Should I use the full certificate or a hash in TLSA records?

Always use a hash (SHA-256 recommended). Full data (matching type 0) creates very large DNS records that can cause UDP truncation issues. SHA-256 (matching type 1) produces a compact 64-character hex string.

Can I have multiple TLSA records for the same host?

Yes, and it's recommended for certificate rotation. Publish TLSA records for both the current AND future certificate before rotation. After the switch, remove the old one. This ensures zero downtime during the transition.

What certificate format does the generator accept?

The generator accepts PEM format (base64, starting with -----BEGIN CERTIFICATE-----). You can extract it from your mail server with OpenSSL: openssl s_client -connect mail.captaindns.com:25 -starttls smtp.

Free DANE TLSA Generator | Create TLSA Records for DANE

How to use this DANE TLSA generator

Generating a correct TLSA record takes three inputs: your certificate, the right parameters, and a DNSSEC-enabled domain. Get any of these wrong and DANE fails silently.

Step 1: Configure TLSA parameters

Choose parameters based on your deployment scenario:

Recommended configuration for SMTP:

Parameter	Recommended value	Reason
Certificate Usage	DANE-EE (3)	No PKIX validation needed
Selector	SPKI (1)	Survives renewals
Matching Type	SHA-256 (1)	Compact and secure
Port	25	Standard SMTP port

Step 2: Provide the certificate

Paste your certificate in PEM format:

-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQON...
-----END CERTIFICATE-----

How to obtain the certificate:

# From your mail server via STARTTLS
openssl s_client -connect mail.captaindns.com:25 -starttls smtp 2>/dev/null | openssl x509

# From a file on the server
cat /etc/letsencrypt/live/mail.captaindns.com/cert.pem

Step 3: Copy and publish

The generator produces a complete, ready-to-publish DNS record:

_25._tcp.mail.captaindns.com.  IN  TLSA  3 1 1 2bb183af2e2b295b444c1fd4072f2b59a8c1c9abf7f3f1e9b0d4c7e8f1a2b3c4d

Copy the output and add it to your DNS zone. Ensure DNSSEC is active on the domain before publishing. Without DNSSEC, the TLSA record has no security value.

Step 4: Verify deployment

Run our DANE TLSA Checker to confirm the record is live, DNSSEC-signed, and matches your server certificate. Do not skip this step.

TLSA parameter guide

Choosing wrong parameters is the second most common DANE deployment error (after forgetting DNSSEC). This guide explains each field and when to use it.

Certificate Usage: which type to choose?

Usage	Name	When to use	Certificate rotation
0	PKIX-TA	Known CA + PKIX validation	Easy (same CA)
1	PKIX-EE	Exact certificate + PKIX	Difficult (DNS update)
2	DANE-TA	Known CA without PKIX	Easy (same CA)
3	DANE-EE	Exact certificate without PKIX	Medium (SPKI + key reuse)

For SMTP, DANE-EE (3) is the standard. Mail servers rely on DNSSEC for trust, making PKIX validation unnecessary. Choose DANE-TA (2) only if you need automatic certificate rotation tolerance.

Selector: Cert vs SPKI

Selector	Stability	Use case
Cert (0)	Changes on every renewal	Strict pinning, automated DNS management
SPKI (1)	Stable if same key	Recommended, especially with Let's Encrypt

SPKI (1) is recommended to reduce the frequency of DNS updates.

Matching Type: Full vs Hash

Matching	Record size	Security
Full (0)	Large (may truncate UDP)	Maximum
SHA-256 (1)	64 hex characters	Recommended
SHA-512 (2)	128 hex characters	Longer, no real benefit

SHA-256 (1) is the standard. Full data (0) creates DNS records that exceed the 512-byte UDP limit, causing truncation and lookup failures. Avoid it for SMTP.

Prerequisite: DNSSEC

Publishing a TLSA record without DNSSEC wastes time. Every compliant MTA ignores unsigned TLSA records. Complete these steps first:

Verify DNSSEC

Check that your registrar supports DNSSEC
Enable DNSSEC signing at your DNS host
Add DS records at your registrar
Wait for propagation (can take 24-48h)

DNS providers with DNSSEC

Provider	DNSSEC	Notes
Cloudflare	Yes (automatic)	One click in settings
AWS Route 53	Yes	Manual configuration required
OVH	Yes	Activation via manager
Google Cloud DNS	Yes	Manual configuration
Gandi	Yes	Automatic activation available

Deployment strategies

Certificate renewal breaks DANE if you do not plan ahead. Choose a strategy that matches your automation level.

Scenario 1: Let's Encrypt with key reuse

The simplest approach for DANE-EE deployments. Reusing the private key keeps the SPKI hash constant.

