TLSA Validation Failed

Bjørn Mork bjorn at
Tue Jul 28 15:34:23 CEST 2015

Mark Elkins <mje at> writes:

> For email - you need a TLSA 311 Certificate.

Care to explain why?  I am sure I'm missing something here, but this
isn't obvious to me.

And does "email" mean SMTP or POP/IMAP or all of them?

Until now I've just used the same private self-signed CA certificate for
all services, and just created aliases to a common TLSA 2 0 1 record.
This appeared to work fine, but then again: I don't know how I would
detect a failure...  There aren't that many validating email clients out

How do you test and validate TLSA records for SMTP, POP and IMAP?
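Added example, not part of the original post: a Python sketch of the digest-matching step a validating client performs, showing how a TLSA 2 0 1 record on a private CA and the TLSA 3 1 1 record from the quoted message behave when the leaf certificate is renewed or the server leaves the CA out of its chain. The function names, the constructed stand-in certificates and the leaf-first chain layout are assumptions; signature, name and validity checks are out of scope.

```python
import hashlib

def tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    return tag, start, start + length

def spki_of(cert):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, pos, _ = tlv(cert, 0)                   # enter Certificate
    _, pos, _ = tlv(cert, pos)                 # enter TBSCertificate
    tag, _, end = tlv(cert, pos)
    if tag == 0xA0:                            # optional [0] version
        pos = end
    for _ in range(5):                         # serial, sigAlg, issuer, validity, subject
        _, _, pos = tlv(cert, pos)
    return cert[pos:tlv(cert, pos)[2]]

def association(cert, selector, mtype):
    data = cert if selector == 0 else spki_of(cert)   # 0 = full cert, 1 = SPKI
    return data if mtype == 0 else hashlib.new({1: "sha256", 2: "sha512"}[mtype], data).digest()

def tlsa_matches(chain, rrset):
    """chain: DER certs as sent by the server, leaf first (assumed layout).
    rrset: (usage, selector, mtype, data) tuples. Digest matching only:
    signatures, names and validity are not checked here."""
    hits = []
    for usage, selector, mtype, data in rrset:
        if usage not in (2, 3):                # PKIX-TA(0)/PKIX-EE(1) not covered
            continue
        candidates = chain[:1] if usage == 3 else chain   # DANE-EE pins the leaf only
        if any(association(c, selector, mtype) == data for c in candidates):
            hits.append((usage, selector, mtype))
    return hits

# Constructed stand-ins with the X.509 field layout (not real certificates).
def der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body      # short-form length, body < 128 bytes

def fake_cert(serial, key):
    spki = der(0x30, der(0x30), der(0x03, b"\x00" + key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, bytes([serial])),
              *[der(0x30)] * 4, spki)
    return der(0x30, tbs, der(0x30), der(0x03, b"\x00sig"))
```

With a record set holding a 2 0 1 digest of the CA and a 3 1 1 digest of the old leaf key, a renewed leaf still matches through the CA record, but only when the CA certificate is present in the chain the server sends.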


More information about the dane-users mailing list