As of 2019, email is still generally transmitted without proper transport encryption. DANE is a proposed standard that has the potential to make widespread email transport encryption a reality.
DANE for SMTP does not only provide a trust scheme (like the certificate authority system) using DNSSEC, but also the means to know if a domain supports encrypted email transfer. Halon supports DANE since 2015.
DANE is only available over
and uses the
TLSA record type.
An email server (MTA) only needs to make one extra DNS query to use DANE, namely
$ dig freebsd.org mx +short
$ dig _25._tcp.mx1.freebsd.org tlsa +short
3 1 1 0A7E2F469913EA64CA98AF...
and the server's certificate is compared against the DNS record. The output (logs) from a Halon system with and without DANE look like
Halon's DANE implementation is based on the NLnet Labs ldns library's DANE functions (which are included in FreeBSD). Outbound SMTP connections are handled by our DANE-enabled SMTP client, which is used by both standard functions such as