Nuface Blog
DANE: DNSSEC-Based TLS Protection

Posted on 2025-12-03 by Rico

📌 Introduction

As mentioned in the MTA-STS article, SMTP over TLS is vulnerable to downgrade and MITM attacks. MTA-STS improves security but still relies on HTTPS, CA certificates, and DNS TXT records, which may be intercepted or manipulated.

For environments requiring even stronger, cryptographically verifiable security, there is DANE (DNS-based Authentication of Named Entities).

DANE uses DNSSEC to authenticate TLS certificates directly from DNS records.

👉 It binds your TLS certificate to DNS
👉 It is cryptographically protected by DNSSEC
👉 Certificate substitution by a MITM is detected and the connection is rejected


πŸ” What Is DANE?

DANE is a protocol that uses DNSSEC-signed TLSA records to authenticate TLS certificates.

It ensures:

  1. MX records cannot be spoofed
  2. TLS certificates cannot be replaced
  3. Attackers cannot downgrade encryption
  4. Only certificates matching the TLSA record are accepted

Unlike MTA-STS, DANE does not rely on certificate authorities.
You can even use a self-signed certificate if it matches the TLSA record.


🧩 Requirements for DANE

1️⃣ DNSSEC must be enabled

Absolutely mandatory.

2️⃣ The MX hostname must also use DNSSEC

Example:

example.com       MX 10 mail.example.com
mail.example.com  A 192.168.1.10

Both labels must be DNSSEC-signed.

3️⃣ TLSA records must be published

Example:

_25._tcp.mail.example.com. TLSA 3 1 1 1A2B3C4D...

🔄 How DANE Works (SMTP Example)

  1. Sender validates MX via DNSSEC
  2. Sender fetches TLSA via DNSSEC
  3. TLS handshake begins
  4. TLS certificate is compared to TLSA
  5. If mismatch → reject
  6. If match → accept and deliver

DANE is strict: if TLSA exists, it must validate.


🆚 MTA-STS vs DANE Comparison

Feature                        MTA-STS          DANE
Requires DNSSEC                No               Yes
Policy source                  HTTPS            DNSSEC-signed TLSA
MITM protection                High             Very high
Certificate requirements       Public CA only   Self-signed OK
Deployment difficulty          Low              High
Supported by Google/Microsoft  Yes              No

Conclusion:

  • DANE = Highest security
  • MTA-STS = Most widely supported

Combined together:
👉 DANE (if available) + MTA-STS (fallback) = Best practice


🔧 TLSA Record Example

_25._tcp.mail.example.com. IN TLSA 3 1 1 (
  9A1CF293716A5C31A021341F89A91B77F17C93A2F4F6F7C6A2F9D4024B6EAE1D
)

Description (field meanings per RFC 6698):

  • 3 → Certificate usage: DANE-EE (end-entity certificate; no CA chain validation)
  • 1 → Selector: SubjectPublicKeyInfo (selector 0 would hash the entire certificate)
  • 1 → Matching type: SHA-256
  • Last line → Certificate association data (the fingerprint)
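The comparison in steps 4 to 6 of "How DANE Works" and the "3 1 1" record shown above are the same operation seen from two sides: the publisher hashes the certificate's SubjectPublicKeyInfo to produce the record, and the sending MTA recomputes that hash from whatever certificate the MX presents. The script below is an added example, not code from this post or from Postfix; it assumes the TLSA record was already fetched and DNSSEC-validated (steps 1 and 2), it builds a constructed, structurally correct X.509 certificate with an all-zero dummy signature so that everything runs offline, and it implements selectors 0/1 and matching types 0/1/2 itself with a minimal DER walker. The name `dane_ee_matches` and the toy certificate builder are hypothetical, not an API of any library.

```python
import hashlib
import hmac

# ---- minimal DER encode/decode (enough for an X.509 skeleton) ----
SEQ, SET, INT, BITSTR, OID, UTF8, UTCTIME, CTX0 = 0x30, 0x31, 0x02, 0x03, 0x06, 0x0C, 0x17, 0xA0

def der(tag: int, content: bytes) -> bytes:
    """Encode one TLV with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, end) for the TLV starting at pos."""
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return buf[pos], buf[start:start + length], start + length

def children(content: bytes) -> list:
    """Split a SEQUENCE body into its raw child TLVs (header included)."""
    out, pos = [], 0
    while pos < len(content):
        _, _, end = read_tlv(content, pos)
        out.append(content[pos:end])
        pos = end
    return out

ED25519 = der(OID, bytes.fromhex("2b6570"))   # id-Ed25519, OID 1.3.101.112

def spki_ed25519(pubkey: bytes) -> bytes:
    """SubjectPublicKeyInfo for a raw 32-byte Ed25519 public key."""
    return der(SEQ, der(SEQ, ED25519) + der(BITSTR, b"\x00" + pubkey))

def toy_certificate(pubkey: bytes, cn: str, serial: int = 1) -> bytes:
    """Constructed X.509 DER for the demo: real structure, dummy all-zero signature."""
    name = der(SEQ, der(SET, der(SEQ, der(OID, bytes.fromhex("550403")) + der(UTF8, cn.encode()))))
    validity = der(SEQ, der(UTCTIME, b"250101000000Z") + der(UTCTIME, b"260101000000Z"))
    tbs = der(SEQ, der(CTX0, der(INT, b"\x02")) + der(INT, bytes([serial])) + der(SEQ, ED25519)
              + name + validity + name + spki_ed25519(pubkey))
    return der(SEQ, tbs + der(SEQ, ED25519) + der(BITSTR, b"\x00" + bytes(64)))

def extract_spki(cert_der: bytes) -> bytes:
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo (RFC 5280 field order)."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs_body, _ = read_tlv(children(cert_body)[0], 0)
    fields = children(tbs_body)
    return fields[6] if fields[0][0] == CTX0 else fields[5]   # [0] version is OPTIONAL

# ---- TLSA (RFC 6698): association data, record generation, matching ----
def tlsa_assoc_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    data = cert_der if selector == 0 else extract_spki(cert_der)   # 0 = full cert, 1 = SPKI
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")

def tlsa_record(host: str, cert_der: bytes, usage=3, selector=1, mtype=1, port=25) -> str:
    """What the zone operator publishes for the MX host (here the default 3 1 1)."""
    assoc = tlsa_assoc_data(cert_der, selector, mtype).hex().upper()
    return f"_{port}._tcp.{host}. IN TLSA {usage} {selector} {mtype} {assoc}"

def dane_ee_matches(record: str, presented_cert_der: bytes) -> bool:
    """Steps 4-6: does the certificate presented in the handshake satisfy the record?"""
    usage, selector, mtype, assoc = record.split()[-4:]
    if int(usage) != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is handled in this example")
    expected = bytes.fromhex(assoc)
    actual = tlsa_assoc_data(presented_cert_der, int(selector), int(mtype))
    return hmac.compare_digest(expected, actual)   # mismatch -> reject, match -> deliver

if __name__ == "__main__":
    key_a = hashlib.sha256(b"constructed key A").digest()   # stand-in for a real public key
    key_b = hashlib.sha256(b"constructed key B").digest()
    cert = toy_certificate(key_a, "mail.example.com")
    rec = tlsa_record("mail.example.com", cert)
    print(rec)
    print("genuine cert      :", dane_ee_matches(rec, cert))
    print("substituted cert  :", dane_ee_matches(rec, toy_certificate(key_b, "mail.example.com")))
    print("renewed, same key :", dane_ee_matches(rec, toy_certificate(key_a, "mail.example.com", serial=2)))
```

Running it prints the generated 3 1 1 record, `True` for the genuine certificate, `False` for a certificate carrying a different key, and `True` again for a reissued certificate with the same key. That last case is the operational reason 3 1 1 is the usual choice: a selector-0 record (`tlsa_record(..., selector=0)`) hashes the whole certificate and breaks on every renewal, while a selector-1 record keeps matching as long as the key pair is reused, so only a key rollover needs a coordinated TLSA update.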

🏢 Who Supports DANE?

MTA             Support
Postfix         ✔ Yes
Exim            ✔ Yes
OpenSMTPD       ✔ Yes
Gmail           ❌ No
Microsoft 365   ❌ No

DANE is widely used by EU governments, financial institutions, and high-security environments.


🎯 Conclusion

DANE provides the strongest email transport security available today by combining:

  • DNSSEC integrity
  • TLS certificate pinning
  • Full MITM protection

Although deployment requires DNSSEC and additional operational effort, it provides unmatched protection.

If your organization manages its own Postfix/Dovecot infrastructure and can deploy DNSSEC, DANE combined with MTA-STS delivers the highest security posture for email transport.
