Is DANE widely adopted for email?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Not really. DANE sounds great on paper, but there's a fundamental problem holding it back: DNSSEC adoption is stuck at around 3-5% globally. You can't use DANE without DNSSEC, and most domain owners either don't know about DNSSEC or are scared to implement it (misconfiguring it can actually break email completely).
The bigger issue is that the major mailbox providers haven't chosen DANE. Gmail, Outlook, and Yahoo all went with MTA-STS instead because it's simpler to deploy (no DNSSEC required) and equally effective for most senders. When the biggest inbox providers don't support DANE for inbound mail, there's not much incentive to implement it on your side. Where you'll see DANE is in Europe (especially Germany and the Netherlands, which have stronger DNSSEC infrastructure), among government agencies that have dedicated security teams, and in financial institutions where certificate pinning is worth the operational complexity. Posteo, Tutanota, and mailbox.org use it. But they're the exception.
The takeaway: if you're a regular email sender, DANE probably isn't for you right now. If you're in Europe or a high-security industry and your DNS provider fully supports DNSSEC, it's worth evaluating. But for most of us, MTA-STS is the simpler, more practical choice. Want to see the comparison side by side. Check out MTA-STS vs DANE: which is right for you.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.