--- title: "DANE Email Authentication: Why 0.0% of Domains Use It" description: "DANE binds TLS certificates to DNS via DNSSEC — but only 30 of 5.5M scanned domains use it. Inside RFC 7672, TLSA records, NIS2, and DANE vs MTA-STS." publishedAt: 2026-05-01 tags: ["dane", "tlsa", "dnssec", "mta-sts", "tls-rpt", "email-authentication", "nis2"] faq: - question: "What is DANE in email?" answer: "DANE in email is DNS-Based Authentication of Named Entities for SMTP, defined in RFC 7672. A receiving domain publishes a DNSSEC-signed TLSA record at _25._tcp., and a DANE-aware sending mail server uses that record to verify the receiver's TLS certificate before delivering. If the certificate doesn't match, the sender refuses to deliver in plaintext — closing the STARTTLS-stripping attack class." - question: "Does DANE require DNSSEC?" answer: "Yes. RFC 7672 §2 requires conforming MTAs to ignore TLSA records that aren't authenticated by DNSSEC, because an attacker who can forge DNS can also forge an unsigned TLSA. You must DNSSEC-sign your zone and publish a matching DS record at your registrar before DANE provides any security benefit. No DNSSEC means no DANE — there is no workaround." - question: "What is the difference between DANE and MTA-STS?" answer: "DANE pins TLS certificates in DNS via DNSSEC; MTA-STS publishes a policy over HTTPS plus a versioning TXT record. DANE is cryptographically stronger and supports self-signed certs (DANE-EE, usage 3), but requires DNSSEC and TLSA-capable DNS hosting. MTA-STS works on any DNS host with HTTPS but inherits Web PKI risk. Most operators deploy MTA-STS first and add DANE when the DNSSEC stack is ready." - question: "How do I check or generate a TLSA record?" answer: "Use DMARCguard's DANE checker at /tools/dane-checker/ for live validation (it does the DNSSEC walk and TLSA match for you), or the DANE record generator at /tools/dane-generator/ to compute the 3 1 1 from a PEM certificate. On the command line: openssl x509 -pubkey -noout -in cert.pem | openssl pkey -pubin -outform DER | sha256sum." - question: "Is DANE called something different in English?" answer: "Yes — DANE stands for DNS-Based Authentication of Named Entities and refers to the IETF protocol defined by RFC 6698 (TLSA) and RFC 7672 (SMTP). The dictionary word 'Dane' (a person from Denmark) is unrelated. This post covers the protocol; if you wanted the demonym, you wanted Merriam-Webster, not DMARCguard." - question: "Why is DANE adoption near zero?" answer: "DANE adoption sits at 0.0% (30 of 5.5M domains in our Feb 2026 scan) because it requires three independent things to work: a DNSSEC-signed zone, a DNS host that exposes TLSA records, and a registrar that publishes DS records (ideally via CDS/CDNSKEY automation). GoDaddy, Namecheap Free, Vercel, Netlify, and Hetzner Console all break the chain at one step or another. Big mailbox providers (Gmail, Yahoo, iCloud) also don't publish TLSA, so most senders see no upside." --- # DANE Email Authentication: How DNS-Based TLS Pinning Stops STARTTLS Stripping (and Why 0.0% of Domains Use It) Of 5,499,028 domains we scanned in February 2026, exactly 30 publish a TLSA record for SMTP. That's **0.0% adoption** — the rarest email-authentication protocol in production today, by an order of magnitude (DMARCguard scan, Feb 2026; see our [2026 email authentication adoption study](/research/email-authentication/) for methodology). DANE email authentication (DNS-Based Authentication of Named Entities, RFC 7672) is supposed to fix STARTTLS stripping — the attack class where on-path middleboxes silently downgrade encrypted SMTP to plaintext — yet the deployment numbers say almost nobody uses it. The attack itself is real and well-documented. Durumeric and colleagues observed 41,405 SMTP servers across 193 countries corrupting STARTTLS in 2015, and the worst-affected ISPs forced **96% of inbound mail from Tunisia to Gmail to cleartext** for over a year (IMC 2015, [doi.org/10.1145/2815675.2815695](https://dl.acm.org/doi/10.1145/2815675.2815695)). A