# Generate with key reuse
certbot certonly --reuse-key -d mail.captaindns.com

# TLSA record (stable across renewals)
3 1 1 <sha256-spki>

Result: The TLSA record never changes. Zero DNS maintenance after initial setup.

Scenario 2: Let's Encrypt with DANE-TA

Pin the CA instead of the server certificate. Best if you want zero DNS interaction.

# Pin the Let's Encrypt CA (ISRG Root X1)
2 0 1 <sha256-of-letsencrypt-ca>

Result: Every certificate signed by Let's Encrypt validates automatically. No DNS updates needed.

Scenario 3: Rotation with dual records

Publish both records before rotating the certificate. Requires coordination but works with any key strategy.

_25._tcp.mail.captaindns.com.  TLSA  3 1 1 <current-cert-hash>
_25._tcp.mail.captaindns.com.  TLSA  3 1 1 <future-cert-hash>

After rotation: Remove the old hash. Allow at least one TTL period before cleanup.

DNS publication by provider

Cloudflare

Go to your domain's DNS settings
Add a record:
- Type: TLSA
- Name: _25._tcp.mail
- Usage: 3
- Selector: 1
- Matching Type: 1
- Certificate: Your SHA-256 hash

AWS Route 53

Open the hosted zone
Create a record:
- Name: _25._tcp.mail.captaindns.com
- Type: TLSA
- Value: 3 1 1 <hash>
- TTL: 3600

OVH / Generic format

Go to the DNS zone
Add an entry:
- Subdomain: _25._tcp.mail
- Type: TLSA
- Target: 3 1 1 <hash>
- TTL: 3600

Complete email security with DANE

DANE protects one layer of email transport. Full protection requires three complementary protocols working together.

1. DANE (Certificate authentication via DNS)

Verifies the recipient server identity through DNSSEC-signed TLSA records. Prevents certificate forgery and MitM attacks.

Use this generator to create your TLSA record
Verify DANE deployment

2. MTA-STS (TLS enforcement via HTTPS)

Enforces TLS without requiring DNSSEC. Protects against senders that do not support DANE.

3. TLS-RPT (Failure reporting)

Collects TLS connection failure reports from both DANE and MTA-STS. Essential for detecting misconfigurations.

Recommended deployment order

Enable DNSSEC on the domain
Publish TLSA records (DANE) - use this generator
Configure TLS-RPT to receive failure reports immediately
Add MTA-STS as a fallback for non-DANE senders
Monitor TLS-RPT reports weekly to catch certificate rotation issues

FAQ - Frequently asked questions

Q: How do I create a DANE TLSA record?

A: Use our generator: select the usage type (DANE-EE recommended), selector (SPKI for stability), matching type (SHA-256), and paste your PEM certificate. The tool generates the complete DNS record ready to publish.

Q: Which certificate usage should I choose for DANE?

A: For most SMTP deployments, DANE-EE (3) with SPKI selector and SHA-256 matching is recommended. For easier certificate rotation, use DANE-TA (2) with your CA certificate.

Q: Should I use the full certificate or a hash?

A: Always use a SHA-256 hash. Full data (matching type 0) creates very large DNS records with UDP truncation risks. SHA-256 produces a compact 64-character string.

Q: What is the SPKI selector?

A: The SPKI selector (1) hashes only the public key of the certificate. The TLSA record remains valid when you renew with the same key pair, unlike the Cert selector (0) which changes on every renewal.

Q: How do I deploy a DANE TLSA record?

A: 1) Enable DNSSEC, 2) Add the TLSA at _25._tcp.yourmailserver, 3) Wait for DNS propagation, 4) Verify with our DANE TLSA Checker. The record must be DNSSEC-signed.

Q: How do I handle Let's Encrypt renewals with DANE?

A: Two strategies: DANE-TA (usage 2) with the Let's Encrypt CA certificate automatically survives renewals. DANE-EE (usage 3) with SPKI selector and --reuse-key in Certbot works too.

Complementary tools

Tool	Purpose
DANE TLSA Validator	Validate syntax before publication
DANE TLSA Checker	Verify the record after deployment
MTA-STS Generator	Create an MTA-STS policy (alternative TLS security)
TLS-RPT Generator	Enable DANE failure reporting
Email domain audit	Complete email authentication audit

Useful resources

RFC 6698 - DANE TLSA (original specification)
RFC 7671 - Updates to DANE (operational updates)
RFC 7672 - SMTP Security via DANE (DANE for SMTP)
Certbot - Reuse Key (key reuse for DANE)
Microsoft - DANE with DNSSEC (Exchange Online guide)

DANE TLSA Generator

Create TLSA records to secure your SMTP connections

PEM certificate support

All TLSA parameters

Ready to copy-paste

Built-in validation

DNSSEC deployment guide