How will MTA-STS and DANE evolve?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Before getting into the future, it helps to understand what these two protocols actually do today. Both MTA-STS and DANE are about one thing: making sure email travels between servers over an encrypted TLS connection and can't be downgraded to plain text by an attacker in the middle.
MTA-STS does this by publishing a policy file on your web server that says "only connect to my mail server if you can verify a valid TLS certificate." DANE does something similar but anchors the certificate check to DNSSEC rather than the public certificate authority system. They solve the same problem with different technical trade-offs.
Where are they going? Wider adoption is the main trend. Major providers already support MTA-STS. As more receiving servers enforce it, senders without encryption will start to see delivery friction. It won't be overnight, but the direction is clear: unencrypted or unverified mail will be treated as lower trust.
DANE is technically stronger but requires DNSSEC, which many organizations still haven't deployed. That dependency slows adoption. MTA-STS is easier to implement and doesn't require DNSSEC, so it'll likely see faster uptake in the near term.
For most senders today, the practical step is checking whether your outbound mail server supports TLS and whether your receiving infrastructure is configured for MTA-STS. Our free Review My Emails MTA-STS checker can tell you where you stand in about 30 seconds. If you want to go deeper on how MTA-STS works or what DANE actually does, both have their own explanations in the almanac.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.