DANE for SMTP

DNSSEC-anchored TLSA records that pin the certificate your mail server presents. The other (older, stricter) path to authenticated mail-in-transit alongside MTA-STS.

Authority: IETF
Version: RFC 7672
Jurisdiction: Global
Source: datatracker.ietf.org
Last reviewed: 2026-04-28
Last verified: pending

What it is

RFC 7672 + RFC 7671. DNS-Based Authentication of Named Entities for SMTP — DNSSEC-signed TLSA records that bind a hostname to a specific certificate or public key. A receiving MTA refuses to deliver if the pin doesn't match.

Why it matters

Closes the same downgrade gap as MTA-STS but with stronger guarantees — provided you have DNSSEC. Major European ISPs (Deutsche Telekom, Comcast inbound) and government MTAs require it; large mail providers (Google, Microsoft) treat it as a stronger signal than MTA-STS alone.

Who it applies to

Domains with DNSSEC that send or receive mail with high-trust counterparties (gov, EU, finance).

How WQI scores it

Web Quality Index considers this standard satisfied when both of its 2 supporting factors pass.

#   Factor               Status
22  DNSSEC validation    planned
24  MTA-STS & TLS-RPT    planned

0 of 2 supporting factors are currently collected. Sites where the remaining 2 haven't been measured will show as partial or unknown on this standard until the data lands.

Related standards

Requires: DNSSEC
See also: MTA-STS, DNSSEC

Standards that share factors with this one

Auto-computed from overlapping factor tickets in satisfiedBy, excluding standards already listed under "See also" above. Strong overlap suggests these standards rise and fall together when sites are scored.
