Enforce DANE

DANE is DNS-based Authentication of Named Entities, it provides a mechanism (using TLS Encryption) to validate that a DNS query returns the data provided by the domains authoritative name server.

DANE enables the administrator of a domain name to certify the keys used in that domain's TLS clients or servers by storing them in the Domain Name System (DNS).

DANE needs the DNS records to be signed with DNSSEC for its security model to work.


The following requirements must be met by you prior to contacting our support team.

  • Configure DNSSEC for MX records
  • Be an admin for the domain's MX record(s), A record, TLSA record, and any associated CNAME records by DNSSEC
  • Add TLSA DNS records

Enforcing DANE

By default, the Exim parameter host_try_dane is configured for all connections. If you want to enforce DANE as a strict requirement, this needs to be set up explicitly by our Support team.

Information to Provide

Please contact Spam Experts support to have DANE enforcement enabled with answers to the following questions:

  • Which direction of mail do you want to enforce?
    • Incoming
    • Outgoing
  • Which filtering nodes of the local cloud would you like the DANE enforcement enabled on?
  • Which filtered domains on your cluster would you like the enforcement on?

Once we have the answers to the above, we can assist you to get this set up.