DANE & DNSSEC
Cryptographic verification of mail server certificates. The strongest protection against man-in-the-middle attacks and DNS spoofing.
What is DNSSEC?
DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records. This prevents attackers from spoofing DNS responses and redirecting your email to malicious servers.
What is DANE?
DANE (DNS-based Authentication of Named Entities) uses DNSSEC-signed TLSA records to specify which TLS certificates are valid for your mail servers. This eliminates reliance on certificate authorities.
The strongest email protection
DANE and DNSSEC provide cryptographic guarantees that your email is delivered to the correct servers with valid certificates.
Without DANE/DNSSEC
- DNS responses can be spoofed
- Attackers can redirect email to fake servers
- Certificate validation relies on CAs
- Compromised CAs = compromised email
With DANE/DNSSEC
- DNS responses are cryptographically signed
- TLSA records specify valid certificates
- No reliance on certificate authorities
- End-to-end cryptographic verification
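How a TLSA record is matched against a mail server certificate, as an added example (not this service's code), following the selector and matching-type rules of RFC 6698 and handling only DANE-EE (usage 3) records. The function names are hypothetical, and the certificate bytes and the second record are constructed samples, not real data.

```python
import hashlib

HASHES = {1: hashlib.sha256, 2: hashlib.sha512}   # TLSA matching types 1 and 2

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_from_cert(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo, header included (selector 1)."""
    _, pos, _ = _tlv(cert_der, 0)           # step into Certificate
    _, pos, _ = _tlv(cert_der, pos)         # step into tbsCertificate
    tag, _, after = _tlv(cert_der, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = after
    for _field in range(5):                 # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    return cert_der[pos:_tlv(cert_der, pos)[2]]

def tlsa_matches(rdata, cert_der):
    """True if a 'usage selector mtype hex' record matches the server's own certificate."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage != 3 or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False                        # other usages need chain checks not done here
    selected = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype:                               # type 0 compares the raw bytes
        selected = HASHES[mtype](selected).digest()
    return selected == bytes.fromhex("".join(hexdata.split()))

def matching_records(rrset, cert_der):
    """Records in the TLSA RRset that match; an empty list is the alert condition."""
    return [r for r in rrset if tlsa_matches(r, cert_der)]

def _der(tag, body):                        # tiny encoder, used only to build the sample
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

# Constructed sample: X.509-shaped DER with placeholder fields, not a real certificate.
SAMPLE_SPKI = _der(0x30, bytes(150))
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
                   + _der(0x30, b"") * 4 + SAMPLE_SPKI) + _der(0x30, b"") + _der(0x03, b"\x00"))
SAMPLE_RRSET = ["3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest(),   # current key
                "3 1 1 " + "ab" * 32]       # constructed record for a not-yet-deployed key
```

Publishing the next key's record alongside the current one, as in `SAMPLE_RRSET`, keeps at least one record matching throughout a certificate rollover.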
Comprehensive monitoring
DNSSEC Validation
We verify your DNSSEC chain is valid from root to your domain. Alerts when signatures expire or break.
TLSA Record Checks
Monitor your DANE TLSA records. We verify they match your actual mail server certificates.
Certificate Tracking
Get alerts before certificates expire so you can update TLSA records in advance.
Rollover Support
Guidance on safe DNSSEC key rollovers and TLSA record updates without breaking email.
Instant Alerts
Get notified immediately when DNSSEC validation fails or TLSA records don't match.
MS 365 Ready
Microsoft 365 supports DANE. We help you verify your organization is correctly configured.
Cryptographic email security
DANE & DNSSEC monitoring is included with Pro and Enterprise.