
MTA-STS and DANE both make TLS mandatory for email transport, yet they secure the connection in fundamentally different ways. This guide compares trust anchors, the DNSSEC requirement, trust on first use, operational effort and adoption, then gives clear decision guidance and explains why Conbool MailGuard runs both inbound and outbound.
Die neuesten Beiträge aus unserem Blog.

MTA-STS oder DANE? Beide Standards machen die Transportverschlüsselung verbindlich, setzen aber auf unterschiedliche Vertrauensanker. Dieser Vergleich erklärt die Unterschiede bei DNSSEC, Trust on…

MTA-STS für Microsoft 365 einrichten: Diese Anleitung erklärt, warum Exchange Online die Richtliniendatei nicht selbst bereitstellt, welche DNS-Einträge und HTTPS-Subdomäne nötig sind und wie der…
Email transport was never encrypted by default. For years, the protocol STARTTLS has tried to fill that gap, but it is opportunistic: if encryption is unavailable or an attacker strips the signal, the message quietly travels in plain text. Two standards exist to make TLS mandatory and remove that escape hatch: MTA-STS and DANE. They share the same goal, yet they secure the connection in fundamentally different ways.
This guide compares the two side by side. You will see how each one anchors trust, why DNSSEC is the dividing line, what trust on first use means for MTA-STS, and when it makes sense to run both. If you only need the basics of either standard, the dedicated guides on MTA-STS and DANE cover them in detail.
TL;DR: MTA-STS and DANE both force email to be delivered over verified TLS and both close the downgrade gap left by opportunistic STARTTLS. The difference is the trust anchor. DANE binds the exact server certificate through a TLSA record and requires DNSSEC. MTA-STS publishes a CA-trusted policy over HTTPS and works without DNSSEC. If you have DNSSEC, run both. If you do not, start with MTA-STS. For the highest assurance against a malicious network, DANE is the stronger anchor.
To understand why two standards exist, you need the context of STARTTLS. When two mail servers connect over SMTP, STARTTLS lets them upgrade the plain connection to an encrypted one, but only if both sides agree. There is no binding expectation that encryption happens, which opens two well known weaknesses:
MTA-STS and DANE both fix this by turning encryption into a requirement and by demanding that the destination prove its identity. They simply disagree on how that proof should be anchored.
DANE, defined in RFC 7672 for SMTP, publishes a TLSA record in DNS that pins the certificate or public key of your mail server. A sending server looks up that record, then checks that the certificate presented during the TLS handshake matches the published fingerprint. Because anyone could forge a DNS answer, DANE depends on DNSSEC to sign the record. Without DNSSEC the TLSA record cannot be trusted, so DNSSEC is not optional, it is the foundation. The payoff is a tight binding that is trusted on every lookup, including the very first contact, and that does not depend on the global certificate authority system.
MTA-STS, defined in RFC 8461, takes a different route. A short DNS TXT record signals that a policy exists, and the policy itself is served as a file on an HTTPS subdomain such as mta-sts.your-domain.com. The policy lists the permitted mail servers, the mode and a validity period. A sending server fetches it over HTTPS, caches it, and then requires the destination certificate to be valid against the public certificate authorities, the same trust chain that secures the web. MTA-STS needs no DNSSEC, which is its main practical advantage, but the trade-off is the trust-on-first-use behaviour described below.
| Criterion | DANE | MTA-STS |
|---|---|---|
| Trust anchor | TLSA fingerprint pinned in DNS | Public certificate authorities |
| DNSSEC requirement | Mandatory | Not required |
| First-contact behaviour | Trusted immediately on first lookup | Trust on first use, then cached |
| Policy transport | Signed DNS records | HTTPS policy file plus DNS hint |
| Operational effort | DNSSEC plus TLSA kept in sync with certificate changes | HTTPS host with a valid, renewing certificate |
| Independence from the CA system | Yes | No |
| Adoption among large providers | Strong in parts of Europe, partial elsewhere | Broad, including major mailbox platforms |
The row that decides most setups is the DNSSEC requirement. DANE cannot exist without it, and many domains and DNS providers still do not offer DNSSEC. MTA-STS removes that prerequisite, which is exactly why broad mailbox platforms adopted it. Where both are available, they reach different sets of sending partners, so the two together cover more of your inbound traffic than either alone.
