DNSSEC with TLSA/DANE for mail sub-domain with MTA-STS and TLSRTP TXT record?

Recently I have successfully setup DNSSEC on my domain on CloudFlare.

Moreover, for mail server I am using Let’s Encrypt SSL certificate.

I have also correctly added TLSA records, and even published TXT records for MTA-STS and TLSRTP.

I just wonder, as far as the added TLSA and TXT records are for @ domain.com, but not for sub.example.com.

so for example, TLSA for mail.example.com is not added, but TLSA for example.com is.

So, it means that TLSA/DANE is wrong configured?
Should I have for both @ and sub.example.com as mail sub-domain?
Or only @?
Or only sub.example.com?

So it should be like:

Also what about MTA-STS and TLSRTP?
Should the TXT records with prefix be on @, or they should only or also be added as sub.example.com?
_smtp._tls.mail.example.com instad of _smtp._tls.example.com
_mta-sts.mail.example.com instad of _mta-sts.example.com

When using tools:

All pass. All green. Reports comming successfully to my e-mail. E-mails on the server are working fine with setup like:
TLSA _993._tcp.mail.example.com
TLSA _587._tcp.mail.example.com
TLSA _465._tcp.mail.example.com
TLSA _995._tcp.mail.example.com
TLSA _25._tcp.mail.example.com
TLSA _110._tcp.mail.example.com
TLSA _143._tcp.mail.example.com
TXT _smtp._tls.example.com
TXT _mta-sts.example.com

Also, I have added:
CNAME autodiscover
CNAME autoconfig
SRV _autodiscover._tcp
A mta-sts.example.com
MX for example.com goes to mail.example.com
A mail.example.com
TXT for SPF, DKIM default._domainkey and DMARC _dmarc

Thank you for some explanation and help!

Like here:

Should It be like:

_smtp._tls.mail.example.com.	IN	TXT	"v=TLSRPTv1;rua=mailto:[email protected]"

Or this:

_smtp._tls.example.com.	IN	TXT	"v=TLSRPTv1;rua=mailto:[email protected]"

The same question goes for TLSA and TXT _mta-sts records.

Google source here, should be good with _smtp._tls.example.com:

Mine is just _smtp._tls, probably because it should match the domain name, and not the mail server.

This guy knows a thing or two about stuff like this:

And I believe that TLSA should match the hostname you’re securing. I have several 443 entries due to subdomains. As for TXT, it looks like you’re securing the root domain’s email, not the mail server, so no subdomains on those.

And now my head is swimming a bit. Hopefully this is right, but a fresh pair of eyes might spot any mistakes.

1 Like

Yes, I think too. Thanks for the link.

TLSA, right. The hostname.

So as far as If I only want to have TLSA/DANE for my mail sub-domain, then I should use as stated for example like _port._tcp.mail.example.com.

Moreover, due to the TXT records, _smtp._tls and _mta-sts, yes the should go to the @ of the example.com domain.

Here is an example what I have if anyone will ever need some kind of it or even better approach.


  1. DNSSEC enabled on the domain.

  2. Server with Dovecot and Postfix configured and open for ports 25, 110, 143, 587, 465, 995, 993 (POP3/S, SMTP/S, IMAP/S).
    Having TLS v1.2 as minimum with value, from the parameters for smtp tls security “dane” and smtpd tls security “may” (testing, works if other have, if not, goes back to SSL only), smtp dns support “dnssec” and etc. needed to work for SSL and TLS with DANE including SSL certificate.

  3. Wanting the TLSA/DANE only on mail sub-domain which is pointed to the different IP address than the Website records are pointed (A @ and A www records).

  4. Regarding Microsoft Outlook “pop-up about SSL certificate name” when connecting and other e-mail clients, due to the SAN in the Let’s Encrypt SSL Certificate name being different CN, to have multiple “mail sub-domains” on the same SSL certificate I have to use autoconfig and autodiscover CNAME records too and SRV autodiscover pointing to my mail sub-domain.
    More info at: https://support.microsoft.com/en-us/help/2772058/the-name-on-the-security-certificate-is-invalid-or-does-not-match-the and https://docs.microsoft.com/en-us/outlook/troubleshoot/connectivity/suppress-autodiscover-mismatch-warning

  5. Also wanting to try out the feature of MTA-STS and SMTP TLSRPT.

  6. Also having SPF, DMARC and DKIM added.

  7. Here is my final as for now, working:

;; A Records
mail.example.com.      1   IN  A
mta-sts.example.com.   1   IN  A
www.example.com        1   IN  A
example.com            1   IN  A

;; CNAME Records
autoconfig.example.com.    1   IN  CNAME   mail.example.com.
autodiscover.example.com.  1   IN  CNAME   mail.example.com.

;; MX Records
example.com.   1   IN  MX  10 mail.example.com.

;; SRV Records
_autodiscover._tcp.example.com.    1   IN  SRV 0 0 443 mail.example.com.

;; TLSA Records
_110._tcp.mail.example.com.    1   IN  TLSA    3 1 1 HASH_VALUE
_143._tcp.mail.example.com.    1   IN  TLSA    3 1 1 HASH_VALUE
_25._tcp.mail.example.com.     1   IN  TLSA    3 1 1 HASH_VALUE
_465._tcp.mail.example.com.    1   IN  TLSA    3 1 1 HASH_VALUE
_587._tcp.mail.example.com.    1   IN  TLSA    3 1 1 HASH_VALUE
_993._tcp.mail.example.com.    1   IN  TLSA    3 1 1 HASH_VALUE
_995._tcp.mail.example.com.    1   IN  TLSA    3 1 1 HASH_VALUE

;; TXT Records
default._domainkey.example.com.   1   IN  TXT "v=DKIM1; t=s; p=HASH_DKIM_VALUE"
_dmarc.example.com.               1   IN  TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1"
_mta-sts.example.com.             1   IN  TXT "v=STSv1; id=202026091740"
_smtp._tls.example.com.           1   IN  TXT "v=TLSRPTv1; rua=mailto:[email protected]"
example.com.                      1   IN  TXT "v=spf1 a mx ip4: ~all"

Where A record for mail is grayed out, also the CNAME records grayed out and A record for MTA-STS and @ and WWW are orange.

Little bit of and kind of a strange combination because using a CloudFlare Flexible SSL for Website and Let’s Encrypt SSL certificate for mail only.

  1. My MTA-STS policty is also “testing” as for now.
version: STSv1
mode: testing
mx: mail.example.com
max_age: 86401

As far as, It all works for now :slight_smile:

1 Like

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.