📌 Introduction

As mentioned in the MTA-STS article, SMTP over TLS is vulnerable to downgrade and MITM attacks. MTA-STS improves security but still relies on HTTPS, CA certificates, and DNS TXT records, which may be intercepted or manipulated.

For environments requiring even stronger, cryptographically verifiable security, there is DANE (DNS-based Authentication of Named Entities).

DANE uses DNSSEC to authenticate TLS certificates directly from DNS records.

👉 It binds your TLS certificate to DNS
👉 It is cryptographically protected by DNSSEC
👉 MITM and certificate replacement become impossible

---

🔐 What Is DANE?

DANE is a protocol that uses DNSSEC-signed TLSA records to authenticate TLS certificates.

It ensures:

1. MX records cannot be spoofed
2. TLS certificates cannot be replaced
3. Attackers cannot downgrade encryption
4. Only certificates matching the TLSA record are accepted

Unlike MTA-STS, DANE does not rely on certificate authorities.
You can even use a self-signed certificate if it matches the TLSA record.

---

🧩 Requirements for DANE

1️⃣ DNSSEC must be enabled

Absolutely mandatory.

2️⃣ The MX hostname must also use DNSSEC

Example:

example.com       MX 10 mail.example.com
mail.example.com  A 192.168.1.10

Both labels must be DNSSEC-signed.

3️⃣ TLSA records must be published

Example:

_25._tcp.mail.example.com. TLSA 3 1 1 1A2B3C4D...

---

🔄 How DANE Works (SMTP Example)

1. Sender validates MX via DNSSEC
2. Sender fetches TLSA via DNSSEC
3. TLS handshake begins
4. TLS certificate is compared to TLSA
5. If mismatch → reject
6. If match → accept and deliver

DANE is strict: if TLSA exists, it must validate.

---

🆚 MTA-STS vs DANE Comparison

Feature	MTA-STS	DANE
Requires DNSSEC	No	Yes
Policy source	HTTPS	DNSSEC-signed TLSA
MITM protection	High	Very high
Certificate requirements	Public CA only	Self-signed OK
Deployment difficulty	Low	High
Supported by Google/Microsoft	Yes	No

Conclusion:

• DANE = Highest security
• MTA-STS = Most widely supported

Combined together:
👉 DANE (if available) + MTA-STS (fallback) = Best practice

---

🔧 TLSA Record Example

_25._tcp.mail.example.com. IN TLSA 3 1 1 (
  9A1CF293716A5C31A021341F89A91B77F17C93A2F4F6F7C6A2F9D4024B6EAE1D
)

Description:

• 3 → DANE-EE (End-Entity certificate)
• 1 → Cert (entire certificate)
• 1 → SHA-256
• Last line → Fingerprint

---

🏢 Who Supports DANE?

MTA	Support
Postfix	✔ Yes
Exim	✔ Yes
OpenSMTPD	✔ Yes
Gmail	❌ No
Microsoft 365	❌ No

DANE is widely used by EU governments, financial institutions, and high-security environments.

---

🎯 Conclusion

DANE provides the strongest email transport security available today by combining:

• DNSSEC integrity
• TLS certificate pinning
• Full MITM protection

Although deployment requires DNSSEC and additional operational effort, it provides unmatched protection.

If your organization manages its own Postfix/Dovecot infrastructure and can deploy DNSSEC, DANE combined with MTA-STS delivers the highest security posture for email transport.