SpoofSentrySpoofSentry
Start Free Trial

Free DANE/DNSSEC Checker

Check if your domain supports DANE (DNS-Based Authentication of Named Entities) and DNSSEC. Verify readiness for Microsoft Exchange Online's July 2026 DANE requirement.

What is DANE?

DANE (DNS-Based Authentication of Named Entities) uses DNSSEC-signed TLSA records to bind TLS certificates to DNS names. For email, DANE ensures that SMTP connections are encrypted with the correct certificate, preventing man-in-the-middle attacks and downgrade attacks.

Why does it matter?

Microsoft is making SMTP DANE with DNSSEC mandatory for Exchange Online starting July 2026. Domains that don't support DANE may experience delivery issues to Outlook, Hotmail, and Microsoft 365 recipients.

DANE Requirements

  • DNSSEC: Your domain must have a valid DNSSEC chain (DS + DNSKEY records)
  • TLSA Records: Publish TLSA records for each MX host (e.g., _25._tcp.mx.example.com)
  • Certificate Pinning: TLSA records pin certificates to prevent impersonation
  • Recommended: Usage type 3 (DANE-EE), Selector 1 (SPKI), Matching type 1 (SHA-256)
Free DANE/DNSSEC Checker - TLSA Record Validator | SpoofSentry