Free DANE/DNSSEC Checker

Check if your domain supports DANE (DNS-Based Authentication of Named Entities) and DNSSEC. Verify readiness for Microsoft Exchange Online's July 2026 DANE requirement.

What is DANE?

DANE (DNS-Based Authentication of Named Entities) uses DNSSEC-signed TLSA records to bind TLS certificates to DNS names. For email, DANE ensures that SMTP connections are encrypted with the correct certificate, preventing man-in-the-middle attacks and downgrade attacks.

Why does it matter?

Microsoft is making SMTP DANE with DNSSEC mandatory for Exchange Online starting July 2026. Domains that don't support DANE may experience delivery issues to Outlook, Hotmail, and Microsoft 365 recipients.

How this check works

This tool queries DNSSEC status by checking for DNSKEY and DS records with the DNSSEC OK (DO) flag set, then resolves MX records and queries TLSA records at _25._tcp.{mx-host} for each MX target. DNSSEC validation uses the Authenticated Data (AD) flag from a validating resolver. TLSA records are parsed for usage, selector, and matching type fields per RFC 6698.

Limitations: This check uses a single validating resolver path (Google Public DNS). Production DANE verification should use multiple independent resolvers plus direct authoritative queries. This tool does not connect to SMTP servers or verify that STARTTLS is advertised or that certificates match published TLSA records. For full STARTTLS + certificate + TLSA match verification, use the SpoofSentry dashboard.

DANE Requirements

  • DNSSEC: Your domain must have a valid DNSSEC chain (DS + DNSKEY records)
  • TLSA Records: After DNSSEC is validated, publish TLSA records for each MX host (e.g., _25._tcp.mx.example.com). Run readiness checks before publishing to avoid misconfiguration.
  • Certificate Pinning: TLSA records pin certificates to prevent impersonation
  • Recommended: Usage type 3 (DANE-EE), Selector 1 (SPKI), Matching type 1 (SHA-256)
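
The TLSA field parsing described under "How this check works" and the recommended 3 1 1 profile above can be sanity-checked offline before publishing. The following is an added example, not SpoofSentry's code: the function names are hypothetical, the sample bytes are constructed placeholders rather than a real key, and the caller is assumed to supply the DER bytes the selector picks (full certificate or SPKI).

```python
import hashlib
import hmac

USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING = {0: "Full", 1: "SHA-256", 2: "SHA-512"}
HASHES = {1: hashlib.sha256, 2: hashlib.sha512}  # matching type -> digest


def tlsa_qname(mx_host, port=25):
    """Owner name of the TLSA RRset for an MX target, e.g. _25._tcp.mx.example.com."""
    return f"_{port}._tcp.{mx_host.rstrip('.').lower()}"


def parse_tlsa(rdata):
    """Parse presentation-format RDATA 'usage selector mtype hex' and list problems."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("expected: usage selector matching-type hex-data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    data = bytes.fromhex("".join(parts[3:]))  # zone files may split the hex
    problems = []
    if usage not in USAGES:
        problems.append(f"unknown usage {usage}")
    elif usage in (0, 1):
        problems.append(f"usage {usage} ({USAGES[usage]}) should not be published for SMTP (RFC 7672)")
    if selector not in SELECTORS:
        problems.append(f"unknown selector {selector}")
    if mtype not in MATCHING:
        problems.append(f"unknown matching type {mtype}")
    elif mtype in HASHES and len(data) != HASHES[mtype]().digest_size:
        problems.append(f"{MATCHING[mtype]} data is {len(data)} bytes, expected {HASHES[mtype]().digest_size}")
    return {"usage": usage, "selector": selector, "mtype": mtype, "data": data,
            "recommended": (usage, selector, mtype) == (3, 1, 1), "problems": problems}


def matches(record, selected_der):
    """Compare a record with the DER bytes its selector picks (cert or SPKI)."""
    h = HASHES.get(record["mtype"])
    candidate = h(selected_der).digest() if h else selected_der  # type 0: exact bytes
    return hmac.compare_digest(candidate, record["data"])


# Constructed sample: placeholder bytes standing in for a server's SPKI DER.
SAMPLE_SPKI = b"constructed-spki-der-bytes"
SAMPLE_RDATA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()

if __name__ == "__main__":
    print(tlsa_qname("mx.example.com"), parse_tlsa(SAMPLE_RDATA)["problems"])
```

A record that parses cleanly here still needs the DNSSEC chain and the live STARTTLS certificate checked, as the limitations above note.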