from sending MTAs. Essential companion to DANE.
  • SPF — sender authentication via authorized IP list. Different layer (sender identity, not transport security).
  • DKIM — message-level cryptographic signature. Different layer (message integrity, not transport).
  • DMARC — alignment policy across SPF/DKIM. Different layer (sender reputation policy).

Frequently asked questions

Do I need DNSSEC on both the sending and receiving sides?

DNSSEC validation happens at the sender's resolver. The sender's outbound MTA must use a DNSSEC-validating resolver (Postfix's smtp_dns_support_level=dnssec requires this). The receiving side must publish DNSSEC-signed zones for the email domain AND the MX hostname's zone. If either side is missing DNSSEC, DANE doesn't apply for that connection and senders fall back to opportunistic TLS.

Can I use DANE with a third-party email provider's MX?

Only if that provider's MX hostname zone is DNSSEC-signed and they publish TLSA records. The TLSA record must live at the MX hostname (e.g., _25._tcp.mx.provider.com), not at your email domain. If your MX points to mx.provider.com, you cannot publish the TLSA record yourself — the provider must do it. Ask your provider whether they support DANE for SMTP before assuming it works.

What TTL should I set on TLSA records?

Common production default is 3600 seconds (1 hour). Shorter TTLs (300s) make rotation faster but increase DNS query load. Longer TTLs (86400s = 1 day) reduce DNS load but extend rotation windows to 4-day operations. The 1-hour default balances these well. Note that the rotation window scales linearly with TTL: at 1h TTL, plan a 4h rotation; at 1d TTL, plan a 4-day rotation. Don't reduce TTL below 300s — many resolvers cap minimum TTL there regardless of what you publish.

If I have multiple MX records, do I need TLSA on all of them?

Yes. RFC 7672 §2 says: if any MX has a TLSA record, all MX hosts must have valid TLSA records. The reasoning: a sender can't cherry-pick which MX to use based on TLSA presence — they iterate through MX records by priority and would fall back to a non-DANE MX otherwise, defeating the protection. If you can't deploy TLSA on every MX (e.g., one is a third-party fallback without DANE support), don't deploy on any until you can — or accept that DANE-aware senders may behave inconsistently across your MX set.

Does DANE work with port 465 (implicit TLS)?

DANE for SMTP is defined for port 25 with STARTTLS, not port 465 with implicit TLS. The TLSA record location _25._tcp.[mx-host] encodes port 25 in the name. Port 465 is for client-to-server submission (MUA → SMTP server), not server-to-server delivery, and isn't part of the SMTP DANE specification. RFC 7672 explicitly scopes DANE to port 25 STARTTLS.

Can DANE be used to revoke a compromised certificate?

Yes — and effectively. If your cert is compromised, publish a TLSA record for the new (replacement) cert, wait for cache expiry, then remove the old TLSA. The compromised cert immediately fails validation for any DANE-aware sender — much faster than CRL/OCSP-based revocation, which can take days to propagate. This is one of DANE's underappreciated operational benefits over CA-based PKI: the publisher controls revocation directly via DNS, without dependency on CA infrastructure.

Should I deploy DANE if my receivers are mostly Gmail and Yahoo?

Probably not as a priority. Gmail and Yahoo do not support DANE for SMTP — Google's official position is MTA-STS, deployed since April 2019. If your inbound mail volume is dominated by Gmail and Yahoo senders, DANE protects almost none of that traffic. Deploy MTA-STS first for those receivers; then add DANE if you also receive significant volume from Microsoft 365 (which DOES support DANE since October 2024) or European receivers. The two protocols coexist by design — RFC 7672 §1.5 — so deploying both is the maximum-coverage strategy when DNSSEC infrastructure is feasible.

What's the security difference if I'm only deploying DANE for "compliance"?

Even partial DANE deployment provides real security improvements: it protects mail flow between you and any DANE-aware sender from cert mis-issuance attacks (rogue CA), MITM downgrade attacks, and cert hijacking via CA compromise. The "compliance value" is real but secondary — DANE is on the Dutch NCSC's "comply or explain" list, internet.nl scoring includes it, and EU NIS2-affected entities are increasingly being asked about transport security posture. If compliance is the primary driver, deploy DANE alongside MTA-STS for a complete transport security story.

Last updated: May 2026 · Sources: RFC 7672, RFC 6698, RFC 7671, Microsoft Learn — How SMTP DANE works, DMARCguard 2026 scan, Mailhardener DANE knowledge base.