How does DANE interact with MTA-STS?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've set up TLS encryption for your domain, but now you're wondering if DANE and MTA-STS can work together. Here's the thing: they're solving the same problem (secure TLS delivery) but in completely different ways.

DANE uses DNSSEC to publish cryptographic details about your TLS certificate directly in DNS (via TLSA records). MTA-STS publishes a policy file on your web server saying "hey, I require TLS, here's my certificate info." Different approaches, same goal.

If a sending server supports both and your domain has both DANE and MTA-STS published, it'll check for DANE first. That's because DANE is more specific and cryptographically stronger (it's tied to your domain's DNSSEC setup). If DANE validation fails or you don't have a valid TLSA record, it'll fall back and check for MTA-STS instead.

So In practice though, most senders pick one or the other. Gmail and Microsoft favor MTA-STS. European providers tend to prefer DANE. It's rare you'll see both working side-by-side because it creates unnecessary complexity. Your best move: pick whichever your hosting provider supports best, or stick with MTA-STS if you're unsure (it's simpler to deploy). See also: how DANE works with DNSSEC.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Check DANE vs MTA-STS

Compare DANE and MTA-STS: What's the difference, which takes priority in delivery, and which should I implement first?

Edit the yellow boxes, then send to the AI of your choice.