DANE & TLSA
Cryptographically verify mail server certificates via DNSSEC-protected DNS.
DANE (DNS-based Authentication of Named Entities) uses DNSSEC to publish TLS certificate information in DNS. It provides stronger security than MTA-STS by cryptographically binding certificates to domain names.
DANE Requires DNSSEC
DANE only works if your domain has DNSSEC enabled. Without DNSSEC, DANE records can be spoofed. See the DNSSEC section for setup instructions.
How DANE Works
- Enable DNSSEC for your domain
- Publish TLSA records containing certificate data
- Sending servers look up your TLSA records via DNSSEC
- They verify the mail server's certificate matches the TLSA record
- If it matches, the connection is trusted; if not, it's rejected
TLSA Record Structure
# TLSA record location _port._protocol.hostname _25._tcp.mail.example.com # TLSA record format Usage Selector MatchingType CertificateData # Example TLSA record _25._tcp.mail.example.com. IN TLSA 3 1 1 \ ab2c3d4e5f6... # Fields explained: # Usage (0-3): # 0 = CA constraint # 1 = Service certificate constraint # 2 = Trust anchor assertion # 3 = Domain-issued certificate (most common for email) # Selector (0-1): # 0 = Full certificate # 1 = SubjectPublicKeyInfo only (recommended) # MatchingType (0-2): # 0 = Exact match (full data) # 1 = SHA-256 hash (recommended) # 2 = SHA-512 hash
Recommended TLSA Settings
| Setting | Value | Reason |
|---|---|---|
| Usage | 3 | Domain-issued cert, no CA validation needed |
| Selector | 1 | Public key only, survives cert renewal |
| MatchingType | 1 | SHA-256 hash, widely supported |
Generating TLSA Records
# Generate TLSA record from certificate (Linux/macOS) # Usage=3, Selector=1, MatchingType=1 (recommended settings) # From a certificate file openssl x509 -in certificate.crt -pubkey -noout | \ openssl pkey -pubin -outform DER | \ openssl dgst -sha256 -binary | \ xxd -p -c 256 # From a live server echo | openssl s_client -connect mail.example.com:25 -starttls smtp 2>/dev/null | \ openssl x509 -pubkey -noout | \ openssl pkey -pubin -outform DER | \ openssl dgst -sha256 -binary | \ xxd -p -c 256
DANE on Microsoft 365
Microsoft 365 supports inbound DANE for custom domains. Here's how to enable it:
Prerequisites
- DNSSEC must be enabled for your domain
- Your DNS provider must support TLSA records
- Exchange Online PowerShell module installed
PowerShell Configuration
# Connect to Exchange Online Install-Module -Name ExchangeOnlineManagement Connect-ExchangeOnline -UserPrincipalName admin@example.com # Check current DNSSEC and DANE status Get-AcceptedDomain -Identity example.com | Format-List \ DomainName, DnssecEnabled, DaneEnabled # Enable DNSSEC for inbound mail Set-AcceptedDomain -Identity example.com -DnssecEnabled $true # Enable DANE for inbound mail Set-AcceptedDomain -Identity example.com -DaneEnabled $true # Verify the configuration Get-AcceptedDomain -Identity example.com | Format-List \ DomainName, DnssecEnabled, DaneEnabled # Get the CNAME targets for TLSA records Get-DnssecStatusForVerifiedDomain -DomainName example.com
DNS Records for Microsoft 365 DANE
# Create CNAME records pointing to Microsoft's TLSA records # Microsoft manages the actual TLSA data and rotates certificates # For your primary MX _25._tcp.example-com.mail.protection.outlook.com CNAME \ _25._tcp.example-com.o365dane.protection.outlook.com
Why CNAME for TLSA?
Microsoft rotates certificates regularly. Using CNAME records pointing to Microsoft's TLSA targets means you don't need to update TLSA records when certificates change—Microsoft handles it automatically.
DANE vs MTA-STS
| Aspect | DANE | MTA-STS |
|---|---|---|
| Requires DNSSEC | Yes (mandatory) | No |
| Requires HTTPS | No | Yes (policy hosting) |
| Security level | Higher (crypto-bound) | Good (HTTPS trust) |
| Adoption | Lower (DNSSEC barrier) | Higher (easier setup) |