decade later, the most directly comparable independent measurement — TU Dresden's 4-million-domain Tranco scan (Tehrani et al., [TMA 2024](https://arxiv.org/html/2407.02287)) — corroborates our 0.0% finding: they measured 0.1% TLSA presence, with DNSSEC adoption itself sitting at roughly 5% of the same dataset. This post explains what DANE actually is, why its adoption is a rounding error, exactly how it stops the STARTTLS-stripping attack class, and how to decide whether you should deploy it on your domain — or pick MTA-STS instead. The TLSA mechanics are covered exhaustively in our [comprehensive DANE protocol guide](/learn/dane/); this post is the strategy layer. ## What Is DANE? (DNS-Based Authentication of Named Entities) DANE is an IETF protocol that binds a TLS certificate (or its public-key hash) to a DNS hostname using a DNSSEC-signed `TLSA` record. For email, the DANE-for-SMTP profile in [RFC 7672](https://datatracker.ietf.org/doc/html/rfc7672) lets a sending mail server verify the receiver's certificate before delivering — without depending on the public Web PKI and its hundreds of trusted certificate authorities. Two RFCs do the heavy lifting. [RFC 6698](https://datatracker.ietf.org/doc/html/rfc6698) defines the TLSA record format itself — the DNS data type and the four numeric fields it carries. RFC 7672 specifies how SMTP MTAs use those records to authenticate STARTTLS: when to look up TLSA, what to do on a match, and what to do on a mismatch. Together, they define a working DANE protocol stack for mail-server-to-mail-server traffic on port 25. The model is **certificate pinning via DNS**. The receiving domain publishes the fingerprint of its server certificate (or the certificate of a private CA that signed it) as a TLSA record. A DANE-aware sender does that DNS lookup before STARTTLS, then refuses to deliver in plaintext if the served certificate doesn't match. RFC 7672 §1.3.1 frames the motivation bluntly: "The server's indication of TLS support can be easily suppressed by an MITM attacker. Thus pre-DANE SMTP TLS security can be subverted by simply downgrading a connection to cleartext. No TLS security feature, such as the use of PKIX, can prevent this. The attacker can simply disable TLS." DANE closes that gap by making TLS support a DNSSEC-signed mandate rather than a hint inside the SMTP greeting.
## The 0.0% Problem — Why Almost Nobody Runs DANE The adoption gap is not subtle. Three independent measurements all point in the same direction. - **DMARCguard scan, Feb 2026**: 30 of 5,499,028 Tranco-derived domains publish a valid TLSA record for SMTP — 0.0005%. - **TU Dresden, TMA 2024**: 0.1% TLSA presence on a ~4-million-domain Tranco subset, with DNSSEC adoption at roughly 5% of the same set ([Tehrani et al., arXiv 2407.02287](https://arxiv.org/html/2407.02287), early-2024 scan). - **Viktor Dukhovni's continuous SMTP DANE survey** counts roughly 3.95 million DANE-enabled mail domains globally, but the absolute count is concentrated in `.nl`, `.se`, and `.cz` plus a small number of bulk-enabling hosters such as One.com, TransIP, and Argeweb. Four structural blockers explain almost all of the gap, and none of them are about the protocol itself. 1. **DNSSEC is the prerequisite.** No DNSSEC, no DANE — and DNSSEC adoption itself sits at roughly 5–7% of authoritative zones globally. SIDN's editorial "[None of the biggest internet services are DNSSEC-enabled](https://www.sidn.nl/en/news-and-blogs/none-of-the-biggest-internet-services-are-dnssec-enabled)" (28 Jan 2025) frames the structural problem precisely. 2. **DNS-host gaps.** GoDaddy DNS, Namecheap Free DNS, Vercel managed DNS, Netlify DNS, and Hurricane Electric (`dns.he.net`) cannot publish TLSA records at all — the record type is simply missing from their UI and API. Hetzner DNS Console does expose TLSA, but the platform refuses to sign zones; records publish but are cryptographically inert and produce silent DANE failures. 