DANE/TLSA: DNSSEC-anchored TLS for SMTP

DANE for SMTP (RFC 7672) publishes a TLSA record in DNS that binds the MX host's certificate, its public key, or the CA that issued it to the MX hostname, so a sending MTA can authenticate the receiving MTA without relying on the public CA system. The record is only meaningful if every DNS lookup on the path to it is DNSSEC-validated.

Prerequisites

DNSSEC must be enabled on the zone that publishes your domain's MX records and on the zone that publishes the MX hostname's TLSA and address records, with an unbroken chain of trust from the root down (every parent zone must carry the correct DS record). A TLSA record that a sender cannot validate is treated as if it did not exist, so an unsigned zone silently yields no DANE protection at all, and a broken chain (for example a stale DS record after a key rollover) makes the zone unresolvable for validating senders and stops mail entirely.

Record format

The record is named for the port and protocol of the MX host:

_25._tcp.<mx-hostname>. IN TLSA <usage> <selector> <matching-type> <data>

The fields are the certificate usage (3 = DANE-EE, the end-entity certificate itself; 2 = DANE-TA, a trust anchor you publish; usages 0 and 1 are not used for SMTP), the selector (0 = full certificate, 1 = SubjectPublicKeyInfo), the matching type (0 = exact data, 1 = SHA-256, 2 = SHA-512) and the hex-encoded data. Most deployments publish 3 1 1: DANE-EE, matched on the SHA-256 of the SubjectPublicKeyInfo. That pins the public key rather than the certificate, so routine renewals and a change of CA need no record update as long as the key pair is reused. Rotating the key is the event that matters: publish the new 3 1 1 record alongside the old one, wait at least the record's TTL for caches to expire, and only then deploy the certificate with the new key. Deploy first and validating senders will refuse to deliver until the record catches up.
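The following is an added example, not code from the page or from any DANE implementation. It computes the data field for any selector/matching-type combination from a DER certificate using a small DER walker (no external libraries), renders the zone-file line, parses a record's rdata as a sender would receive it, and performs the usage-3 (DANE-EE) match. It also shows the renewal and rotation cases from the paragraph above: a renewed certificate with the same key still matches the published 3 1 1 record, a certificate with a new key does not. The certificate is a constructed fixture: structurally valid DER with a dummy key and no real signature, which is enough because only the layout is walked. Usages 0 to 2 need chain building and are deliberately not matched here. The helper names (der, spki_from_der_cert, tlsa_data, dane_ee_match and so on) are this example's own.

```python
import hashlib

# --- Minimal DER helpers, just enough to walk an X.509 certificate ---

def der(tag, content):
    """Encode one DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def der_tlv(buf, off=0):
    """Decode the TLV at buf[off:]; return (tag, value, end_offset)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def der_children(seq_value):
    """Return [(tag, raw_tlv)] for each element inside a SEQUENCE value."""
    out, off = [], 0
    while off < len(seq_value):
        tag, _, end = der_tlv(seq_value, off)
        out.append((tag, seq_value[off:end]))
        off = end
    return out


def spki_from_der_cert(cert_der):
    """Extract the raw SubjectPublicKeyInfo TLV (the data selector 1 uses)."""
    _, cert_val, _ = der_tlv(cert_der)         # Certificate ::= SEQUENCE
    _, tbs_val, _ = der_tlv(cert_val)          # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs_val)
    i = 1 if fields[0][0] == 0xA0 else 0       # skip the optional [0] version
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[i + 5][1]


# --- TLSA data generation and DANE-EE matching ---

def tlsa_data(cert_der, selector, matching_type):
    """Hex association data for the given selector (0 cert, 1 SPKI) and
    matching type (0 exact, 1 SHA-256, 2 SHA-512)."""
    subject = {0: cert_der, 1: spki_from_der_cert(cert_der)}[selector]
    if matching_type == 0:
        return subject.hex()
    return {1: hashlib.sha256, 2: hashlib.sha512}[matching_type](subject).hexdigest()


def tlsa_record(mx_host, cert_der, usage=3, selector=1, matching_type=1):
    """Render the zone-file line for the MX host (3 1 1 by default)."""
    data = tlsa_data(cert_der, selector, matching_type)
    return f"_25._tcp.{mx_host}. IN TLSA {usage} {selector} {matching_type} {data}"


def parse_tlsa_rdata(rdata):
    """'3 1 1 <hex>' -> (usage, selector, matching_type, data); tolerates
    the whitespace that dig inserts into long hex strings."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), data.replace(" ", "").lower()


def dane_ee_match(cert_der, records):
    """Sender-side check: does the presented leaf cert satisfy any usage-3
    record? Usages 0-2 need chain building and are not handled here."""
    return any(usage == 3 and tlsa_data(cert_der, sel, mtype) == data
               for usage, sel, mtype, data in records)


# --- Constructed fixture: structurally valid, unsigned DER cert with a dummy key ---

RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010101"))                    # rsaEncryption
SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))

def constructed_spki(key_byte):
    # AlgorithmIdentifier + BIT STRING; the "key" is 20 repeated bytes, not a real key
    return der(0x30, der(0x30, RSA_OID + der(0x05, b"")) + der(0x03, b"\x00" + bytes([key_byte]) * 20))

def constructed_cert(spki, serial):
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                                  # version v3
              + der(0x02, bytes([serial]))                                  # serialNumber
              + SHA256_RSA                                                  # signature alg
              + der(0x30, b"")                                              # issuer (empty Name)
              + der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
              + der(0x30, b"")                                              # subject (empty Name)
              + spki)
    return der(0x30, tbs + SHA256_RSA + der(0x03, b"\x00" * 17))            # dummy signature

KEY_A = constructed_spki(0xAB)
CERT_A1 = constructed_cert(KEY_A, 1)                   # certificate currently deployed
CERT_A2 = constructed_cert(KEY_A, 2)                   # renewed certificate, same key pair
CERT_B = constructed_cert(constructed_spki(0xCD), 3)   # certificate after a key rotation
PUBLISHED = [parse_tlsa_rdata(tlsa_record("mx.example.com", CERT_A1).split(" TLSA ")[1])]

if __name__ == "__main__":
    print(tlsa_record("mx.example.com", CERT_A1))
    print("renewed cert, same key, matches:", dane_ee_match(CERT_A2, PUBLISHED))
    print("rotated key matches old record:", dane_ee_match(CERT_B, PUBLISHED))
```

For a real certificate the same 3 1 1 value comes from openssl: openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256. Comparing that output with what a validating resolver returns for the _25._tcp name (dig +dnssec TLSA ...) is the check to run before and after every certificate deployment.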

When to choose DANE vs MTA-STS

MTA-STS is easier to deploy and needs no DNSSEC (the policy is fetched over HTTPS and authenticated by the web PKI), so it is the sensible default for most domains. DANE is stronger: authentication rests on DNSSEC rather than on the public CA system, and there is no first-contact window in which an active attacker can suppress the policy before the sender has cached it. But DANE is only possible once DNSSEC is deployed on the zones involved, and it is only as reliable as your DNSSEC operations.

Frequently asked questions

Can I run both DANE and MTA-STS?
Yes, and a number of large providers publish both. A sender that supports both must not let an MTA-STS policy override a failed DANE validation (RFC 8461), so when a valid TLSA record is present DANE takes precedence.
