DANE (DNS-based Authentication of Named Entities)
DANE uses DNSSEC to provide certificate authentication for email transport security, enabling encrypted and authenticated connections between mail servers.
How DANE Works
The Problem
Traditional TLS for email (STARTTLS) has vulnerabilities:
- Opportunistic encryption: Falls back to unencrypted if TLS fails
- No certificate verification: Accepts any certificate by default
- Vulnerable to MITM: Attackers can downgrade or intercept connections
The Solution
DANE addresses these issues by:
- Publishing certificates in DNS: TLSA records specify expected certificates
- Using DNSSEC: Cryptographically signs DNS records
- Enabling verification: Receiving servers can verify sender certificates
Sender MTA Receiver MTA
│ │
│ 1. Query MX record │
├──────────────────────────────────────────►│
│ │
│ 2. Query TLSA record (with DNSSEC) │
├──────────────────────────────────────────►│
│ │
│ 3. Connect with TLS │
├──────────────────────────────────────────►│
│ │
│ 4. Verify certificate matches TLSA │
│ │TLSA Record Format
TLSA records are published at:
_port._protocol.hostnameFor SMTP (port 25):
_25._tcp.mail.example.comRecord Structure
_25._tcp.mail.example.com. IN TLSA 3 1 1 <certificate-hash>| Field | Position | Description |
|---|---|---|
| Usage | 1st | How to use the certificate data |
| Selector | 2nd | Which part of certificate to match |
| Matching Type | 3rd | How to match (exact or hash) |
| Certificate Data | 4th | The actual certificate data or hash |
Usage Values
| Value | Name | Description |
|---|---|---|
| 0 | PKIX-TA | CA constraint (must chain to this CA) |
| 1 | PKIX-EE | Certificate constraint (must be this cert) |
| 2 | DANE-TA | Trust anchor (domain-issued CA) |
| 3 | DANE-EE | Domain-issued end entity (recommended) |
TIP
For email, 3 (DANE-EE) is recommended. It pins the exact certificate without requiring traditional CA validation.
Selector Values
| Value | Name | Description |
|---|---|---|
| 0 | Full | Match entire certificate |
| 1 | SPKI | Match public key only (recommended) |
TIP
1 (SPKI) is recommended because it survives certificate renewal if the same key is reused.
Matching Type Values
| Value | Name | Description |
|---|---|---|
| 0 | Full | Exact match (no hashing) |
| 1 | SHA-256 | SHA-256 hash (recommended) |
| 2 | SHA-512 | SHA-512 hash |
Example TLSA Records
Recommended configuration (3 1 1):
_25._tcp.mail.example.com. IN TLSA 3 1 1 a]b2c3d4e5f6...Full certificate pin (3 0 1):
_25._tcp.mail.example.com. IN TLSA 3 0 1 1a2b3c4d5e6f...When DANE Adds Value
Good Use Cases
✅ Use DANE when:
- You control your mail server infrastructure
- DNSSEC is already deployed for your domain
- You need cryptographic assurance of TLS connection authenticity
- Your receiving partners support DANE verification
- High-security environments requiring defense in depth
Limited Value
⚠️ DANE has limited value when:
- Using hosted email (Google Workspace, Microsoft 365)
- DNSSEC is not deployed
- Most email partners don't verify DANE
- MTA-STS already covers your requirements
DANE vs. MTA-STS
| Feature | DANE | MTA-STS |
|---|---|---|
| Requires DNSSEC | Yes | No |
| Certificate pinning | Yes | No (uses CA trust) |
| Adoption by senders | Lower | Higher |
| Setup complexity | Higher | Lower |
| Hosted email support | Limited | Good |
Recommendation: Most organizations should implement MTA-STS first. Add DANE if you have DNSSEC and need additional assurance.
DANE and MTA-STS Interaction
DANE and MTA-STS can work together:
- Both present: Sender should prefer DANE if it validates
- Only MTA-STS: Use MTA-STS policy
- Only DANE: Use DANE verification
- Neither: Opportunistic TLS only
Most major email providers check both when available.