3. **Registrar gaps.** Only Cloudflare Registrar publicly automates the DS handoff via [RFC 7344](https://datatracker.ietf.org/doc/html/rfc7344) / [RFC 8078](https://datatracker.ietf.org/doc/html/rfc8078) CDS/CDNSKEY scanning. Every other deployer copies DS digests between two web UIs at every key rollover. Lee et al. (USENIX Security 2022) measured **30% of DNSSEC-signed `.com`/`.org`/`.net` domains with missing DS records at the registrar** — the registrar handoff is where deployments die. 4. **Big-mailbox holdouts.** Gmail and Google Workspace publish no TLSA records (they enforce MTA-STS only). Fastmail explicitly does not support DNSSEC. Yahoo, Apple iCloud, Zoho, and mxroute all show no public TLSA presence. Only Microsoft 365 (with [inbound SMTP DANE GA on 28 Oct 2024](https://techcommunity.microsoft.com/blog/exchange/announcing-general-availability-of-inbound-smtp-dane-with-dnssec-for-exchange-on/4281292)), Proton Mail, Posteo, and Mailbox.org commit to DANE for major mailbox volume. DANE email security only delivers value when both ends of the pipe agree to use it — and outside the Dutch and German ecosystems, almost nobody does. | DNS host | TLSA in UI/API | DNSSEC | Deployable for DANE | | ------------------- | -------------- | ----------------- | ------------------- | | Cloudflare DNS | Yes | Yes (automatic) | Yes | | AWS Route 53 | Yes | Yes | Yes | | Google Cloud DNS | Yes | Yes | Yes | | Azure DNS | Yes | Yes | Yes | | deSEC | Yes | Yes (always-on) | Yes | | Bunny DNS | Yes | Yes | Yes | | OVHcloud DNS | Yes | Yes | Yes | | GoDaddy DNS | No | Yes | No | | Namecheap Free DNS | No | Partial | No | | Vercel managed DNS | No | No | No | | Netlify DNS | No | No | No | | Hurricane Electric | No | No | No | | Hetzner DNS Console | Yes | No | No (silent fail) | Source: provider documentation, accessed 2026-04-28. ## How DANE Stops STARTTLS Stripping The attack pattern DANE for SMTP defeats is straightforward. Without DANE, a sending MTA opens an SMTP connection on port 25, parses the `EHLO` response for a `STARTTLS` capability, and falls back to plaintext if it doesn't see one. An on-path middlebox that quietly rewrites the `STARTTLS` advertisement to a same-length garbage token like `XXXXXXX` causes the legitimate sender to negotiate cleartext with no warning. The message ships in the open. With DANE deployed, the lookup happens before the SMTP transaction. A DNSSEC-validated TLSA record is a binding mandate to use TLS — suppressing the `STARTTLS` capability from `EHLO` no longer works because the sender already has signed proof that the receiver supports TLS. The downgrade attempt converts into a hard delivery deferral: the message stays in the queue until the network path stops tampering, rather than leaking in plaintext. Three documented incidents anchor the threat: - **Cricket / AIO Wireless, 2013–Oct 2014**: AT&T-owned US prepaid carrier rewrote STARTTLS advertisements on port 25 (classic Cisco PIX/ASA `inspect esmtp` "fixup"). Discovered by Golden Frog engineers and filed with the FCC's 14-28 Open Internet Proceeding ([EFF coverage](https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks)). - **Durumeric et al., IMC 2015**: 41,405 SMTP servers across 4,714 ASes and 193 countries corrupting STARTTLS; seven countries had >20% of inbound Gmail forced to cleartext; **Tunisia peaked at 96%**. - **Thai ISPs, September 2014**: a transparent proxy in front of `smtp.gmail.com:25` captured AUTH credentials by suppressing TLS on the EHLO response. DANE would have blocked the second pattern outright — the canonical case RFC 7672 was designed to defeat. The first and third are partly out of scope: both involved user submission, and DANE for SMTP covers only MTA-to-MTA on port 25. The fix for user submission is implicit TLS on 465 or 587 with strict certificate validation. Honesty about scope matters. **DANE is not a universal STARTTLS-stripping cure.