What is this?
DANE/TLSA (RFC 6698) binds a server's X.509 certificate to a DNSSEC-signed name by publishing
a TLSA record that carries the certificate (or just its SubjectPublicKeyInfo), either in full or
as a SHA-256/SHA-512 digest, together with a usage field saying what the data refers to. For
SMTP DANE (RFC 7672) the record lives at _25._tcp.<mx-host>, and only the DANE-TA(2) and
DANE-EE(3) usages are valid; a DANE-EE record names the MX's own end-entity (EE) certificate, a
DANE-TA record names an issuer that must appear in the chain the MX presents. A DANE-aware
sending MTA that finds such a record for an MX refuses to deliver in cleartext and refuses a
STARTTLS session whose certificate does not match, so both certificate substitution and STARTTLS
stripping by an on-path attacker are detected. DANE only applies when the MX lookup and the TLSA
lookup are DNSSEC-validated (the AD flag in dig's output); an unsigned TLSA record is ignored.
This tool resolves the MX records of a domain, probes STARTTLS against each MX to capture the EE
certificate, fetches the TLSA records via dig and checks whether the certificate matches one of
the published records.
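The matching step described above, as an added example that is not the tool's own code: it
applies a TLSA record's selector (0 = full certificate, 1 = SubjectPublicKeyInfo) and matching
type (0 = exact, 1 = SHA-256, 2 = SHA-512) to the certificates a server presented and also
generates the record you would publish for a given certificate. The certificate and key bytes
are constructed in the block itself (an unsigned skeleton with dummy Ed25519 key bytes), the
hostnames are placeholders, and the STARTTLS probe and dig lookup the tool performs are not
part of this example.

```python
"""Compute and verify SMTP DANE TLSA records (RFC 6698 / RFC 7672) offline.

Example code added to this page; not the checker tool's own source. Certificates
are taken as DER bytes; obtaining them via STARTTLS and the records via dig is
the tool's job and is not done here.
"""
import hashlib


def _der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    k = first & 0x7F
    n = int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
    return tag, pos + 2 + k, pos + 2 + k + n


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (selector 1).

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, pos, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(cert_der, pos)            # descend into tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    if cert_der[pos] == 0xA0:                          # optional [0] EXPLICIT version
        _, _, pos = _read_tlv(cert_der, pos)
    for _ in range(5):                                 # serial, sigalg, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:end]


def _association_data(cert_der, selector, mtype):
    """Apply a TLSA selector and matching type to one certificate."""
    subject = {0: cert_der, 1: extract_spki(cert_der)}[selector]
    if mtype == 0:
        return subject
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](subject).digest()


def tlsa_record_for(cert_der, usage=3, selector=1, mtype=1):
    """Presentation-format TLSA RDATA for a certificate; the default is the common '3 1 1'."""
    if usage not in (2, 3):
        raise ValueError("RFC 7672: SMTP uses only DANE-TA(2) and DANE-EE(3)")
    return f"{usage} {selector} {mtype} {_association_data(cert_der, selector, mtype).hex()}"


def check_tlsa(records, chain):
    """Return the first TLSA record (presentation format) that the presented chain satisfies, else None.

    chain[0] is the EE certificate seen via STARTTLS, chain[1:] the issuers the server sent.
    DANE-EE(3) is compared against the EE certificate only; DANE-TA(2) against an issuer in the
    presented chain (a full path validation up to that anchor is still required and is not done
    here). PKIX-TA(0)/PKIX-EE(1) records are skipped, as RFC 7672 requires for SMTP.
    """
    for rec in records:
        fields = rec.split(None, 3)
        try:
            usage, selector, mtype = (int(f) for f in fields[:3])
            data = bytes.fromhex("".join(fields[3].split()))
        except (IndexError, ValueError):
            continue
        candidates = chain[:1] if usage == 3 else chain[1:] if usage == 2 else []
        for cert in candidates:
            try:
                if _association_data(cert, selector, mtype) == data:
                    return rec
            except (KeyError, ValueError, IndexError):
                continue            # unknown selector/matching type or malformed cert: unusable record
    return None


def sample_spki(seed):
    """Constructed Ed25519-shaped SPKI with dummy key bytes (not a real key)."""
    key = bytes((seed + i) % 256 for i in range(32))
    return _der(0x30, _der(0x30, _der(0x06, b"\x2b\x65\x70")) + _der(0x03, b"\x00" + key))


def build_test_cert(spki_der):
    """Constructed, unsigned certificate skeleton for this example (not a real certificate)."""
    tbs = _der(0xA0, _der(0x02, b"\x02"))                                 # [0] version v3
    tbs += _der(0x02, b"\x01")                                            # serialNumber
    tbs += _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))    # sha256WithRSAEncryption
    tbs += _der(0x30, b"")                                                # issuer (empty Name)
    tbs += _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs += _der(0x30, b"")                                                # subject
    tbs += spki_der
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    ee, ca = build_test_cert(sample_spki(1)), build_test_cert(sample_spki(7))
    rec = tlsa_record_for(ee)                       # what you would publish for this MX
    print(f"_25._tcp.mx.example.net. IN TLSA {rec}")   # placeholder MX name
    print("matches presented chain:", check_tlsa([rec], [ee, ca]) == rec)
```

On a live MX the same bytes come from `openssl s_client -starttls smtp -connect <mx-host>:25 -showcerts`; `tlsa_record_for` with the default "3 1 1" gives the SPKI digest, which survives a certificate renewal as long as the key pair is kept.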
When do I need it?
Before publishing your first TLSA record, after rotating a certificate or key (to confirm the TLSA still matches; when the key changes, publish the new record alongside the old one at least one TTL before the switch, as RFC 7671 recommends), or when a sending MTA reports DANE failures in TLS-RPT (RFC 8460). Pair with the MTA-STS validator for the redundant policy layer.