DANE/TLSA validator

Per RFC 6698 + 7672

Checks TLSA records for MX records, gets the server certificate via STARTTLS and verifies whether a TLSA match exists.

What is this, and when do I need it?

What is this?

DANE/TLSA (RFC 6698) binds an X.509 certificate to a DNS name by publishing a hash of the certificate (or of its SubjectPublicKeyInfo) as a DNS record. For SMTP-DANE (RFC 7672) the record lives at _25._tcp.<mx-host> and lets sending MTAs detect man-in-the-middle (MITM) attacks on mail they deliver to that host. This tool resolves the MX records of a domain, probes STARTTLS against each MX to capture the end-entity (EE) certificate, fetches the TLSA records via dig and checks whether the certificate matches one of the published records.
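The matching step described above, as an added example that is not the tool's own code: it parses a TLSA record in the presentation format dig prints, derives the association data from a DER certificate according to the record's selector (full cert vs. SPKI) and matching type (exact, SHA-256, SHA-512), and reports whether a DANE-EE(3) record matches. The DER walker, the helper names and the sample certificate bytes are assumptions constructed for this example.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class TLSARecord:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data

    @classmethod
    def parse(cls, rdata: str) -> "TLSARecord":
        """Parse presentation format as dig prints it, e.g. '3 1 1 a1b2...'."""
        usage, selector, mtype, *hexparts = rdata.split()
        return cls(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))

def _tlv(buf: bytes, pos: int):
    """Minimal DER walker: (tag, value_start, value_end) of the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo (selector 1) of a certificate."""
    _, tbs, _ = _tlv(cert_der, 0)            # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, _ = _tlv(cert_der, tbs)          # step into TBSCertificate
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                          # optional explicit [0] version
        pos = end
    for _ in range(5):                       # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)          # subjectPublicKeyInfo
    return cert_der[pos:end]

def tlsa_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Association data a TLSA record with this selector/matching type would carry."""
    obj = cert_der if selector == 0 else extract_spki(cert_der)
    return {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}[mtype](obj)

def tlsa_matches(rec: TLSARecord, cert_der: bytes) -> bool:
    return tlsa_data(cert_der, rec.selector, rec.mtype) == rec.data

def find_match(records, ee_cert_der: bytes):
    """RFC 7672: usages 0/1 are unusable for SMTP and skipped; usage 2 needs the
    chain, so only DANE-EE(3) is matched against the end-entity certificate here."""
    return next((r for r in records if r.usage == 3 and tlsa_matches(r, ee_cert_der)), None)

# Constructed sample: a minimal certificate-shaped DER body (not a real certificate).
def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag, len(content)]) + content
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101"))
                   + _der(0x05, b"")) + _der(0x03, b"\x00\x01\x02\x03"))
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
                   + _der(0x30, b"") * 4 + SAMPLE_SPKI) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

Against a live MX you would pass the DER bytes returned by `ssl.SSLSocket.getpeercert(binary_form=True)` after STARTTLS as `ee_cert_der`, and the rdata strings from `dig TLSA _25._tcp.<mx-host>` to `TLSARecord.parse`.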

When do I need it?

Before publishing your first TLSA record, after rotating a cert (to confirm the TLSA still matches), or when a receiving MTA reports DANE failures in TLS-RPT. Pair with the MTA-STS validator for the redundant policy layer.

Server path: this tool does NOT run locally in the browser. Our server fetches the MX and TLSA records and opens a real SMTP connection on port 25 to each MX host to grab the live certificate via STARTTLS. We do not log the domain or the result. Rate limit: 12 requests per minute per IP.
