DANE/TLSA Check

Validate DANE (DNS-Based Authentication of Named Entities) configuration for a domain's mail servers.

DANE uses TLSA records to pin TLS certificates in DNS, secured by DNSSEC. This provides cryptographic verification that mail servers are presenting the expected certificates.

What is DANE?

DANE (DNS-Based Authentication of Named Entities) is a protocol that allows:

Certificate Pinning: Pin TLS certificates directly in DNS via TLSA records
DNSSEC Protection: TLSA records are authenticated by DNSSEC, preventing spoofing
Alternative Trust Model: Works alongside or instead of traditional CA trust

TLSA Record Format

DNS Location: TLSA record at _25._tcp.{mx_hostname}
Record Fields:
- Usage (0-3): How to use the certificate data
  - 0 PKIX-TA: CA constraint
  - 1 PKIX-EE: End entity constraint
  - 2 DANE-TA: Trust anchor
  - 3 DANE-EE: End entity (most common)
- Selector (0-1): What to match
  - 0 Full certificate
  - 1 SubjectPublicKeyInfo (SPKI)
- Matching Type (0-2): How to match
  - 0 Exact match
  - 1 SHA-256 hash
  - 2 SHA-512 hash
Example: 3 1 1 abc123... (DANE-EE, SPKI, SHA-256)

DANE Requirements

DNSSEC: Domain must have DNSSEC enabled and validated
MX Records: TLSA records must exist for each MX server
TLS Support: Mail servers must support STARTTLS

Related Tools

MTA-STS Check - Alternative TLS enforcement mechanism
TLS-RPT Check - Receive TLS failure reports
MX Lookup - Find mail servers for a domain
SMTP Check - Test mail server TLS

My Certificates

DANE/TLSA Check

What is DANE?

TLSA Record Format

DANE Requirements

Related Tools