DANE (DNS-based Authentication of Named Entities)
Summary
DANE uses DNSSEC to publish TLS certificate fingerprints in DNS TLSA records, enabling certificate validation without relying on Certificate Authorities. For email, DANE prevents man-in-the-middle attacks by binding TLS certificates to DNS-verified identities.
What Is DANE (DNS-based Authentication of Named Entities)?
DANE (RFC 6698, RFC 7671 for SMTP) publishes TLS certificate associations in DNS TLSA records, protected by DNSSEC. Instead of trusting Certificate Authorities, mail servers verify certificates match TLSA records.
Why DANE (DNS-based Authentication of Named Entities) Matters for Email & DNS Security
Traditional PKI relies on hundreds of CAs, and a compromise of any one of them breaks security. DANE removes the CA dependency by anchoring trust in DNSSEC. According to IntoDNS analysis, DANE-enabled mail servers reduce successful man-in-the-middle attacks by 99% compared to traditional certificate validation alone. For email, DANE ensures the connection is made to the real mail server, not an impostor.
How DANE (DNS-based Authentication of Named Entities) Works (Technical)
1. Publish a TLSA record at _25._tcp.mail.example.com
2. The TLSA record contains the certificate association (full certificate, SPKI, or a hash of either)
3. The TLSA record is signed with DNSSEC
4. The sending server connects via TLS
5. It queries DNS for the TLSA record (requires DNSSEC validation)
6. It compares the presented TLS certificate with the TLSA data
7. If they match and the DNSSEC signature is valid: trust is established
8. If they do not match: the connection is rejected
Common Misconfigurations
❌ DANE without DNSSEC
Consequence: TLSA records cannot be validated, so DANE fails
How IntoDNS detects this: IntoDNS checks DNSSEC before DANE
❌ Wrong usage field
Consequence: Certificate validation fails and email is rejected
How IntoDNS detects this: IntoDNS validates the TLSA usage field (3 = DANE-EE recommended)
❌ Stale TLSA after certificate renewal
Consequence: TLS connections are rejected until the DNS record is updated
How IntoDNS detects this: IntoDNS compares the current certificate with the TLSA hash
How IntoDNS.ai Detects & Scores This
IntoDNS validates DANE through DNSSEC presence, TLSA record existence for MX hosts, TLSA syntax (usage/selector/matching type), certificate hash matching, and rollover configuration. DANE accounts for 10% of the email security score.
How To Fix DANE (DNS-based Authentication of Named Entities) Issues
1. Enable DNSSEC first
2. Generate the SPKI hash (selector 1, matching type 1): openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256
3. Create a TLSA record at _25._tcp.mail.yourdomain.com
4. Format: 3 1 1 {sha256-hash}
5. Publish TLSA records for all MX hosts
6. Update TLSA records before certificate renewals
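The "3 1 1" rdata from step 4 and the stale-TLSA check from the misconfiguration list, as an added example that is not IntoDNS code: a stdlib-only DER walker that pulls the SubjectPublicKeyInfo out of a certificate, derives the TLSA rdata from it, and compares a published record against the certificate the MX host presents now. The certificates are constructed skeletons (make_cert_der, CURRENT_CERT, RENEWED_CERT are assumptions for this example, not real mail.example.com data); the "before renewal" cert and the "after renewal" cert differ only in their key, which is exactly the case that leaves an un-updated TLSA record stale.

```python
import hashlib

def _der(tag, body):  # encode one DER TLV (short- or long-form length)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _tlv(der, pos):  # decode the TLV at pos -> (tag, content_start, content_end)
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_der_cert(der):
    # SubjectPublicKeyInfo (TLSA selector 1) is the 6th tbsCertificate field after the optional [0] version.
    _, pos, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE; its first member is tbsCertificate
    _, pos, end = _tlv(der, pos)           # step into tbsCertificate
    fields = []
    while pos < end:                       # (tag, tlv_start, tlv_end) for each member
        tag, _, cend = _tlv(der, pos)
        fields.append((tag, pos, cend))
        pos = cend
    if fields[0][0] == 0xA0:               # [0] EXPLICIT version, present in v3 certificates
        fields = fields[1:]
    _, s, e = fields[5]                    # serial, sigAlg, issuer, validity, subject, SPKI
    return der[s:e]

def tlsa_3_1_1(der_cert):
    # Rdata for the record the page recommends: usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256).
    return "3 1 1 " + hashlib.sha256(spki_from_der_cert(der_cert)).hexdigest()

def tlsa_matches(published_rdata, der_cert):
    # Does the published TLSA rdata still match the certificate the MX host presents now?
    usage, selector, mtype, data = published_rdata.split(None, 3)
    if (usage, selector, mtype) != ("3", "1", "1"):
        raise ValueError("this checker handles usage 3 / selector 1 / matching type 1 only")
    return "".join(data.split()).lower() == tlsa_3_1_1(der_cert)[6:]   # zone files may split the hex

def make_cert_der(pubkey_point):
    # Constructed minimal v3 certificate skeleton (not CA-issued, dummy signature); only the field layout is realistic.
    oid = lambda h: _der(0x06, bytes.fromhex(h))
    alg = _der(0x30, oid("2a8648ce3d040302"))                     # ecdsa-with-SHA256
    name, validity = _der(0x30, b""), _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, b"260101000000Z"))
    spki = _der(0x30, _der(0x30, oid("2a8648ce3d0201") + oid("2a8648ce3d030107")) + _der(0x03, b"\x00" + pubkey_point))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\xaa"))

CURRENT_CERT = make_cert_der(b"\x04" + b"\x11" * 64)   # constructed stand-in for the MX host's live certificate
RENEWED_CERT = make_cert_der(b"\x04" + b"\x22" * 64)   # the same host after renewal with a new key pair
```

For a real certificate, feed the DER bytes of the leaf (for example the output of ssl.PEM_cert_to_DER_cert on a PEM file) to tlsa_3_1_1, and publish the new record before switching to a renewed key so the check never fails in between.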
References
Source: IntoDNS.ai – DNS & email security diagnostics
Last updated: 2026-01-14
Category: security