What is DANE and how does it use DNSSEC?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

DANE stands for DNS-Based Authentication of Named Entities, and it solves a real problem: how do you verify a mail server's TLS certificate without trusting a certificate authority (CA)? Traditional email relies on CAs to vouch for servers. But if a CA gets hacked or issues a fake cert, your email could be intercepted without you knowing. DANE removes that middleman.

Instead of asking a CA, DANE publishes certificate information directly in your DNS. You create special DNS records called TLSA records that say: "This is the certificate you should expect from my mail server." When another mail server connects to you, it can retrieve that record and verify your certificate against it. No CA required.

But here's the catch: DNS itself is vulnerable to attacks (spoofing, man-in-the-middle). That's where DNSSEC comes in. DNSSEC adds cryptographic signatures to DNS records. Every TLSA record you publish gets signed with your domain's private key. When another mail server retrieves your TLSA record, it verifies the signature with your public key (which is also in DNS). If the signature checks out, they know the record hasn't been tampered with.

Think of it this way: DANE is the certificate pinning strategy. DNSSEC is the lock that protects the pins. Together, they create a chain of trust that doesn't depend on certificate authorities. The downside is that DNSSEC support is still growing, and not every mail server or registrar has it enabled yet.

Ready to explore DANE for your domain? Start by checking if your DNS provider supports DNSSEC signing.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Learn to implement DANE

Explain the step-by-step process of how a sending server validates a receiving server's certificate using DANE and DNSSEC, including where DNSSEC validation occurs.

Edit the yellow boxes, then send to the AI of your choice.