STARTTLS and DANE for outgoing mail mandatory for government organisations

At the end of 2018, the validation of DANE for outgoing mail was  added to the Forum for Standardisation's 'use-or-explain' list. Addition to the list means that government and quasi-government organisations are more or less obliged to implement the standards.Together, TLS, StartTLS and DANE provide for a secure — i.e. cryptographically protected — connection for the transmission of e-mail messages. The three standards build on the existing infrastructure for DNSSEC, which has been on the 'use-or-explain' list for quite some time.

Pinning TLS certificates

Many SMTP servers (MX gateways) already offer the option of enabling TLS, the same form of security as used in HTTPS for the web. Delivering mail systems can then use the StartTLS command to upgrade their TCP connections to TLS. Unfortunately, clients are not obliged to cooperate, and a man-in-the-middle can easily hide a server's StartTLS capability from a client (a 'downgrade attack'). Consequently, StartTLS is not a complete solution.

However, if the mail service's TLS certificate is pinned in a DNSSEC-secured TLSA record (on TCP port 25, by means of a hash), a client can be sure that the server in question supports TLS.

Support for DANE validation

A lot of MTA software can now be configured to go through a DANE validation procedure before delivering mail to an MX gateway. Programs that support DANE validation include:

Use increasing rapidly

STARTTLS and DANE for incoming mail were added to the 'use-or-explain' list back in 2015. However, mandatory DANE validation wasn't introduced at the same time because not enough software supported the technology.

Now the use of DANE for mail is increasing rapidly [1, 2]. According to SIDN Labs' TLSA statistics, cryptographic anchoring of TLS certificates on MX gateways in the .nl zone has roughly doubled in the last six months. The implementation of DANE by, which manages a considerable number of .nl domains, has been an important contributor to that trend. TransIP configured DANE for its domains some time ago.

More recently, the registry for Sweden's .se country-code domain introduced a financial incentive scheme to promote the use of DANE. We may well consider following suit in due course. Our experience with DNSSEC (signing) shows that incentivisation can be very effective in promoting adoption. Details of SIDN's current incentive schemes for registrars are given in section 7 of our earlier IPv6 inventory.



  • Tuesday 19 September 2017

    About SIDN

    Jaap Akkerhuis admitted to Internet Hall of Fame


    Fourth Dutch person joins roll of celebrated internet pioneers

    Read more
  • Thursday 9 November 2017

    About SIDN

    Come to the ECP Annual Congress!


    Working together to build the digital society

    Read more
  • Tuesday 31 October 2017

    Internet security

    Number of phishing sites linked to top Dutch brands up more than 40 per cent


    SIDN research shows that phishing is a problem for all top brands

    Read more


Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.