The phrase trust on first use, or TOFU, is the most important subtlety in this comparison. The first time a sending server delivers to your domain, it does not yet know your MTA-STS policy. It fetches the policy, validates it over HTTPS and then caches it for the validity period. During that initial fetch, an attacker who fully controls the network path could, in theory, prevent the policy from being seen, so the very first contact carries a small residual risk. Once the policy is cached, that window is closed until it expires.
DANE does not have this gap. Because the TLSA record is signed by DNSSEC, a sending server can trust it on every lookup, including the first one, without a prior cached state. For most organisations the MTA-STS window is acceptable, particularly with a long cache lifetime, but if you operate in a high-assurance environment, this is precisely where DANE earns its reputation as the stronger anchor.
You do not always have to pick a single standard. Use this decision guidance:
In every case, pair your choice with TLS-RPT reporting so you can see which partners encrypt cleanly before and after you enforce.
This is not just a vendor preference. Germany's BSI addresses secure email transport in its Technical Guideline TR-03108 and names MTA-STS, DANE and TLS-RPT together as building blocks. The guideline does not frame the two enforcement standards as an either-or choice. It treats them as complementary layers: DANE for the strong, DNSSEC-anchored binding, MTA-STS for the broad reach across providers that have not deployed DNSSEC. Running both is therefore the configuration that best matches the state of the art, which also supports compliance arguments under the NIS2 obligations and Article 32 GDPR.
The reason most teams pick one standard is effort, not preference. DANE means keeping DNSSEC healthy and rotating TLSA records in lockstep with every certificate change, where a single mismatch can defer legitimate mail. MTA-STS means hosting a policy file on an HTTPS subdomain with a certificate that never silently expires. Doing both, in both directions, by hand is where setups break.
Conbool MailGuard removes that burden. It serves your MTA-STS policy on a managed HTTPS subdomain, keeps the TLSA records aligned with your certificate rollovers, applies both standards to inbound and outbound traffic, and collects the matching TLS reports in one console. The managed details for each standard live on the MTA-STS and DANE / TLSA pages, and you can see the current state of any domain first with the free transport security check.
Both standards make TLS mandatory for email transport, but they anchor trust differently. DANE binds the exact certificate or public key of a mail server through a signed TLSA record and depends on DNSSEC. MTA-STS publishes a policy over HTTPS and relies on the trust chain of public certificate authorities, so it works without DNSSEC. In short, DANE trusts a fingerprint validated by DNSSEC, while MTA-STS trusts a CA-signed certificate validated over HTTPS.
Yes, and for many domains that is the recommended setup. The two standards do not conflict. A sending server that supports DANE will use the TLSA record, while a server that only supports MTA-STS will follow the published policy. Running both maximises the share of partners that deliver to you over enforced TLS, which is why the BSI recommends the parallel approach in TR-03108.
If your domain or DNS provider does not support DNSSEC, choose MTA-STS. DANE strictly requires DNSSEC, because the TLSA record must be cryptographically signed to be trustworthy. MTA-STS has no such requirement: it validates the destination certificate against public certificate authorities and protects the policy through HTTPS. You can add DANE later once DNSSEC is in place.
Trust on first use, often shortened to TOFU, describes how a sending server learns an MTA-STS policy for the first time and then caches it. During that very first contact the policy is not yet known, so an attacker who fully controls the network could in theory hide it. After the policy is cached, that window closes for its validity period. DANE avoids this gap because the TLSA record is signed by DNSSEC and trusted on every lookup, including the first one.
Not in practice, especially with a managed service. DANE needs DNSSEC plus TLSA records that stay in sync with every certificate rollover, while MTA-STS needs an HTTPS policy host with a valid certificate. Conbool MailGuard automates both, keeping TLSA records aligned with certificate changes, serving the MTA-STS policy and collecting the TLS reports in one place, so enabling the second standard adds little ongoing work.
MTA-STS and DANE are not rivals so much as two anchors for the same promise: email leaves and arrives over verified, enforced TLS, never silently in plain text. DANE offers the tighter, DNSSEC-signed binding that is trusted from the very first lookup. MTA-STS offers broad reach without a DNSSEC prerequisite, at the cost of a small trust-on-first-use window. The strongest posture, and the one the BSI recommends, is to run both wherever DNSSEC allows.
The next step is yours: check your domain with the free transport security check and see how Conbool MailGuard operates both standards inbound and outbound for you.
Further reading: