MTA-STS vs DANE: Email Transport Encryption Compared
MTA-STS and DANE both enforce TLS encryption for email in transit, preventing downgrade attacks on SMTP connections. They use different trust models and have different deployment requirements. This guide compares both protocols to help you choose the right approach for your email infrastructure.
Side-by-Side Comparison Table
| Feature | MTA-STS | DANE |
|---|---|---|
| Trust model | HTTPS/CA (WebPKI) | DNSSEC |
| Requires DNSSEC | No | Yes (mandatory) |
| Policy delivery | HTTPS endpoint + DNS TXT | TLSA DNS records |
| Certificate pinning | No (relies on CA validation) | Yes (pins certificate or key in DNS) |
| Deployment complexity | Low (HTTPS + DNS TXT) | High (requires DNSSEC chain) |
| Sender support | Google, Microsoft, others | Postfix, Exim, some providers |
MTA-STS: HTTPS-Based TLS Enforcement
MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) uses a combination of a DNS TXT record and an HTTPS-hosted policy file to tell sending servers that your domain requires TLS for email delivery. The sender fetches the policy over HTTPS, which provides authentication via the WebPKI certificate authority system.
MTA-STS is easier to deploy than DANE because it does not require DNSSEC. You only need a DNS TXT record at _mta-sts.yourdomain.com and a policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. Major providers like Google and Microsoft support MTA-STS on the sending side.
Verify your MTA-STS configuration with our free MTA-STS Checker.
DANE: DNSSEC-Based Certificate Pinning
DANE (DNS-Based Authentication of Named Entities, RFC 7672 for SMTP) publishes TLSA records in DNS that pin the expected certificate or public key for your mail server. Because these records are signed with DNSSEC, a sender that validates DNSSEC will detect any attempt to forge or strip them. This provides stronger security than MTA-STS since it does not rely on certificate authorities.
The main barrier to DANE adoption is the DNSSEC requirement. Your domain must have a complete DNSSEC chain of trust from the root zone to your TLSA records. Many DNS providers do not support DNSSEC or make it difficult to configure, which limits DANE deployment in practice.
Check your DANE records with our free DANE Checker.
Which Should You Choose?
- Choose MTA-STS if your DNS provider does not support DNSSEC, or if you want the easiest deployment path. It provides good protection and is supported by major senders.
- Choose DANE if your DNS provider supports DNSSEC and you want the strongest possible TLS enforcement with certificate pinning.
- Implement both for maximum coverage. DANE protects connections from DANE-aware senders, while MTA-STS covers senders that do not support DANE.
Test your overall TLS configuration with our TLS Checker.
Frequently Asked Questions
Should I implement MTA-STS or DANE?
If your DNS provider supports DNSSEC, implement DANE for the strongest security. If DNSSEC is not available, use MTA-STS as it works with standard DNS and is easier to deploy. Ideally, implement both for maximum compatibility and security.
Can MTA-STS and DANE be used together?
Yes. They are complementary protocols. DANE provides stronger cryptographic guarantees when DNSSEC is available, while MTA-STS provides protection for senders that do not support DANE. Major providers like Google support both.
What problem do MTA-STS and DANE solve?
Both solve the same problem: opportunistic TLS in SMTP can be downgraded by attackers. Without MTA-STS or DANE, a man-in-the-middle can strip the STARTTLS offer and force email to be sent in plaintext. Both protocols tell sending servers to require TLS encryption.