** USENIX Security 2021's "[Why TLS is better without STARTTLS](https://www.usenix.org/system/files/sec21-poddebniak.pdf)" (Poddebniak et al.) showed that in-band buffering injection bugs survive DANE entirely — the attacker's plaintext is pre-loaded before the TLS handshake and consumed inside the validated session. CVE-2021-38371 (Exim) and CVE-2011-0411 (Postfix) are textbook examples. DANE binds the certificate; it cannot police what the receiver buffered before the cipher started. - **In-band STARTTLS injection** (CVE-2021-38371 Exim, CVE-2021-33515 Dovecot, CVE-2011-0411 Postfix). The attacker stuffs commands ahead of the TLS handshake; the legitimate certificate still validates. - **User submission on ports 465 / 587.** RFC 7672 covers MTA-to-MTA on port 25 only. Use implicit TLS with strict certificate validation for submission. - **Compromised certificates pinned by mistake.** Rotating to a new key without rotating the TLSA record produces hard delivery deferrals, not security. ## Why DANE Requires DNSSEC (and What That Costs) The DANE DNSSEC dependency is not an implementation accident. It is the cryptographic foundation that makes the protocol meaningful. The argument is simple. Without DNSSEC, an attacker who can spoof DNS responses can also spoof your TLSA record — forging a valid pin for a certificate they themselves control. The TLSA pin is then worse than no pin at all, because the sender will trust it. Conforming MTAs are required by RFC 7672 §2 to ignore unsigned TLSA responses for exactly this reason. **No DNSSEC, no DANE, no exceptions.** Every link in the deployment chain has to hold: 1. **Authoritative DNS host signs your zone.** Most major hosts (Cloudflare, Route 53, Google Cloud DNS, Azure DNS, deSEC, Bunny) automate this; some (Hetzner, Vercel, Netlify, Hurricane Electric) cannot. 2. **Registrar publishes the matching DS record at the parent TLD.** This is where most deployments break. Lee et al. (USENIX 2022) measured the failure rate at 30% of DNSSEC-signed second-level domains in `.com`/`.org`/`.net`. 3. **Mail server presents a certificate that matches the TLSA hash.** Whatever you pinned has to be served on port 25, exactly. 4. **Key rollovers re-publish the DS record at the parent.** Manual unless you're on Cloudflare Registrar with CDS/CDNSKEY automation. The economic counter-argument deserves a fair hearing. Geoff Huston (APNIC Chief Scientist) wrote in [May 2024](https://blog.apnic.net/2024/05/28/calling-time-on-dnssec/): "DNSSEC as we know it today is just not going anywhere. It's too complex, too fragile and just too slow to use for the majority of services and their users." That explains the 0.0% number more honestly than any single technical objection. The ecosystem hasn't decided DANE is wrong; it has decided DNSSEC is too costly to operate at scale outside ccTLDs with active registrar incentives. The Dutch model — SIDN financial incentives plus Forum Standaardisatie comply-or-explain — is the only one producing material adoption growth. ## The TLSA Record, Field by Field A working TLSA record looks like this: Five components carry all the meaning. The owner name encodes the protocol and port the record applies to. The three numeric fields select which artifact is being pinned and how. The hex string is the actual hash. | Field | Values | Meaning | | ---------------------------------- | -------------------------------------------- | ------------------------------------------------------ | | Owner name | `_._.` | For SMTP: `_25._tcp.` | | Certificate Usage (RFC 6698 §2.1.1) | 0=PKIX-TA, 1=PKIX-EE, 2=DANE-TA, 3=DANE-EE | RFC 7672 §3.1.3 mandates 2 or 3 only for SMTP | | Selector (§2.1.2) | 0=full cert, 1=SubjectPublicKeyInfo | Use 1 — pins the key, not the cert | | Matching Type (§2.1.3) | 0=exact, 1=SHA-256, 2=SHA-512 | Use 1 for size and modern crypto | | Certificate Association Data | Hex string | The actual hash bytes | The operator decision condenses to two patterns: **DANE-EE (`3 1 1`) for self-managed certs** and **DANE-TA (`2 1 1`) for fleets behind a private CA**. RFC 7672 §3.1.3 explicitly allows self-signed certificates under usage 3 — that is the CA-bypass selling point of DANE authentication. You don't need a Let's Encrypt cert or a paid commercial cert to authenticate to a DANE-EE-pinning peer; the DNSSEC-signed hash is the trust anchor.
