STARTTLS and DANE for outgoing mail mandatory for government organisations

At the end of 2018, the validation of DANE for outgoing mail was  added to the Forum for Standardisation's 'use-or-explain' list. Addition to the list means that government and quasi-government organisations are more or less obliged to implement the standards.Together, TLS, StartTLS and DANE provide for a secure — i.e. cryptographically protected — connection for the transmission of e-mail messages. The three standards build on the existing infrastructure for DNSSEC, which has been on the 'use-or-explain' list for quite some time.

Pinning TLS certificates

Many SMTP servers (MX gateways) already offer the option of enabling TLS, the same form of security as used in HTTPS for the web. Delivering mail systems can then use the StartTLS command to upgrade their TCP connections to TLS. Unfortunately, clients are not obliged to cooperate, and a man-in-the-middle can easily hide a server's StartTLS capability from a client (a 'downgrade attack'). Consequently, StartTLS is not a complete solution.

However, if the mail service's TLS certificate is pinned in a DNSSEC-secured TLSA record (on TCP port 25, by means of a hash), a client can be sure that the server in question supports TLS.

Support for DANE validation

A lot of MTA software can now be configured to go through a DANE validation procedure before delivering mail to an MX gateway. Programs that support DANE validation include:

Use increasing rapidly

STARTTLS and DANE for incoming mail were added to the 'use-or-explain' list back in 2015. However, mandatory DANE validation wasn't introduced at the same time because not enough software supported the technology.

Now the use of DANE for mail is increasing rapidly [1, 2]. According to SIDN Labs' TLSA statistics, cryptographic anchoring of TLS certificates on MX gateways in the .nl zone has roughly doubled in the last six months. The implementation of DANE by, which manages a considerable number of .nl domains, has been an important contributor to that trend. TransIP configured DANE for its domains some time ago.

More recently, the registry for Sweden's .se country-code domain introduced a financial incentive scheme to promote the use of DANE. We may well consider following suit in due course. Our experience with DNSSEC (signing) shows that incentivisation can be very effective in promoting adoption. Details of SIDN's current incentive schemes for registrars are given in section 7 of our earlier IPv6 inventory.



  • Wednesday 4 September 2019

    .nl domain name

    Knowing about online brand use is vital for large organisations


    Cybercrime corrosive for online brand reputation

    Read more
  • Friday 18 January 2019

    About SIDN

    IRMA wins Internet Innovation Award 2019


    Praise for OpenINTEL as well

    Read more
  • Monday 14 January 2019

    About SIDN

    Hundredth municipal authority reachable using IPv6


    Still a long way to go

    Read more


Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.