How does DANE improve email security?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Here's the core problem DANE solves: when you send email, the receiving server trusts whoever issues the TLS certificate. But what if a certificate authority gets hacked or coerced into issuing a fake certificate? You'd never know the connection was compromised. DANE fixes that by removing the middleman.

Instead of trusting a certificate authority, DANE lets you publish your actual certificate fingerprint in DNS. When another server connects, it checks that fingerprint against what DNS says it should be. If it matches, the connection is legitimate. If someone tries to use a different certificate (even one issued by a trusted CA), the connection fails. That's called certificate pinning, and it's way stronger than trusting CAs alone.

But DNS itself can be attacked, right. That's where DNSSEC comes in. It cryptographically signs your DNS records so attackers can't forge fake TLSA records. They'd need your private DNS key to pull that off, which is locked down on your authoritative DNS servers. The chain is: your DNS key. The TLSA record. The TLS certificate. Attack any part of that chain and the connection fails safely instead of silently falling back to an insecure connection.

This is especially powerful against rogue certificate authorities or nation-state actors who might pressure a CA into issuing certificates they shouldn't. With DANE, you're in control. The certificate has to match what you published in DNS, period.

That said, DANE only protects the connection between mail servers, not your local authentication. You still need SPF, DKIM, and DMARC to prevent spoofing. And most major mailbox providers don't support DANE for inbound yet, so it's primarily useful if you control both sides of the connection. Ready to explore. Learn more about whether DANE is worth implementing in your region.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a security assessment for your specific threat model.

I read that DANE prevents rogue CAs from issuing fake certificates for my domain. Help me understand the security implications for MY setup: 1. What specific threats does DANE protect against 2. What threats doesn't DANE protect against 3. What's the cost/benefit analysis for my organization 4. If I implement DANE incorrectly, what breaks 5. Do I actually need DANE or is SPF/DKIM/DMARC enough My details: - Organization type: SaaS, government, finance, nonprofit, other - Threat model: [commodity spam, targeted phishing, nation-state actors, other] - Current authentication: SPF/DKIM/DMARC status and policy - Mail volume and recipient mix: mostly B2B, B2C, internal, mixed - DNSSEC capability: already enabled, could enable, not possible

Edit the yellow boxes, then send to the AI of your choice.