DANE

DNS-based Authentication of Named Entities (DANE) for SMTP addresses allows for a more secure method of mail transport. DANE allows SMTP servers to establish encrypted TLS connections without the disadvantages of STARTTLS.  DANE is used to ensure reliable encryption for email transport. For this to work as intended, DANE uses the secure version of the Domain Name System (DNSSEC) for retrieving information that is published by a domain name’s owner or administrator. As a result, this information enables SMTP servers to determine up front whether or not another SMTP server supports an encrypted connection while also providing the means of validating the authenticity of the other mail server’s certificate. Confidentiality of email is available to the masses.

TLS with DANE

Resources

Here are some good resources to help you learn more about DANE:

What is DANE?
What is DANE for SMTP?
How to Use DANE
Implementation Guides
DANE Statistics
DANE Support

To learn more about DANE and other email security protocols, check out the resource page from our DMARC Bootcamp – five weeks of free online technical training focused on what DMARC is and how to implement it, including the basics of SPF and DKIM and options of performing DKIM key generation and signing, as well as other email security protocols to better protect your organization. All sessions are recorded and available for anyone to view.

Bootcamp Resources

What Does DANE Protect Against

The Domain Name System (DNS) is a protocol used to translate an IP address to a name, similar to a phone book. It is easier to remember a domain name rather than the IP address of the server hosting a site or to which mail server to send an email. DNS is a vital part of communication over the Internet. However, just like many other protocols, DNS was not designed with security in mind.  

DNS Hijacking

One security issue is DNS hijacking attacks.  A DNS query is a request sent to a DNS server asking the IP address of a domain. This is how most communication on the Internet starts. Once the answer to the request is received, the requesting system can communicate directly with that domain. However, there is a possibility that the request can be redirected by a malicious actor to a rogue DNS server, thus leading to the requesting system accessing the malicious site.  

DNS Cache Poisoning

Another type of attack is called DNS cache poisoning, also known as DNS spoofing. This type of attack exploits vulnerabilities in the DNS to reroute Internet traffic away from legitimate servers towards fake servers. A DNS server can become poisoned if it contains an incorrect entry. If an attacker gets control of a DNS server they could change the information that shows to which IP address a website would point. For example, the attacker could change google.com from the legitimate domain to one containing a malicious phishing website.  

Use a Tool Donate Partner with Us

New York  |  London  |  Brussels

New York  |  London  |  Brussels

The Global Cyber Alliance is a nonprofit organization dedicated to making the Internet a safer place by reducing cyber risk. We build programs, tools, and partnerships to sustain a trustworthy Internet to enable social and economic progress for all. GCA is a 501(c)(3) in the U.S. and a nonprofit in the U.K. and Belgium.

[email protected]     |     +1.646.677.5535

Cyber Essentials Full Color Logo and Mark
IASME Consortium Self-Certified Logo
Online Trust Alliance Honor Roll Certification Logo

Global Cyber Alliance is a 501(c)(3) Nonprofit Organization

Copyright 2024 Global Cyber Alliance | Sitemap