Use DANE to secure email communication.
By default, SMTP is unencrypted and could allow a malicious attacker to eavesdrop on email communications. DANE and TLSA records secure SMTP email by confirming the identity of a mail-exchange server.
The problems with SMTP
- MX records, A records, and other DNS resource records can be spoofed
- Malicious attackers can easily eavesdrop on email communication as SMTP is unencrypted and unauthenticated
SMTP encryption is an option, but it must be enabled by both the sender and the receiver, and even then a man-in-the-middle can circumvent it by spoofing the answers of an unencrypted DNS server and redirecting the traffic to a malicious domain.
DANE and DNSSEC solve the SMTP problem
- DNSSEC lets you trust the mail-exchange (MX) lookup and trust that the TLSA record accurately points to the right certificate
- DANE's TLSA record identifies the certificate or the CA
- Security across the email communication is enforced
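As an added example (not part of the original page), the Go program below shows the two halves of the DANE check described above: the domain owner publishes a TLSA record derived from the mail server's certificate, and a connecting client compares the certificate presented during STARTTLS against that record. The hostname mail.example.com, the self-signed certificates and the "rogue" second certificate are all constructed here for illustration; a real deployment would hash the production certificate and serve the record from a DNSSEC-signed zone.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TLSARecord holds the RDATA fields of a TLSA record (RFC 6698).
type TLSARecord struct {
	Usage        uint8 // 3 = DANE-EE: match the server's own end-entity certificate
	Selector     uint8 // 0 = full certificate, 1 = SubjectPublicKeyInfo
	MatchingType uint8 // 0 = exact, 1 = SHA-256, 2 = SHA-512
	Data         []byte
}

// tlsaData computes the certificate association data for cert under the
// given selector and matching type.
func tlsaData(cert *x509.Certificate, selector, matchingType uint8) ([]byte, error) {
	var subject []byte
	switch selector {
	case 0:
		subject = cert.Raw
	case 1:
		subject = cert.RawSubjectPublicKeyInfo
	default:
		return nil, errors.New("unsupported selector")
	}
	switch matchingType {
	case 0:
		return subject, nil
	case 1:
		sum := sha256.Sum256(subject)
		return sum[:], nil
	case 2:
		sum := sha512.Sum512(subject)
		return sum[:], nil
	default:
		return nil, errors.New("unsupported matching type")
	}
}

// NewTLSARecord builds the record a domain owner would publish for cert.
func NewTLSARecord(cert *x509.Certificate, usage, selector, matchingType uint8) (TLSARecord, error) {
	data, err := tlsaData(cert, selector, matchingType)
	if err != nil {
		return TLSARecord{}, err
	}
	return TLSARecord{Usage: usage, Selector: selector, MatchingType: matchingType, Data: data}, nil
}

// String renders the record in zone-file presentation format, e.g. "3 1 1 <hex>".
func (r TLSARecord) String() string {
	return fmt.Sprintf("%d %d %d %s", r.Usage, r.Selector, r.MatchingType, hex.EncodeToString(r.Data))
}

// Matches reports whether the certificate presented by the server agrees with the
// published record. Only DANE-EE (usage 3) is handled; usage 2 (DANE-TA) would
// additionally require building a chain to the published trust anchor.
func (r TLSARecord) Matches(presented *x509.Certificate) (bool, error) {
	if r.Usage != 3 {
		return false, errors.New("only DANE-EE (usage 3) is implemented in this example")
	}
	data, err := tlsaData(presented, r.Selector, r.MatchingType)
	if err != nil {
		return false, err
	}
	return bytes.Equal(data, r.Data), nil
}

// SelfSignedCert generates a throwaway self-signed certificate for host. It is a
// constructed stand-in for the real mail server certificate.
func SelfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	legit, _ := SelfSignedCert("mail.example.com") // constructed server certificate
	rec, _ := NewTLSARecord(legit, 3, 1, 1)        // DANE-EE, SPKI, SHA-256
	fmt.Printf("_25._tcp.mail.example.com. IN TLSA %s\n", rec)

	ok, _ := rec.Matches(legit)
	fmt.Println("legitimate server certificate matches record:", ok)

	rogue, _ := SelfSignedCert("mail.example.com") // same name, different key
	ok, _ = rec.Matches(rogue)
	fmt.Println("substituted certificate matches record:", ok)
}
```

The second check is the point of the scheme: a certificate for the same hostname but a different key fails to match, so a server reached through spoofed DNS cannot pass the DANE check even if it presents a plausible certificate. The record itself must be fetched with DNSSEC validation, otherwise the TLSA answer could be forged along with the MX record.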