How does DANE compare to MTA-STS?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Both DANE and MTA-STS do the same job: they tell other mail servers to use TLS when connecting to you. But they go about it in completely different ways.
MTA-STS publishes a policy file on your HTTPS server. It says: "Use TLS, or don't send the message." Other servers download the policy, check it (since it's served over HTTPS), and enforce encryption. It trusts the same certificate authorities (CAs) your browser uses. This is simpler and works everywhere because all mail servers understand HTTPS.
DANE publishes certificate info directly in DNS via TLSA records, but those records are cryptographically signed with DNSSEC. This removes the dependency on certificate authorities. Instead of trusting a CA, you trust DNSSEC signatures. You're literally pinning your certificate in DNS.
Here's the trade-off: MTA-STS is easier to deploy and has broader adoption. You don't need DNSSEC (which still isn't everywhere). DANE is technically stronger because you're not trusting a CA, but it requires DNSSEC at your registrar, and not all mail servers support it yet. Many large senders use MTA-STS first, then layer DANE on top once DNSSEC is solid.
Not sure which fits your setup? We can help you figure out the right path.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.