The mechanics — every usage value, every interaction between selector and matching type, every per-MX RRset rule — are covered exhaustively in our [comprehensive DANE protocol guide](/learn/dane/). This post is the strategy layer; that page is the reference layer. ## DANE vs MTA-STS — How to Pick The DANE vs MTA-STS question reduces to one trade-off: **DANE is cryptographically stronger; MTA-STS is operationally easier.** The right answer depends on which barrier you can clear today. | Dimension | DANE (RFC 7672) | MTA-STS (RFC 8461) | | -------------------------------------------- | ---------------------------------- | ---------------------------------------- | | Trust anchor | DNSSEC chain | Web PKI (HTTPS) + TXT versioning | | Downgrade resistance | Hard fail — DNSSEC-signed mandate | Soft initially (TOFU), hard on cache hit | | Self-signed certs allowed | Yes (DANE-EE, usage 3) | No — must chain to trusted CA | | DNS host requirements | TLSA + DNSSEC + DS at parent | Plain TXT record only | | Web host requirements | None | Public HTTPS endpoint serving policy file | | Registrar requirements | DS publish (CDS/CDNSKEY ideal) | None | | Sender-side adoption (Ashiq et al., IMC 2025) | ~29.8% MTAs validate | ~19.6% MTAs validate | | Failure mode | Mail deferred until DNS fixes | Policy cached up to `max_age` | | NIS2 / BSI TR-03108 stance | Mandatory in DE for certified ESPs | Allowed; BSI prefers DANE | DANE currently outpaces MTA-STS on sender-side validation rate ([Ashiq, Fiebig, Chung — IMC 2025](https://dl.acm.org/doi/10.1145/3730567.3732916)) — a counter-intuitive result given DANE's lower publisher adoption, but consistent with the DANE-publishing population skewing toward operationally serious mail providers. BSI TR-03108 v2.0 puts the regulator's view plainly: "MTA-STS does not provide more robust identification of the [server]." It is a fallback, not an equal. The decision rule reads cleanly: - If you already control DNSSEC and a TLSA-aware DNS host (Cloudflare, Route 53, Google Cloud, Azure DNS, deSEC, Bunny, OVH, NS1, DNSimple), **deploy both**. - If your domain lives on GoDaddy, Namecheap Free, Vercel, Netlify, Hurricane Electric, or Hetzner DNS Console, **deploy MTA-STS only** and migrate DNS provider before adding DANE. - If you fall under DE-regulated ESP rules, NL Forum Standaardisatie scope, or NIS2 essential-entity duty-of-care, **DANE is the policy expectation** and MTA-STS is the documented fallback. TLS-RPT is the reporting layer that catches failures in either protocol — see our [TLS-RPT setup walkthrough](/blog/tls-rpt-report/). The policy layer that pairs with DANE-EE is MTA-STS — see our [MTA-STS configuration guide](/blog/mta-sts-example/). Together with the [MTA-STS learn page](/learn/mta-sts/) and [TLS-RPT learn page](/learn/tls-rpt/), they form the stack most deployers aim at: DANE for cryptographic enforcement, MTA-STS as the fallback, TLS-RPT as the visibility layer.
## Is DANE Required for NIS2 Compliance? The honest legal answer is **no — no EU instrument names DANE literally**. The functional answer is that ENISA's [Technical Implementation Guidance v1.2](https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance) (September 2025) maps Commission Implementing Regulation (EU) 2024/2690 §6.7.2(k) — "modern e-mail communications standards" — to the DANE / DNSSEC / MTA-STS family. Article 2(2) imposes comply-or-explain logic: a relevant entity that decides DANE is "not appropriate, not applicable or not feasible" must "in a comprehensible manner document its reasoning." Member-state policy is more explicit: | Country | Status | Instrument | | -------------- | ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Netherlands | Mandatory (comply-or-explain) | Forum Standaardisatie _Lijst open standaarden_ — DANE on the _pas toe of leg uit_ list since 2016, expanded to sending+receiving in 2018 | | Germany | Mandatory for certified ESPs | [BSI TR-03108 v2.0](https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr03108/tr03108_node.html) — EMLREQ_4 inbound DANE required | | France | Recommended | ANSSI-PA-105 v1.0 (Jul 2024) — DNSSEC explicitly _not_ formally mandated | | United Kingdom | Not measured | NCSC Mail Check retiring 31 Mar 2026; DANE not in check set | | United States | Recommended | NIST SP 800-177r1 §5.2.4; CISA BOD 18-01 mandates STARTTLS/SPF/DMARC, not DANE | | Canada | Recommended | CCCS ITSP.40.065 v1.1 | The enforcement teeth exist on paper. [Directive (EU) 2022/2555](https://eur-lex.europa.eu/eli/dir/2022/2555/oj) Article 34(4) caps administrative fines at "EUR 10 000 000 or … 2% of the total worldwide annual turnover, whichever is higher" for essential entities that infringe Article 21. The Commission sent reasoned opinions to 19 Member States on 7 May 2025 for transposition delays. **Through 28 April 2026, no national supervisory authority has published a named NIS2 fine** — teeth on paper, not yet bared. If your domain falls under NIS2 Annex I or II, document a DANE deployment plan against §6.7.2(k) — or document, comprehensibly, why MTA-STS is your alternative. The latter is allowed; the former is the policy expectation in the Netherlands and Germany. ## How to Deploy (or Validate) DANE on Your Domain Five steps cover the working deployment. Each one fails closed: skip a step, and you either get nothing (silent failure) or a hard delivery deferral. 1. **Confirm DNSSEC is signing your zone.** Run `dig +dnssec mail.example.com TLSA` and look for an `RRSIG`. If it isn't there, enable DNSSEC at your DNS host and publish the matching DS record at your registrar before doing anything else. Unsigned TLSA records have zero security value and may produce silent failures on Hetzner DNS Console. 2. **Generate a TLSA record from your MX host's certificate.** On the mail server, derive the SHA-256 of the SubjectPublicKeyInfo with `openssl`. The output is the hex hash for a usage `3 1 1` (DANE-EE) record. 3. **Publish at `_25._tcp.`.** One TLSA RRset per MX hostname, not per organizational domain. If `example.com` has `mx1.example.com` and `mx2.example.com` as MX hosts, you need two TLSA RRsets — one at `_25._tcp.mx1.example.com` and one at `_25._tcp.mx2.example.com`. 4. **Validate end-to-end.** Use [DMARCguard's DANE checker](/tools/dane-checker/) for the live DNSSEC walk and TLSA match, or our [DANE record generator](/tools/dane-generator/) if you'd rather generate from a PEM file first and verify after. The checker also flags the most common silent-failure modes: unsigned TLSA, missing DS at the parent, MX hostname mismatch, and wrong owner-name port. 5. **Monitor with TLS-RPT.** Publish `_smtp._tls.example.com TXT "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"` so DANE-validating senders can email JSON failure reports describing exactly which TLSA record didn't match. Without TLS-RPT, a botched key rollover is invisible until your inbound queue fills up. The reporting layer is the [TLS-RPT setup walkthrough](/blog/tls-rpt-report/). Key rollover deserves its own note. Every time you rotate the certificate (or its key, if you pinned the SubjectPublicKeyInfo), you must republish the TLSA record before the old certificate expires — and re-publish the DS at your registrar after every DNSSEC key rollover. If your registrar isn't Cloudflare Registrar, plan a manual DS publish window and verify the parent zone shows the new DS digest before the rollover. We built our own DANE scanner against the Tranco 5.5M list — that is how we know the answer is 30. The same scanner powers the [DANE checker tool](/tools/dane-checker/) you can run against your own domain right now. DANE is one of three transport-layer email-authentication protocols. Pair it with MTA-STS (policy fallback) and TLS-RPT (visibility) for defense in depth — and audit all three in one pass with [DMARCguard's DMARC checker](/tools/dmarc-checker/). ## Frequently Asked Questions ### What is DANE in email? DANE in email is DNS-Based Authentication of Named Entities for SMTP, defined in RFC 7672. A receiving domain publishes a DNSSEC-signed TLSA record at `_25._tcp.