What is DANE for SMTP?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine you're sending important mail to a business partner, but you can't trust whether the mail server's identity is real. That's the problem DANE solves for email.
DANE (DNS Based Authentication of Named Entities) lets you publish your real TLS certificate information directly in your DNS records instead of relying on a certificate authority to vouch for you. It's like putting your official credentials in the public ledger so other mail servers can verify who you actually are.
Here's how it works. You publish a special DNS record called a TLSA record that says "these are the legitimate certificates for my mail server." When another server wants to send you mail, it checks that TLSA record (using DNSSEC to verify the record itself hasn't been tampered with) and compares it to the certificate the mail server presents. If they match, the connection is trusted. If not, the mail gets rejected.
DANE is especially popular in Europe and with government agencies that have the resources to manage DNSSEC (the security layer that protects DNS itself). Most large commercial email providers like Gmail, Outlook, and Yahoo haven't adopted DANE for inbound mail, so it's not widespread yet. But if you're in a security-focused industry or region, it's worth understanding.
Want to see the bigger picture. Check out how DANE prevents certificate attacks and compare it to the simpler MTA-STS alternative.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.