How does DANE authenticate SMTP connections?

When Server A connects to Server B, Server A:

fetches the TLSA record via DNSSEC

receives the certificate from Server B during TLS negotiation

compares the certificate to the TLSA record

If the certificate matches the TLSA rule, the connection is trusted.

This removes reliance on traditional certificate authorities.