`, and a DANE-aware sending mail server uses that record to verify the receiver's TLS certificate before delivering. If the certificate doesn't match, the sender refuses to deliver in plaintext — closing the STARTTLS-stripping attack class. ### Does DANE require DNSSEC? Yes. RFC 7672 §2 requires conforming MTAs to ignore TLSA records that aren't authenticated by DNSSEC, because an attacker who can forge DNS can also forge an unsigned TLSA. You must DNSSEC-sign your zone and publish a matching DS record at your registrar before DANE provides any security benefit. No DNSSEC means no DANE — there is no workaround. ### What is the difference between DANE and MTA-STS? DANE pins TLS certificates in DNS via DNSSEC; MTA-STS publishes a policy over HTTPS plus a versioning TXT record. DANE is cryptographically stronger and supports self-signed certs (DANE-EE, usage 3), but requires DNSSEC and TLSA-capable DNS hosting. MTA-STS works on any DNS host with HTTPS but inherits Web PKI risk. Most operators deploy MTA-STS first and add DANE when the DNSSEC stack is ready. ### How do I check or generate a TLSA record? Use [DMARCguard's DANE checker](/tools/dane-checker/) for live validation — it does the DNSSEC walk and TLSA match for you — or [our DANE record generator](/tools/dane-generator/) to compute the `3 1 1 ` from a PEM certificate. On the command line: `openssl x509 -pubkey -noout -in cert.pem | openssl pkey -pubin -outform DER | sha256sum`. ### Is DANE called something different in English? Yes — DANE stands for **DNS-Based Authentication of Named Entities** and refers to the IETF protocol defined by RFC 6698 (TLSA) and RFC 7672 (SMTP). The dictionary word "Dane" (a person from Denmark) is unrelated. This post covers the protocol; if you wanted the demonym, you wanted Merriam-Webster, not DMARCguard. ### Why is DANE adoption near zero? DANE adoption sits at 0.0% (30 of 5.5M domains in our Feb 2026 scan) because it requires three independent things to work: a DNSSEC-signed zone, a DNS host that exposes TLSA records, and a registrar that publishes DS records (ideally via CDS/CDNSKEY automation). GoDaddy, Namecheap Free, Vercel, Netlify, and Hetzner Console all break the chain at one step or another. Big mailbox providers (Gmail, Yahoo, iCloud) also don't publish TLSA, so most senders see no upside. ## Where to Go from Here DANE email authentication is the strongest available defense against STARTTLS stripping, but it lives or dies on DNSSEC. The 0.0% adoption number is a measurement of the DNSSEC ecosystem, the registrar market, and the big-mailbox holdouts — not of the protocol's design. The decision is simpler than the numbers suggest: - On Cloudflare, Route 53, Google Cloud, Azure DNS, deSEC, or Bunny with a Cloudflare-Registrar-style flow, **deploy DANE and pair it with TLS-RPT** for visibility. - On GoDaddy, Namecheap Free, Vercel, Netlify, Hurricane Electric, or Hetzner DNS Console, **start with MTA-STS**, fix DNS hosting later, then add DANE. - Under NIS2, Forum Standaardisatie, or BSI TR-03108, **DANE is the policy expectation** and MTA-STS is the documented fallback. DANE-EE (`3 1 1`) lets you skip the public CA entirely — the DNSSEC-signed hash _is_ the trust anchor. No Let's Encrypt rotation, no commercial CA, no Web PKI dependency. DANE email authentication is the rarest standard in the email-authentication stack. Make it less rare for your domain — or make a defensible MTA-STS plan instead. Continue with our [TLS-RPT setup walkthrough](/blog/tls-rpt-report/) and [MTA-STS configuration guide](/blog/mta-sts-example/) for the rest of the TLS-trifecta.