Announce: Smtp Dane Verify – Self-Monitor Your Dane Policy
Posted11 days ago
github.comDevopsstory
informativepositive
Debate
0/100
DaneSmtpCybersecurityDevops
Key topics
Dane
Smtp
Cybersecurity
Devops
Discussion Activity
Light discussionFirst comment
N/A
Peak period
1
Start
Avg / period
1
Key moments
- 01Story posted
Dec 26, 2025 at 9:01 AM EST
11 days ago
Step 01 - 02First comment
Dec 26, 2025 at 9:01 AM EST
0s after posting
Step 02 - 03Peak activity
1 comments in Start
Hottest window of the conversation
Step 03 - 04Latest activity
Dec 26, 2025 at 9:01 AM EST
11 days ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
ID: 46392053Type: storyLast synced: 12/26/2025, 2:05:18 PM
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
In the hopes of bringing more awareness to DANE, and how to implement (and monitor, which is key!) DANE on large and small mail servers, the friendly folks at sys4.de have published a tool to help monitoring DANE.
May DANE spread far and wide - and may your self-signed certificates be verified and trusted via your DNSSEC-authenticated DNS records!
From a post by Patrick Ben Koetter to the DANE mailing list at sys4.de [0]:
Greetings!
Our this year's Christmas gift to the community is a service that let’s you monitor and detect typical DANE related problems for DANE-enabled inbound SMTP services. You can integrate the service in your own service environment or run it as a docker container and poll it for test results from a monitoring service.
## Why? We believe every platform should enable and use DANE. DANE is the missing piece in TLS or as Wietse Venema once put it: „Encryption without authentication is not 'security'. It just gives some privacy.“ DANE adds the missing authentication bit. But DANE enforces strict policy and if your platform fails inbound DANE-verification you will not receive email from those platforms that enforce outbound DANE-verification. A failing DANE policy imposes a production risk.
## Why would your platform fail DANE verification? From discussions with Viktor about the statistics he generates at https://stats.dnssec-tools.org/#/ we know that in most cases, when DANE-enabled platforms fail DANE-verification, it is because the published TLSA resource record(s) in DNS do not match one of the x509 certificate's fingerprint.
We want everybody to benefit from the security DANE adds to TLS and not have people look at it as a production risk! This is why we built the SMTP DANE Verify service. It will test and detect common DANE policy problems. Using SMTP DANE Verify everybody will be able to monitor their own (and other) domains and raise an alarm in case the tested domain fails DANE verification.
## How would you use SMTP DANE Verify? If you think SMTP DANE Verify is for you check out the project at https://github.com/sys4/smtp-dane-verify. The project's README should give you all the information you need to setup, run and integrate SMTP DANE Verify on your platform.
On a sidenote: In case you are still in doubt if anyone should be using DANE at all: the EU has launched a Multi-Stakeholder Working Group for Internet Standards in the EU and DANE is a major item on the groups roadmap. Follow this link to read more: https://digital-strategy.ec.europa.eu/en/news/european-commi......
And that's it! We hope you will find it as useful as we do. Season greetings to all of you. Peace on earth to all of us. o:)
p@rick
[0]: https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de...