STARTTLS and DANE for outgoing mail mandatory for government organisations

DANE validation added to 'use-or-explain' list

At the end of 2018, the validation of DANE for outgoing mail was  added to the Forum for Standardisation's 'use-or-explain' list. Addition to the list means that government and quasi-government organisations are more or less obliged to implement the standards.Together, TLS, StartTLS and DANE provide for a secure — i.e. cryptographically protected — connection for the transmission of e-mail messages. The three standards build on the existing infrastructure for DNSSEC, which has been on the 'use-or-explain' list for quite some time.

Pinning TLS certificates

Many SMTP servers (MX gateways) already offer the option of enabling TLS, the same form of security as used in HTTPS for the web. Delivering mail systems can then use the StartTLS command to upgrade their TCP connections to TLS. Unfortunately, clients are not obliged to cooperate, and a man-in-the-middle can easily hide a server's StartTLS capability from a client (a 'downgrade attack'). Consequently, StartTLS is not a complete solution.

However, if the mail service's TLS certificate is pinned in a DNSSEC-secured TLSA record (on TCP port 25, by means of a hash), a client can be sure that the server in question supports TLS.

Support for DANE validation

A lot of MTA software can now be configured to go through a DANE validation procedure before delivering mail to an MX gateway. Programs that support DANE validation include:

Use increasing rapidly

STARTTLS and DANE for incoming mail were added to the 'use-or-explain' list back in 2015. However, mandatory DANE validation wasn't introduced at the same time because not enough software supported the technology.

Now the use of DANE for mail is increasing rapidly [1, 2]. According to SIDN Labs' TLSA statistics, cryptographic anchoring of TLS certificates on MX gateways in the .nl zone has roughly doubled in the last six months. The implementation of DANE by, which manages a considerable number of .nl domains, has been an important contributor to that trend. TransIP configured DANE for its domains some time ago.

More recently, the registry for Sweden's .se country-code domain introduced a financial incentive scheme to promote the use of DANE. We may well consider following suit in due course. Our experience with DNSSEC (signing) shows that incentivisation can be very effective in promoting adoption. Details of SIDN's current incentive schemes for registrars are given in section 7 of our earlier IPv6 inventory.



  • Monday 17 December 2018


    IDnext and SIDN intensify collaboration


    Joint IDnext event will promote innovation in the field of digital identification

    Read more
  • Monday 15 April 2019


    IGF Guadalajara: first in a new series of Internet Governance Forums


    It's a little like the Dutch 'polder model'

    Read more
  • Thursday 29 November 2018

    Internet security

    Why would you share more data than you need to?


    Privacy by Design and SIDN join forces

    Read more


Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.