Feature Request: DANE/TLSA support for SmarterMail
Idea shared by Falk Brockerhoff - 1/26/2015 at 8:43 AM
Under Consideration
Hi,
 
are there any plans to support DANE/TLSA (https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) in the future?
 
Regards,
 
Falk
Absolutely interesting point!!!
 
Any plan to support this?
Any news on this?
Two big German mail providers implemented DANE, and normally the big ones are much slower than the mid-sized companies with new features. But we can't offer it to our customers because of the lack of support by SmarterMail :-(

http://www.heise.de/netze/meldung/Kehrtwende-bei-Mail-Sicherheit-Web-de-und-GMX-fuehren-DANE-ein-2782473.html
Employee Replied
Employee Post
Falk, I have added this to our features request list for further discussion by the development team.
Thanks for changing the status of this to "Under Consideration," Robert!

The addition of DANE/TLSA support to SmarterMail will only enhance the overall security of SmarterMail.
 
It will also help to ensure that SmarterMail is compliant with recent rulings by the US Courts regarding the issues of data security, and, specifically, with the ruling by the Third Circuit US Court of Appeals, on Monday, 24 August, which effectively puts the protection of user, financial, and patient data under the guise of the businesses who collect, process, and store that data.

Last Monday's ruling gives the Federal Trade Commission (FTC) the authority to play a key cybersecurity regulatory role as it relates to the protection of consumer data against breaches.
 
While the ruling specifically allows an FTC case against Wyndham Worldwide Corporation to move forward (the FTC claims Wyndham failed to uphold its responsibility to its guests because of data breaches which occurred in 2008 and 2009), the bigger interpretation, as seen by the legal community, is that this ruling reaffirms the right of the FTC to oversee, and, as necessary, fine companies who do business in the United States for cybersecurity mishaps which result in the compromise of payment or personal information.
 
Cybersecurity attorney Chris Pierson stated that, based on the court's decision, "it is even clearer that the FTC is the leading agency in the US for data breach matters."
 
"Challenging the FTC's authority to regulate unfair/deceptive acts and practices is unlikely to be fruitful in court.  The Wyndham case is a seminal case for the FTC for the proposition that the FTC has the power and ability to oversee cybersecurity breach issues as the nation's default regulator."
 
The appellate court's decision should serve as a warning that companies of all kinds need to take data security more seriously, and that providers of cyber services (web hosting, e-mail hosting, cloud-based services, etc.) must now be keenly aware of the security of every aspect of their offerings.

For more information, see: 

 
 
 
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
I was wondering if there is any news on this topic. As Cloudmark will include support for DANE/TLSA, this will be a huge argument for the implementation in SmarterMail: blog.cloudmark.com/2017/03/27/dane-and-email-security/
This is something I'm also interested in,  any updates would be much appreciated 
Tim Uzzanti Replied
Employee Post
To be honest, we lost this thread years ago.  This is something we are interested in doing and is now on our list.
Tim Uzzanti
CEO
SmarterTools Inc.
Is there any news about DANE/TLSA support?
SSL/TLS checkers show this more and more as a missing option.

Hi,

I would also like to know if there has been any progress with support for DANE/TLSA.
I have raised a support request but would also like to know if anyone else is interested. Please shout out if you are.

Thanks
Why not?
We are receiving client requests for implementing DANE/TLSA, can we have an update on where this feature is currently located (consideration, plan, etc.)?

Thank you!

It's not about the server but the domain itself in your DNS control panel.
Since SmarterMail already manages SSL certificates automatically via Let’s Encrypt (stored as .pfx), it would be extremely beneficial if the platform could also generate and expose the corresponding TLSA (DANE) record, similar to how DKIM is currently handled.

Suggested approach
A new section could be added in the domain or SSL settings:

  • Automatically compute the TLSA hash (ideally 3 1 1 – SPKI SHA-256)
  • Display the DNS record (like DKIM does)
  • Optionally support: Multiple ports (25, 587, 465)
Key advantage
Automatic update of the TLSA record whenever the SSL certificate is renewed

The TLSA record is stored in your DNS control panel, NOT on the SmarterMail server.

DKIM is generated on the server itself. It's two different things... and not related.
This is NOT any sort of SmarterMail issue.

Has nothing to do with SmarterMail.

Just because SmarterMail has the feature of being able to automatically renew FREE certificates does not equal needing to update DNS records of a domain.

Hi,

Just to clarify my previous message — I am not asking for SmarterMail to modify or manage DNS zones in any way.

SmarterMail already provides a good example of this approach with DKIM: it generates the required DNS record, and the administrator is responsible for adding it to their DNS zone.

What I am suggesting is a similar mechanism for DANE/TLSA:

  • SmarterMail could automatically compute the appropriate TLSA value (hex)
  • Then simply display it in the interface
  • The administrator would manually add it to their DNS provider

Currently, we generate this value manually using PowerShell based on the certificate file, for example:

# Load the certificate from its file (path and password below are placeholders for your own values)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList 'C:\path\to\cert.pfx', 'pfx-password'
$sha256 = [System.Security.Cryptography.SHA256]::Create()
# RawData is the full DER-encoded certificate, which is what selector 0 ("3 0 1") hashes
$hash = $sha256.ComputeHash($cert.RawData)
$hashHex = ($hash | ForEach-Object { $_.ToString("x2") }) -join ""
Write-Host "_25._tcp.mail.domain.com IN TLSA 3 0 1 $hashHex"

This process works well, but it could easily be integrated directly into SmarterMail, especially since the platform already manages the SSL certificates.

To be clear:

The goal is only to generate and display the TLSA record, not to manage or update DNS zones.

This would significantly simplify DANE adoption while keeping full control of DNS in the administrator’s hands.

Larry Duran Replied
Employee Post
So that everyone is aware, this is already a feature request on our product roadmap. Thanks for bringing it to our attention for review.

I agree with those who say SmarterMail is not intended to manage DNS entries, but I also agree that SmarterMail could generate the DANE hash for DNS records.

At a minimum, SmarterMail should add support for sending to DANE-enabled mail servers. It also seems feasible to add DNS hash generation to our product (similar to DKIM).

Out of curiosity, for those using DANE, how do you manage the time gap between generating new certificates and updating DNS records? You need the certificate to generate the new hash, but you also need the hash in DNS for other servers to honor the DANE RFC. It seems there could be a period during which your server cannot receive email until DNS is updated. That would be particularly difficult to manage with automatic certificates.
Larry Duran
Product Manager 
SmarterTools Inc.
www.smartertools.com 
Just to clarify my previous message — I am not asking for SmarterMail to modify or manage DNS zones in any way.

Thank you for clarifying.
Out of curiosity, for those using DANE, how do you manage the time gap between generating new certificates and updating DNS records? You need the certificate to generate the new hash, but you also need the hash in DNS for other servers to honor the DANE RFC. It seems there could be a period during which your server cannot receive email until DNS is updated. That would be particularly difficult to manage with automatic certificates.

That is a very critical point, when companies/people use automated renewals/replacements. 

It leads to a much larger discussion about certificate life spans and dealing with all of the associated consequences, known, unintended or otherwise. 

The whole premise being forced down our throats about short validity times for certificates was forecasted years ago when companies such as Let's Encrypt started offering free certificates. That single fact changed forever the usefulness of certificates. It "cheapened" their worth, and now we are paying the price for new protocols and rules and such in an effort to overcome the stupidity of allowing free certificates.

In security, and email administration, the easier or cheaper something is up front, the more costly it will be down the road. 
Yeah a total waste of time.
I know that Google thinks that fake certificates are a huge problem, but I have never encountered that problem and am having difficulty understanding it. What problem does DNSSEC + DANE/TLSA solve that is not solved by DNSSEC alone?

The sequence:
  • User triggers a connection to www.example.com 
  • System resolves www.example.com to an IP address verified by DNSSEC
  • User reaches www.example.com and the browser verifies that the certificate names include the requested name www.example.com.
How does a fake certificate get used?
  • One way would be to get the browser connected to a fake www.example.com without using DNS, but I do not know how to do that.   
  • Alternatively, you get the right IP address but a malicious NAT translator intercepts your traffic and redirects you to a different IP address which has been configured with the fake certificate.  So DANE helps you detect that your entire infrastructure needs to be disconnected from the Internet because of the malicious NAT translator.   
Now, assuming that DANE solves an important problem, how does it apply to the SmarterMail product?
  • Inbound Traffic:
    • For organizations that want to enforce DANE/TLSA, SmarterMail needs to be configured with a DANE-compliant certificate for those organizations.   This is not necessarily a SmarterMail task, but since they provide features for certificate automation, they may be able to help.
    • Client software is responsible for detecting DANE/TLSA settings and refusing connections if the verification test fails.   SmarterTools does not build any email client tools, so it has no tasking here.
  • Outbound Traffic:
    • SmarterMail could detect an outbound SMTP session that attempts STARTTLS but receives a certificate that fails the DANE/TLSA verification test. Then what?
    • What do we have to assume has happened for the SMTP session to reach a server with a fake certificate?
    • If we do get connected to the wrong server, the server owner has the option of not offering STARTTLS, or offering a self-signed certificate.   How does a fake certificate help them?
    • Assuming that DANE/TLSA exposes a fraudulent site, what do you want SmarterMail to do? It will probably retry until the certificate is replaced or the retry limit has been reached after N days and the user receives a belated non-delivery notice. I suggest that if you are going to detect a malicious site at all, you need to have an alarming system that draws attention much more quickly than 2 days or more. Additionally, the alarm needs to go to a system administrator, not the user.
  • Exception Management:
    • What happens when a critical correspondent has a misconfigured DANE/TLSA environment and your connections get blocked because of their mistake? All of my experience with DNSSEC is bad, because all of my security blocks have been false positives. The worst example was when the U.S. Centers for Disease Control messed up their DNSSEC settings and took 6 weeks to get it fixed. Fortunately, we had a way to reroute web traffic through a path that did not enforce DNSSEC, so we could still access their servers.
If you want DANE enforced on outbound traffic, I think you want it enforced by a dedicated outbound gateway product, and I don't think that product should be SmarterMail Free edition.

Note that DANE protection will break down if an MX record or an AutoDiscover record points traffic from a DNSSEC-enabled domain to a DNSSEC-disabled domain.
Andrew Barker Replied
Employee Post
I agree with most of what Douglas said, but I disagree on DANE's utility. DNSSEC is intended to help ensure that the DNS record is reliable, but it does not guarantee that the server you are talking to is the one referenced by the DNS record. It is possible to get a valid certificate from a compromised CA or using some other services. A significant example of this is the DigiNotar breach in 2011 where the Dutch CA was compromised and over 500 fraudulent certificates were issued for domains including Google, Yahoo, Facebook, and more. These certificates allowed the attackers to perform MITM attacks. In situations like that, DANE would minimize the impact of the breach since the fraudulent certificates would not match the TLSA records. Further, because the TLSA record basically indicates how to determine if the certificate is valid, it opens up the possibility of using a private CA, at least in theory.

At this point, we don't see any benefit in making changes to SmarterMail to support DANE for inbound traffic. Basically, SmarterMail's only role in DANE for inbound traffic should be serving the correct certificate. Using certificates automatically generated by SmarterMail for DANE would guarantee situations where the TLSA record is out of sync since the newly generated cert is put into use immediately and the TLSA record would only be updated later. A better approach would be to follow the recommendation of RFC 6698 in appendix A.4: generate the certs outside of SmarterMail and make sure the new TLSA record is properly propagated, then upload the new cert to SmarterMail. Since you can have multiple TLSA records, this leaves the old record and certificate in use while the new record propagates, preventing any gaps when switching to the new certificate.

As for outbound traffic, the major complication is determining how to handle a DANE failure. Failing the delivery immediately seems like it might be too aggressive, in case the remote server is having issues with a rollover, but waiting through all the configured retry intervals might be a little long. Notifying a system or domain admin might be helpful to encourage them to reach out to the remote administrator, but could be overwhelming if the failing domain is a regular recipient of messages from the server. Bounce DSNs are probably important so the sender knows why the message wasn't delivered, though the explanation might be a bit too technical for most users.

With all that said, what kind of behavior would you expect in the case of a server failing DANE during an outbound delivery?

Andrew Barker
Lead Software Developer
SmarterTools Inc.
www.smartertools.com 
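Added example (editor's code, not SmarterMail's and not posted by anyone in this thread) illustrating the two points Larry and Andrew discuss above: how the TLSA association data is derived from a certificate (full certificate for selector 0, as in the PowerShell snippet earlier in the thread; SubjectPublicKeyInfo for selector 1), how a sending MTA would check a presented certificate against DANE-EE (usage 3) records, and why publishing the old and new records side by side (RFC 6698 appendix A.4) closes the rollover gap. To run offline without an X.509 library it carries a tiny DER encoder/decoder and builds two toy certificates with the real X.509 field order; those certificates, their keys, serials and the owner name are constructed for the example and carry no valid signature.

```python
"""TLSA record generation and DANE-EE verification over DER certificates.

Added example, not SmarterMail code. The certificates below are constructed
toys (correct X.509 v3 field order, placeholder signature) so that the DER
walker can be exercised without any external library.
"""
import hashlib

OID_RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")
OID_SHA256_WITH_RSA = bytes.fromhex("06092a864886f70d01010b")


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; lengths up to 65535 bytes are enough here."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, content, end_offset, whole_tlv)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start, end = pos + hdr, pos + hdr + n
    return tag, buf[start:end], end, buf[pos:end]


def der_children(tlv: bytes):
    """Return [(tag, whole_tlv)] for every element of a constructed TLV."""
    _, content, _, _ = der_read(tlv)
    out, pos = [], 0
    while pos < len(content):
        tag, _, pos, raw = der_read(content, pos)
        out.append((tag, raw))
    return out


def toy_spki(public_key: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }."""
    alg = der(0x30, OID_RSA_ENCRYPTION + b"\x05\x00")
    return der(0x30, alg + der(0x03, b"\x00" + public_key))


def toy_certificate(spki: bytes, serial: int) -> bytes:
    """Constructed certificate with RFC 5280 field order; signature is a placeholder."""
    sig_alg = der(0x30, OID_SHA256_WITH_RSA + b"\x05\x00")
    empty_name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))       # [0] EXPLICIT version v3
                   + der(0x02, bytes([serial]))         # serialNumber (small, toy)
                   + sig_alg + empty_name + validity + empty_name
                   + spki)                              # subjectPublicKeyInfo
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\xaa" * 32))


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV (what selector 1 hashes)."""
    tbs = der_children(cert_der)[0][1]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:          # version is OPTIONAL; skip it when present
        fields = fields[1:]
    return fields[5][1]               # serial, sigAlg, issuer, validity, subject, SPKI


def tlsa_data(cert_der: bytes, selector: int, matching: int) -> str:
    """Certificate association data as hex, per RFC 6698 selector/matching type."""
    blob = cert_der if selector == 0 else extract_spki(cert_der)
    if matching == 0:
        return blob.hex()
    if matching == 1:
        return hashlib.sha256(blob).hexdigest()
    if matching == 2:
        return hashlib.sha512(blob).hexdigest()
    raise ValueError("unknown matching type")


def tlsa_rr(owner: str, usage: int, selector: int, matching: int, cert_der: bytes) -> str:
    """Zone-file line, e.g. '_25._tcp.mail.example.com. IN TLSA 3 1 1 <hex>'."""
    return f"{owner} IN TLSA {usage} {selector} {matching} {tlsa_data(cert_der, selector, matching)}"


def dane_ee_verify(cert_der: bytes, records) -> bool:
    """True if any DANE-EE (usage 3) record matches the presented certificate.
    Usages 0-2 additionally need PKIX or chain validation and are skipped here."""
    return any(usage == 3 and tlsa_data(cert_der, sel, mt) == data.lower()
               for usage, sel, mt, data in records)


def rollover_demo():
    """The gap Larry asks about, and the A.4 fix: publish both records first."""
    old = toy_certificate(toy_spki(b"\x01" * 64), serial=1)
    new = toy_certificate(toy_spki(b"\x02" * 64), serial=2)
    rec = lambda c: (3, 1, 1, tlsa_data(c, 1, 1))
    return {
        "new cert, only old record published": dane_ee_verify(new, [rec(old)]),
        "new cert, both records published": dane_ee_verify(new, [rec(old), rec(new)]),
        "old cert, both records published": dane_ee_verify(old, [rec(old), rec(new)]),
    }


if __name__ == "__main__":
    cert = toy_certificate(toy_spki(b"\x01" * 64), serial=1)
    print(tlsa_rr("_25._tcp.mail.example.com.", 3, 1, 1, cert))
    for case, ok in rollover_demo().items():
        print(f"{case}: {'verified' if ok else 'DANE FAILURE'}")
```

With a real certificate, feed the bytes of `openssl x509 -in cert.pem -outform DER` to `tlsa_rr` instead of the toy builder; the parser only assumes the RFC 5280 field order. The rollover dictionary makes Andrew's point concrete: the first case is what an automatically renewed certificate produces when the record is updated afterwards, the other two are the state an A.4-style rollover stays in until the old record's TTL has expired and it can be withdrawn.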

Thanks Andrew. I knew there had to be a cause, because the short life cycle on certificates is all about Google's fear of fake certificates. I guess I am naïve about the risk of man-in-the-middle or malicious NAT attacks, because I expect the routing infrastructure to be safe. But since we have news reports about Chinese infiltration of US carrier networks, we should probably trust nothing.
