Introduction: The Forged Certificate
MTA-STS makes a sending server insist on TLS and on a certificate that chains to a public CA and matches the MX hostname. Its weak points are that the policy is fetched over HTTPS and trusted on first use (an attacker on the path can suppress it the first time), and that it still rests on the web PKI: any of the hundreds of public CAs could mis-issue a certificate for your MX host, and an attacker holding such a certificate can terminate the TLS session and read the mail. DANE (DNS-based Authentication of Named Entities, RFC 6698, applied to SMTP in RFC 7672) removes the CA from the picture altogether: the domain owner states in DNS exactly which certificate or public key the MX host must present. DANE predates MTA-STS; MTA-STS was designed for operators who cannot deploy DNSSEC.
A DNSSEC-Anchored Chain of Trust
DANE relies on DNSSEC, which adds cryptographic signatures to DNS records so that a validating resolver can verify they really come from the zone owner and have not been altered or suppressed in transit. For each MX host, the receiving domain publishes a TLSA record at a well-known name (for SMTP, _25._tcp followed by the MX hostname, for example _25._tcp.mx.example.com). The record carries a hash (normally SHA-256) of the server certificate or, more commonly, of its public key, together with three small numbers saying how the sender should match it. A DANE-aware sending server looks up the MX record and the TLSA record through a validating resolver, and both must come back DNSSEC-secure. It then opens TLS to the MX host (matching is by MX hostname, never by IP address) and compares the presented certificate against the published fingerprint. If nothing matches, or if DNSSEC validation of the records fails, the sender treats the connection as tampered with and refuses to deliver, instead of falling back to cleartext or to an unauthenticated certificate. If the zone is simply not signed, there is no DANE to enforce and the sender uses ordinary opportunistic TLS.
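The following worked example is added here and is not code from the original page. It shows both halves of the mechanism described above: what the receiving domain publishes (a TLSA record derived from the MX certificate) and the decision a DANE-aware sending MTA makes from the resolver's DNSSEC verdict plus the certificate the server presents. To run offline it builds constructed, certificate-shaped DER blobs with fake keys and no signature; the record name _25._tcp.mx.example.com and the key strings are illustrative. A real DER certificate (for example from ssl.SSLSocket.getpeercert(binary_form=True)) passes through the same functions unchanged. Only DANE-EE (usage 3) matching is implemented; DANE-TA (usage 2) would additionally require verifying the presented chain.

```python
"""TLSA generation (receiver) and DANE matching (sender), after RFC 6698 / RFC 7672.
Added example, not the page's own code.  Certificates are CONSTRUCTED blobs."""
import hashlib
from dataclasses import dataclass
from typing import List


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (definite length, body < 64 KiB)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int):
    """Return (tag, body_start, body_end) of the TLV beginning at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo of an X.509 certificate (what TLSA selector 1 hashes).
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, tbs_start, _ = der_read(cert_der, 0)          # outer Certificate SEQUENCE
    _, pos, tbs_end = der_read(cert_der, tbs_start)  # tbsCertificate
    tag, _, end = der_read(cert_der, pos)
    if tag == 0xA0:                                  # explicit [0] version is optional
        pos = end
    for _ in range(5):                               # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(cert_der, pos)
    tag, _, end = der_read(cert_der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("malformed certificate: no SubjectPublicKeyInfo")
    return cert_der[pos:end]


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes

    @classmethod
    def parse(cls, presentation: str) -> "TLSA":
        """Parse zone-file form '3 1 1 <hex>' (hex may be split across whitespace)."""
        u, s, m, *hexparts = presentation.split()
        return cls(int(u), int(s), int(m), bytes.fromhex("".join(hexparts)))

    def presentation(self) -> str:
        return f"{self.usage} {self.selector} {self.mtype} {self.data.hex()}"


def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Certificate Association Data of a cert for the given selector / matching type."""
    material = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return material
    if mtype in (1, 2):
        return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(material).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_from_cert(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> TLSA:
    """Receiver side: the record to publish at _25._tcp.<mx-host>.  '3 1 1' is the usual choice."""
    return TLSA(usage, selector, mtype, association_data(cert_der, selector, mtype))


def dane_decision(dnssec_status: str, records: List[TLSA], presented_cert_der: bytes) -> str:
    """Sender side.  dnssec_status is the validating resolver's verdict for the TLSA lookup:
    'secure', 'insecure' (zone unsigned) or 'bogus' (signatures failed).  The MX lookup must
    be 'secure' too; that check is assumed to have been done by the caller."""
    if dnssec_status == "bogus":
        return "abort: DNSSEC validation failed, possible tampering"
    if dnssec_status != "secure" or not records:
        return "no-dane: unsigned zone or no TLSA, fall back to opportunistic TLS"
    usable = [r for r in records if r.usage in (2, 3) and r.selector in (0, 1) and r.mtype in (0, 1, 2)]
    if not usable:
        # PKIX usages 0/1 are unusable for SMTP (RFC 7672); a TLSA RRset still signals that the
        # server does TLS, so the client uses TLS but cannot authenticate the peer via DANE.
        return "tls-unauthenticated: TLSA present but no usable records"
    if any(r.usage == 2 for r in usable):
        raise NotImplementedError("DANE-TA(2) needs chain verification; only DANE-EE(3) shown")
    for r in usable:
        if association_data(presented_cert_der, r.selector, r.mtype) == r.data:
            return f"deliver: DANE-EE match on selector {r.selector}"
    return "abort: presented certificate matches no TLSA record"


def constructed_cert(key_bytes: bytes) -> bytes:
    """CONSTRUCTED certificate-shaped DER: correct layout, empty names, fake key, no signature."""
    spki = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")))  # rsaEncryption
    spki += der_tlv(0x03, b"\x00" + key_bytes)                                 # fake BIT STRING key
    tbs = der_tlv(0x30, b"".join([
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),  # [0] version v3
        der_tlv(0x02, b"\x01"),                   # serialNumber
        der_tlv(0x30, b""), der_tlv(0x30, b""),   # signature AlgorithmIdentifier, issuer
        der_tlv(0x30, b""), der_tlv(0x30, b""),   # validity, subject
        der_tlv(0x30, spki),                      # subjectPublicKeyInfo
    ]))
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))


if __name__ == "__main__":
    mx_cert, mitm_cert = constructed_cert(b"legitimate-mx-key"), constructed_cert(b"attacker-key")
    record = tlsa_from_cert(mx_cert)
    print(f"_25._tcp.mx.example.com. IN TLSA {record.presentation()}")
    for status, cert in (("secure", mx_cert), ("secure", mitm_cert), ("bogus", mx_cert), ("insecure", mx_cert)):
        print(status, "->", dane_decision(status, [record], cert))
```

Two design points worth noting. Selector 1 (public key) is preferred over selector 0 because the record survives a certificate renewal that keeps the same key, so only a key rollover forces a TLSA change. And a "bogus" DNSSEC verdict is treated differently from "insecure": an unsigned zone simply has no DANE, while a signed zone whose records fail validation is exactly the tampering DANE exists to catch, so the sender must not deliver.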
Conclusion
DANE takes more care to operate than MTA-STS: the domain's zone must be DNSSEC-signed, the sending side needs a validating resolver, and every certificate or key rollover must be coordinated with the TLSA records (publish the record for the new key, wait out the old record's TTL, then switch the server) or delivery from DANE-enforcing senders fails. In return it is the only widely deployed mechanism that binds an MX host's certificate to the domain itself, with no certificate authority in the loop, and that an attacker on the network path cannot strip, provided the sender validates DNSSEC. Keep its scope in mind: DANE authenticates the transport to your MX and says nothing about who wrote the message, which remains the job of SPF, DKIM and DMARC.