Is DANE widely adopted for email?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Not really. DANE sounds great on paper, but there's a fundamental problem holding it back: DNSSEC adoption is stuck at around 3-5% globally. You can't use DANE without DNSSEC, and most domain owners either don't know about DNSSEC or are scared to implement it (misconfiguring it can actually break email completely).

The bigger issue is that the major mailbox providers haven't chosen DANE. Gmail, Outlook, and Yahoo all went with MTA-STS instead because it's simpler to deploy (no DNSSEC required) and equally effective for most senders. When the biggest inbox providers don't support DANE for inbound mail, there's not much incentive to implement it on your side. Where you'll see DANE is in Europe (especially Germany and the Netherlands, which have stronger DNSSEC infrastructure), among government agencies that have dedicated security teams, and in financial institutions where certificate pinning is worth the operational complexity. Posteo, Tutanota, and mailbox.org use it. But they're the exception.

The takeaway: if you're a regular email sender, DANE probably isn't for you right now. If you're in Europe or a high-security industry and your DNS provider fully supports DNSSEC, it's worth evaluating. But for most of us, MTA-STS is the simpler, more practical choice. Want to see the comparison side by side. Check out MTA-STS vs DANE: which is right for you.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Find out what authentication to prioritize for your situation.

I want to know if DANE is worth setting up for MY domain. Help me figure out if I should implement it: 1. Is DANE the right choice for my organization 2. What's the realistic maintenance burden if I do implement it 3. What's the upside if DANE breaks vs if MTA-STS breaks 4. Do my key mailbox providers even support DANE inbound 5. What should I do first instead of DANE My details: - Organization: nonprofit, startup, enterprise, government, other - Location: US, EU, Asia, other - Current mail security: SPF/DKIM/DMARC status - DNS provider: Cloudflare, Route53, registrar, other - Ops team size: how many people manage your DNS/email - Primary concern: deliverability, security, compliance, other

Edit the yellow boxes, then send to the AI of your choice.