What is DANE and how does it relate to MTA-STS?

DANE (DNS-based Authentication of Named Entities) and MTA-STS (Mail Transfer Agent Strict Transport Security) both address TLS downgrade attacks on SMTP, where an attacker on the path tricks the sending server into falling back to an unencrypted connection.

DANE:

Publishes TLS certificate information in DNS (TLSA records)

Requires DNSSEC for secure DNS lookups

The receiving server's certificate must match the published TLSA record

Prevents man-in-the-middle attacks by verifying the certificate against the DNS record rather than relying on the CA alone

Adoption limited by DNSSEC requirements

MTA-STS:

Publishes TLS policy via HTTPS at a well-known URL

Policy specifies MX hosts and requires TLS

Doesn't require DNSSEC (relies on the HTTPS/CA trust model instead)

Includes reporting mechanism (SMTP TLS Reporting)

Easier deployment but different security model

Key differences:

DANE requires DNSSEC (not universally deployed); MTA-STS uses HTTPS (widely available)

DANE verifies specific certificates; MTA-STS requires valid CA-signed certificates

Both prevent downgrade to plaintext

Both prevent certificate impersonation (different mechanisms)

Both are valuable security improvements. MTA-STS has seen broader adoption due to easier deployment. Major providers like Gmail support both. If you manage your own mail servers, implementing either (or both) strengthens security.
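To make the two verification steps described above concrete, here is an added example (not from the original page) that parses a constructed MTA-STS policy, decides whether delivery to a given MX host is permitted in enforce mode, and checks a certificate against a TLSA record. The domain names, policy text and certificate bytes are all constructed for illustration.

```python
import hashlib

# Constructed MTA-STS policy, as it would be fetched from
# https://mta-sts.example.com/.well-known/mta-sts.txt (hypothetical domain).
POLICY_TEXT = (
    "version: STSv1\nmode: enforce\nmx: mail.example.com\n"
    "mx: *.backup.example.net\nmax_age: 604800\n"
)

def parse_mta_sts_policy(text):
    """Parse the key/value policy format; the 'mx' key may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def mx_allowed(policy, mx_host):
    """True if the MX host matches an entry exactly or a '*.' wildcard (one label)."""
    mx_host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            parent = pattern[2:]
            one_label = mx_host.count(".") == parent.count(".") + 1
            if mx_host.endswith("." + parent) and one_label:
                return True
        elif mx_host == pattern:
            return True
    return False

def may_deliver(policy, mx_host, tls_validated):
    """In enforce mode, deliver only to a listed MX over validated TLS.
    In 'testing' or 'none' mode the policy only reports and never blocks."""
    if policy.get("mode") != "enforce":
        return True
    return mx_allowed(policy, mx_host) and tls_validated

# Constructed certificate bytes standing in for the server's DER certificate,
# and a TLSA record (usage 3 DANE-EE, selector 0 full cert, matching type 1 SHA-256).
CERT_DER = b"constructed-certificate-der-bytes"
TLSA_RECORD = (3, 0, 1, hashlib.sha256(CERT_DER).digest())

def tlsa_matches(cert_der, tlsa_record):
    """Compare the presented certificate with the TLSA association data (selector 0 only)."""
    _usage, selector, matching_type, data = tlsa_record
    if selector != 0:
        return False
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}.get(matching_type)
    return digest is not None and digest(cert_der) == data
```

A real DANE client would first confirm the TLSA lookup was DNSSEC-validated; without that, the record itself could be forged.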