DANE/TLSA Record Checker

Query the TLSA records published by a domain's mail servers (MX hosts) against multiple public DNS resolvers to check whether DANE certificate pinning is configured.

Tips

  • TLSA records don't live under the plain domain name — they're published under a special name, `_25._tcp.{mx host}`. That's why looking up TLSA on the bare domain never finds anything.
  • "DANE not configured" is not an error. DANE is an additional layer of mail encryption defense, and most mail servers still don't use it.
  • DANE is only trustworthy if the domain's TLSA record itself is protected by a DNSSEC signature chain. Even if a TLSA record is found, pair this with the sister "DNSSEC Checker" tool to confirm the domain has DNSSEC enabled.
  • When a domain has multiple MX hosts, this tool checks up to 3 hosts, starting with the lowest preference number (highest priority).
  • If resolvers disagree, the record may have just been updated and caches haven't caught up yet. Wait a while and check again.

Frequently Asked Questions

"DANE not configured" by itself is not dangerous — the large majority of mail servers still operate without it. That said, enabling it is worth considering as a defense against STARTTLS man-in-the-middle attacks if you have the option.

Both aim to enforce TLS encryption for mail transport, but they root their trust differently: MTA-STS relies on a certificate authority's validation chain, while DANE relies on the DNSSEC signature chain. If you already have DNSSEC enabled, DANE is a natural fit; otherwise, MTA-STS is the more practical starting point. The two can also be used together.

Usage specifies the validation model (whether CA validation is still required, or the certificate itself is pinned directly), Selector specifies whether the full certificate or just its public key is hashed, and Matching Type specifies the hash algorithm (such as SHA-256 or SHA-512). Different combinations support different operational patterns.

For complete protection, every MX host that might be chosen as a delivery target should have a TLSA record. If only some hosts have one, mail delivered to a host without a record isn't protected.

This tool only checks a surface-level state: whether a TLSA record is published. It doesn't verify that the certificate association data actually matches the server's real certificate, so pair it with a specialized tool if you need a rigorous check.
ツールくん

Side Note — Protecting mail encryption with certificates, not just "don't eavesdrop"

Email encryption over SMTP (STARTTLS) has long had a weakness. Most mail servers use opportunistic TLS — falling back to plaintext if the other side doesn't support encryption — which opened the door to "STRIPTLS attacks," where a man-in-the-middle attacker silently strips the STARTTLS command so the connection downgrades to plaintext without either side noticing.

DANE (DNS-based Authentication of Named Entities, RFC 6698) answers this by publishing TLSA records in DNS. By pinning a mail server's certificate (or its public key hash) in DNS ahead of time, a sending server can verify that the host it connects to is actually presenting the expected certificate. Unlike ordinary SSL/TLS certificate validation, DANE doesn't rely on a certificate authority's trust chain at all — it trusts only the DNSSEC signature chain.

DANE's weakness is that it only works if the domain itself is signed with DNSSEC. Without DNSSEC, nothing prevents the TLSA record from being tampered with in transit, which makes DANE's guarantee meaningless. That's why DANE adoption tracks DNSSEC adoption closely, and it has seen earlier uptake among some European registries (such as .nl and .cz).