Implementation Steps
Prerequisites
Before implementing DANE:
- [ ] DNSSEC must be deployed and validated for your domain
- [ ] You control your mail server's TLS certificates
- [ ] You have a process for updating TLSA records during certificate rotation
Step 1: Verify DNSSEC
Check if DNSSEC is active:
dig +dnssec example.comLook for the ad (authenticated data) flag in the response.
Step 2: Generate TLSA Record
Extract the certificate hash:
# For the public key (selector 1) with SHA-256 (matching type 1)
openssl x509 -in cert.pem -noout -pubkey | \
openssl pkey -pubin -outform DER | \
openssl dgst -sha256 -binary | \
xxd -p -c 256Or use an online TLSA generator with your certificate.
Step 3: Publish TLSA Record
Add the record to your DNS:
_25._tcp.mail.example.com. 3600 IN TLSA 3 1 1 <hash-from-step-2>Step 4: Test Configuration
Using dig:
dig TLSA _25._tcp.mail.example.com +dnssecUsing online validators:
- DANE SMTP Validator tools
- Hardenize (https://hardenize.com)
Step 5: Monitor
- Monitor for DNSSEC validation issues
- Set reminders for certificate renewal
- Update TLSA records before certificates expire
Certificate Rotation
WARNING
DANE requires careful certificate rotation planning. Publishing new TLSA records before certificate rollover is critical.
Rotation Process
- Generate new certificate (with same or new key)
- Calculate new TLSA hash
- Publish both old and new TLSA records:
_25._tcp.mail.example.com. IN TLSA 3 1 1 <old-hash>
_25._tcp.mail.example.com. IN TLSA 3 1 1 <new-hash>- Wait for DNS propagation (at least 2x TTL)
- Deploy new certificate
- Remove old TLSA record (after old cert expires)
Automation
Consider automating TLSA updates with certificate management tools:
- Let's Encrypt with DANE plugins
- Certificate management systems with DNS API integration
Testing and Validation
Manual Testing
Check TLSA record:
dig TLSA _25._tcp.mail.example.com +shortTest with OpenSSL:
openssl s_client -connect mail.example.com:25 -starttls smtpOnline Validators
- Hardenize: Comprehensive email security test including DANE
- Internet.nl: Dutch internet standards test
- DANE SMTP Validator: Specialized DANE testing
Common Validation Errors
| Error | Cause | Solution |
|---|---|---|
| No TLSA record found | Record not published or wrong name | Verify record exists at correct location |
| DNSSEC validation failed | DNSSEC not configured or broken | Fix DNSSEC chain |
| Certificate mismatch | Hash doesn't match current cert | Update TLSA record with current hash |
| Usage/selector mismatch | Wrong TLSA parameters | Verify parameters match your setup |
DANE for Hosted Email
Google Workspace
Google publishes DANE records for their mail servers. As a Google Workspace user:
- You benefit from DANE when sending to DANE-enabled receivers
- You cannot publish TLSA records for Google's MX servers
Microsoft 365
Microsoft supports DANE verification when sending. For receiving:
- DANE support for Microsoft 365 custom domains is limited
- Check Microsoft documentation for current status
Other Providers
Check with your email provider for:
- DANE sending verification support
- DANE receiving (TLSA publishing) options
Best Practices
Do
✅ Deploy DNSSEC before DANE
✅ Use parameters 3 1 1 (DANE-EE, SPKI, SHA-256)
✅ Plan certificate rotation carefully
✅ Monitor DNSSEC validation status
✅ Test after any DNS or certificate changes
Don't
❌ Deploy DANE without DNSSEC
❌ Forget to update TLSA records before certificate rollover
❌ Use short TTLs that cause validation issues
❌ Ignore DANE validation failures in monitoring
MailShield and DANE
MailShield monitors your DANE configuration:
- TLSA record detection: Identifies published TLSA records
- Validation checks: Verifies DNSSEC and certificate matching
- Expiry monitoring: Alerts on upcoming certificate expirations
- Security scoring: DANE configuration contributes to your security score