
Unable to set the TLSA record for the email server


My domain provider does not allow me to set the TLSA record for the domain; what are the consequences of this?

Not setting a TLSA (Transport Layer Security Authentication) record for email means you are not implementing DANE (DNS-based Authentication of Named Entities), an optional protocol that uses DNSSEC-protected DNS records to verify that the TLS certificate a mail server presents is the one its owner published.

When TLSA records are missing, your email system relies solely on the traditional, weaker validation methods, which leaves it exposed to the attacks described below.

Primary Consequences of Not Setting TLSA

  • Vulnerability to "Machine-in-the-Middle" (MITM) Attacks: Without a TLSA record that pins a specific certificate or public key in your DNS, a malicious actor who can intercept the connection between mail servers may present a fraudulent certificate, allowing them to decrypt or alter emails in transit.

  • Susceptibility to STARTTLS Downgrade (STRIPTLS) Attacks: Attackers can strip the "STARTTLS" capability from the server connection, forcing mail to be sent in plain text (unencrypted), even if both servers actually support encryption.

  • Reliance on Less Secure Certificate Validation: Instead of verifying the certificate directly against your DNSSEC-protected records, the sending server has to rely on Certificate Authorities (CAs). If a CA is compromised, an attacker can obtain a fraudulent but technically valid certificate for your domain.

  • Reduced Trust Level: High-security, DANE-aware sending servers (like those at some financial or government institutions) may consider your domain less trustworthy or, in some cases, refuse to connect if they expect DANE security but find no record.
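How the pinning described above actually works, as an added example that is not part of the original post: a DANE-EE record (usage 3, selector 1, matching type 1) carries the SHA-256 of the certificate's SubjectPublicKeyInfo, and a DANE-aware sender accepts the connection only if the presented certificate reproduces that value. The certificate below is constructed for the demo (unsigned, Ed25519 key, empty names) and the DER walker is minimal; neither is a real mail-server certificate or a production library.

```python
import hashlib

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, content, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln

def _der(tag, content):
    """Encode one DER TLV; used only to build the constructed sample certificate."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def spki_from_cert(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo (what selector 1 covers)."""
    _, cert_body, _ = _tlv(cert_der, 0)            # Certificate ::= SEQUENCE {tbs, sigAlg, sig}
    _, tbs, _ = _tlv(cert_body, 0)                 # tbsCertificate
    pos, elems = 0, []
    while pos < len(tbs):
        start = pos
        tag, _, pos = _tlv(tbs, pos)
        elems.append((tag, tbs[start:pos]))        # keep the whole TLV, not just its content
    if elems[0][0] == 0xA0:                        # explicit [0] version is optional (absent in v1)
        elems.pop(0)
    return elems[5][1]  # serial, sigAlg, issuer, validity, subject, subjectPublicKeyInfo

def tlsa_data(cert_der, selector, matching):
    """Certificate association data per RFC 6698 selector/matching-type fields."""
    obj = cert_der if selector == 0 else spki_from_cert(cert_der)
    if matching == 0:
        return obj                                 # full object, no hashing
    return (hashlib.sha256 if matching == 1 else hashlib.sha512)(obj).digest()

def tlsa_rdata(cert_der, usage=3, selector=1, matching=1):
    """Presentation form as published at _25._tcp.<mx host>, e.g. '3 1 1 <hex>'."""
    return f"{usage} {selector} {matching} {tlsa_data(cert_der, selector, matching).hex()}"

def cert_matches_tlsa(cert_der, rdata):
    """The check a DANE-aware sender performs against the presented certificate."""
    _usage, sel, mt, hexdata = rdata.split()
    return tlsa_data(cert_der, int(sel), int(mt)) == bytes.fromhex(hexdata)

def sample_cert(pubkey32):
    """Constructed, unsigned certificate carrying an Ed25519 SPKI (demo input only)."""
    alg = _der(0x30, _der(0x06, bytes([0x2B, 0x65, 0x70])))            # OID 1.3.101.112
    spki = _der(0x30, alg + _der(0x03, b"\x00" + pubkey32))
    name, t = _der(0x30, b""), _der(0x17, b"240101000000Z")
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg + name + _der(0x30, t + t) + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + bytes(64))), spki

if __name__ == "__main__":
    cert, _ = sample_cert(bytes(range(32)))
    rr = tlsa_rdata(cert)
    print("_25._tcp.mail.example.com. IN TLSA", rr)
    print("presented certificate matches:", cert_matches_tlsa(cert, rr))
```

The same check is why a published record must be updated before the key it pins is rotated: a DANE-enforcing sender that finds a record which no longer matches the presented certificate refuses the connection.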

What Still Happens (The "Fallback")

It is important to note that not having a TLSA record does not mean your email will bounce or not be delivered.

  • Opportunistic TLS: Your email will likely still be encrypted using standard TLS (if both servers support it). This protects against passive eavesdropping but not against an active, targeted attacker.

  • No Disruption to Daily Flow: For the vast majority of today's email traffic, this has no immediate impact on delivery rates.