What are TLSA records?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine you're a mail server trying to send a message to another domain. You want to know: is that server really who it claims to be? Traditionally, you'd ask a certificate authority (a trusted third party) to verify. But what if you didn't have to trust a third party at all? That's where DANE comes in, and TLSA records are the foundation.
A TLSA record is a DNS entry that says: "Here's the certificate (or CA certificate) you should expect from my mail server." Instead of relying on external authorities, you publish the certificate details directly in your DNS. The record lives at a specific location: `_25._tcp.mail.yourdomain.com` (where 25 is the SMTP port and tcp is the protocol). It contains four pieces of information: usage (what the cert is for), selector (which cert), matching-type (how to verify it), and the actual certificate data.
When another mail server connects to you, it retrieves your TLSA record via DNSSEC (which cryptographically protects the DNS data). It then compares your actual TLS certificate against what the TLSA record says. If they match, the server knows you're legitimate. If they don't, the connection can be rejected.
TLSA records are the piece that makes DANE work for SMTP authentication.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.