Email services protected by DANE protocol

Email services at ACTIVE 24 are protected by the DANE protocol. What does that mean?

Both incoming and outgoing emails are encrypted during SMTP communication between mail servers whenever the counterparty supports it, and the certificate is validated automatically. If the certificate is not valid (for example, because it was forged by an attacker), the email is not delivered and the attacker does not receive it. This effectively prevents not only passive interception of email communication but also active man-in-the-middle (MITM) attacks.

What do I have to do to use security with DANE?

Just have your email services set up as recommended, using the correct MX records and our SMTP servers for outgoing mail. Additionally, your domain must have DNSSEC enabled. (Ask our customer support to enable it if it is not enabled by default for your TLD. The DNSSEC service is free of charge.)

How does certificate validation work?

Email services use a different certificate validation principle than HTTPS in web browsers. We publish our certificate fingerprint in DNS using a TLSA record, and DNSSEC guarantees its integrity. Verification is thus completely independent of the certification authority system. ACTIVE24 mail exchange servers publicly declare via DNS that the counterparty must use encryption and validate our certificate in every SMTP communication. We do the same in the opposite direction of communication.
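
The check described above, as an added example (not ACTIVE 24's code): a sending server compares the certificate presented by an MX host with the fingerprint from its TLSA record and trusts that record only when the DNS answer was DNSSEC-validated. The `3 1 1` TLSA parameters, the skeletal certificate bytes and the decision labels are constructed assumptions; the page does not state which parameters are published, and only end-entity (usage 3) records are handled.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, tlv_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo element of an X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)    # enter Certificate
    _, pos, _ = read_tlv(cert_der, pos)  # enter tbsCertificate
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                      # optional [0] version
        pos = end
    for _ in range(5):  # serial, signature alg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    return cert_der[pos:read_tlv(cert_der, pos)[2]]

def tlsa_matches(rdata, cert_der):
    """Compare a certificate with one 'usage selector mtype hex' TLSA record."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    if usage != "3":  # this sketch handles only DANE-EE (end-entity) records
        return False
    data = cert_der if selector == "0" else extract_spki(cert_der)
    if mtype in ("1", "2"):  # 1 = SHA-256, 2 = SHA-512, 0 = exact match
        data = hashlib.new("sha256" if mtype == "1" else "sha512", data).digest()
    return data == bytes.fromhex(hexdata.replace(" ", ""))

def smtp_decision(dnssec_validated, tlsa_rrset, cert_der):
    """Sending-side decision for one MX host."""
    if not dnssec_validated or not tlsa_rrset:
        return "opportunistic-tls"  # no trustworthy TLSA data: DANE not in play
    ok = any(tlsa_matches(r, cert_der) for r in tlsa_rrset)
    return "deliver" if ok else "do-not-deliver"

# Constructed sample: a skeletal DER certificate, not a real one.
def tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form lengths only

def make_cert(key):
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 4
    return tlv(0x30, tlv(0x30, tbs + spki) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

GENUINE, FORGED = make_cert(b"genuine-key"), make_cert(b"attacker-key")
TLSA = ["3 1 1 " + hashlib.sha256(extract_spki(GENUINE)).hexdigest()]
```

With the constructed inputs, the genuine certificate is accepted and the substituted one is refused, but only while the TLSA answer is DNSSEC-validated; without DNSSEC the sender has no fingerprint it can trust and the mismatch goes unnoticed.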