DANE / TLSA Record Generator

Paste your MX server's certificate (PEM format) and we'll output the standard DANE-EE / SPKI / SHA-256 (3 1 1) TLSA record. That's the recommended profile for SMTP DANE: it pins the certificate's public key (so the cert can be re-issued without breaking the record) and uses SHA-256 (universally supported). We compute the hash on our server from the certificate you paste, over an encrypted connection, and never store or log it.

Use the leaf certificate for your MX host. To display it, run: openssl s_client -connect mail.example.com:25 -starttls smtp -showcerts

Why 3 1 1?

The three numbers are usage, selector, and matching type. 3 (DANE-EE) means "this hash is the leaf cert" and bypasses CA validation entirely. 1 (SPKI) hashes the SubjectPublicKeyInfo, which lets you re-issue the cert without changing the TLSA record as long as you keep the same key. 1 (SHA-256) is the universally supported hash. Other profiles exist (e.g. 2 1 1 DANE-TA), but 3 1 1 is the most operationally friendly for SMTP.
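
To check a 3 1 1 value locally, the following added example (not this generator's own code) slices the SubjectPublicKeyInfo out of a PEM certificate with the Python standard library and hashes it with SHA-256. The function names are hypothetical, and the sample input is a constructed, certificate-shaped DER structure with placeholder fields rather than a real certificate; it is there to show that a re-issue with the same key keeps the record unchanged.

```python
import hashlib
import ssl

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_from_cert(der):
    """Slice the DER SubjectPublicKeyInfo (selector 1) out of a certificate."""
    _, pos, _ = read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, pos, tbs_end = read_tlv(der, pos)   # tbsCertificate ::= SEQUENCE
    tag, _, nxt = read_tlv(der, pos)
    if tag == 0xA0:                        # optional [0] version field
        pos = nxt
    for _field in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    tag, _, end = read_tlv(der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return der[pos:end]                    # header included: the hash covers the full SPKI

def tlsa_311(pem, mx_host, port=25):
    """Format the 3 1 1 record: SHA-256 over the SPKI of the pasted leaf cert."""
    spki = spki_from_cert(ssl.PEM_cert_to_DER_cert(pem.strip()))
    digest = hashlib.sha256(spki).hexdigest()
    return f"_{port}._tcp.{mx_host}. IN TLSA 3 1 1 {digest}"

# Constructed sample input (assumption): placeholder fields, not a real certificate.
def der_tlv(tag, body):
    head = bytes([len(body)]) if len(body) < 0x80 else b"\x81" + bytes([len(body)])
    return bytes([tag]) + head + body

def sample_pem(key_bits, serial):
    spki = der_tlv(0x30, der_tlv(0x30, b"") + der_tlv(0x03, b"\x00" + key_bits))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, serial)
                  + der_tlv(0x30, b"") * 4 + spki)
    cert = der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
    return ssl.DER_cert_to_PEM_cert(cert)

if __name__ == "__main__":
    key = bytes(range(140))
    print(tlsa_311(sample_pem(key, b"\x01"), "mail.example.com"))
    print(tlsa_311(sample_pem(key, b"\x02"), "mail.example.com"))  # re-issued, same key
```

With a real leaf certificate, pass its PEM text to tlsa_311 together with your MX host name and compare the result with the record you publish.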