What are TLSA records?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Imagine you're a mail server trying to send a message to another domain. You want to know: is that server really who it claims to be? Traditionally, you'd ask a certificate authority (a trusted third party) to verify. But what if you didn't have to trust a third party at all? That's where DANE comes in, and TLSA records are the foundation.

A TLSA record is a DNS entry that says: "Here's the certificate (or CA certificate) you should expect from my mail server." Instead of relying on external authorities, you publish the certificate details directly in your DNS. The record lives at a specific location: `_25._tcp.mail.yourdomain.com` (where 25 is the SMTP port and tcp is the protocol). It contains four pieces of information: usage (what the cert is for), selector (which cert), matching-type (how to verify it), and the actual certificate data.

When another mail server connects to you, it retrieves your TLSA record via DNSSEC (which cryptographically protects the DNS data). It then compares your actual TLS certificate against what the TLSA record says. If they match, the server knows you're legitimate. If they don't, the connection can be rejected.

TLSA records are the piece that makes DANE work for SMTP authentication.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Learn to set up TLSA for your domain

Walk through how to create and publish a TLSA record for an email domain, including the format, DNS location, and verification steps.

Edit the yellow boxes, then send to the AI of your choice.