DANE (RFC 7672) publishes your mail server's TLS certificate fingerprint as a TLSA record in DNSSEC-signed DNS.

no certificate authority trust chain required. the trust anchor is DNS itself.

```
_25._tcp.mail.yourdomain.com. IN TLSA 3 1 1 <SHA-256 hash>
```

the prerequisite: your domain must be DNSSEC-signed.

without DNSSEC, DANE records can be spoofed, which defeats the purpose.

https://dmarcguard.io/tools/dane-checker/

#DMARC #EmailSecurity #DANE #DNSSEC #RFC7672 #TLS
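An added example (not from the original post or from DMARCguard) showing what goes in the `<SHA-256 hash>` field: in `3 1 1` the selector `1` means the hash covers the certificate's SubjectPublicKeyInfo, not the whole certificate. It goes slightly beyond the post by also checking selector 0 and matching types 0 and 2 from RFC 6698; the function names and the sample certificate skeleton are constructed for illustration.

```python
import hashlib

def der(tag, body):
    """Encode one DER TLV (short-form length only; enough for the sample)."""
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, value_start, end) for the TLV at pos; long lengths handled."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                      # long form: low 7 bits = length-of-length
        k = first & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_from_cert(cert):
    """Return the complete SubjectPublicKeyInfo TLV of a DER X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)         # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)       # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                       # optional [0] version (absent in v1)
        pos = end
    for _ in range(5):                    # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    _, _, end = read_tlv(cert, pos)
    return cert[pos:end]

def tlsa_matches(cert, selector, mtype, data_hex):
    """Check a DER certificate against TLSA selector / matching type / data."""
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported TLSA parameters")
    selected = cert if selector == 0 else spki_from_cert(cert)
    digest = (selected, hashlib.sha256(selected).digest(),
              hashlib.sha512(selected).digest())[mtype]
    return digest == bytes.fromhex(data_hex)

def tlsa_311(cert):
    """RDATA for the record form shown in the post: usage 3, SPKI, SHA-256."""
    return "3 1 1 " + hashlib.sha256(spki_from_cert(cert)).hexdigest()

# Constructed sample: certificate skeleton with a dummy Ed25519 key, unsigned.
SPKI = der(0x30, der(0x30, der(0x06, b"\x2b\x65\x70")) + der(0x03, b"\x00" + bytes(range(32))))
EMPTY = der(0x30, b"")
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + EMPTY * 4 + SPKI)
CERT = der(0x30, TBS + EMPTY + der(0x03, b"\x00"))
print(tlsa_311(CERT))
```

For a real server certificate in PEM form, `ssl.PEM_cert_to_DER_cert` gives the DER bytes these functions expect. A match only means something when the TLSA answer itself was DNSSEC-validated.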
