What is DANE for SMTP?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Imagine you're sending important mail to a business partner, but you can't trust whether the mail server's identity is real. That's the problem DANE solves for email.

DANE (DNS Based Authentication of Named Entities) lets you publish your real TLS certificate information directly in your DNS records instead of relying on a certificate authority to vouch for you. It's like putting your official credentials in the public ledger so other mail servers can verify who you actually are.

Here's how it works. You publish a special DNS record called a TLSA record that says "these are the legitimate certificates for my mail server." When another server wants to send you mail, it checks that TLSA record (using DNSSEC to verify the record itself hasn't been tampered with) and compares it to the certificate the mail server presents. If they match, the connection is trusted. If not, the mail gets rejected.

DANE is especially popular in Europe and with government agencies that have the resources to manage DNSSEC (the security layer that protects DNS itself). Most large commercial email providers like Gmail, Outlook, and Yahoo haven't adopted DANE for inbound mail, so it's not widespread yet. But if you're in a security-focused industry or region, it's worth understanding.

Want to see the bigger picture. Check out how DANE prevents certificate attacks and compare it to the simpler MTA-STS alternative.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

See if DANE makes sense for your setup.

I just learned that DANE publishes certificate info in DNS records. Help me understand how this applies to MY specific situation: 1. Does my email setup need DANE right now 2. What would I need to do to implement it 3. What's the difference between DANE and MTA-STS for my use case 4. What could go wrong if I set it up incorrectly 5. Who should actually be using DANE vs everyone else My details: - Email platform/ESP: SendGrid, Postmark, AWS SES, etc. - Domain(s): your sending domain - Location/industry: US-based, EU-based, government, finance, other - Current mail security: SPF/DKIM/DMARC status - DNS provider: Cloudflare, Route53, registrar, other - DNSSEC enabled: yes/no/unsure

Edit the yellow boxes, then send to the AI of your choice.