What is DANE and how does it relate to MTA-STS?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You're sending email, and a bad actor on the network intercepts it. They tell your server "hey, don't use TLS encryption, let's just send this in plain text." Your server agrees, and suddenly your message travels unencrypted. This is a TLS downgrade attack, and it's the reason DANE and MTA-STS exist.

DANE and MTA-STS both protect against downgrade attacks, but they solve the problem differently. Think of it like two different security systems for the same door.

DANE (DNS-based Authentication of Named Entities) publishes your email server's TLS certificate information in DNS records called TLSA records. The catch: these records require DNSSEC, which cryptographically signs your DNS responses to prevent tampering. If a receiving server has DNSSEC validation enabled, it can verify that your certificate is legitimate by checking DNS. It's more cryptographically rigorous but requires the entire DNS chain to support DNSSEC. Many domains haven't deployed DNSSEC yet, which limits DANE adoption.

MTA-STS takes a different approach. Instead of publishing certificate info in DNS, it creates a plain text policy file and serves it over HTTPS at a well-known URL on your domain. That policy tells receiving servers: "Don't accept unencrypted connections from me. Only use valid TLS certificates signed by a real certificate authority." Because it relies on HTTPS (which is everywhere), MTA-STS has seen much wider adoption. Major platforms like Gmail support both standards.

The practical difference matters. DANE verifies the exact certificate your server uses; MTA-STS just requires any valid certificate. DANE is stricter and more cryptographic. MTA-STS is easier to deploy. Both prevent downgrade attacks; they just take different routes to get there. If you manage your own mail infrastructure, implementing MTA-STS is usually the better starting point. You can add DANE later if you've got DNSSEC support.

So Your next step is to check whether your current mail infrastructure supports MTA-STS. You can validate your setup with our MTA-STS checker.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Understand DANE and MTA-STS for advanced email security.

I keep hearing about DANE and MTA-STS, and I'm confused whether they do the same thing. Can you explain what each one does, how they're different, why both exist, and which one I should be focusing on for my infrastructure?

Edit the yellow boxes, then send to the AI of your choice.