Why is DANE rarely used in commercial email?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've probably heard DANE mentioned as a better way to secure email delivery, so why isn't everyone using it? The short answer: DANE requires DNSSEC, and DNSSEC adoption is still incredibly low.
Here's the chain reaction. DANE relies on DNSSEC to verify that your TLSA records are legitimate. But DNSSEC isn't enabled by default on most domains (we're talking under 5% adoption). That means your domain's DNS records need to be cryptographically signed, which requires extra configuration, monitoring, and technical know-how. One misconfiguration and you can block your own email delivery.
The big email providers made a collective choice. Gmail, Microsoft, Mailchimp, Klaviyo, Brevo, and Mailgun all standardized on MTA-STS instead, which is simpler and doesn't require DNSSEC. That decision locked in MTA-STS as the industry standard. Academia and government agencies? They use DANE because they have the resources and DNSSEC infrastructure already in place. But for most commercial senders, the complexity isn't worth it.
Want to know what your domain actually supports? SPF Checker and other DMARC tools can show you which authentication protocols are live on your domain.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.