Deep Discovery Email
Inspector supports DANE
(DNS-based Authentication of Named Entities) to secure outbound messages by verifying
SMTP server
identity.
You can specify the DANE or DANE-only security level for outbound messages. For more
information, see Configuring TLS Settings for Outgoing
Messages.
The following tables show the actions performed on outbound messages depending on
the DNS and
TLSA records and verification results.
DANE-only
|
MX Record
|
A Record
|
TLSA
|
Certificate Verification
|
DANE Verification
|
Action
|
|
Secure
|
Secure
|
Secure
|
Successful
|
Successful
|
Deliver
|
|
Secure
|
Secure
|
Secure
|
Unsuccessful
|
Unsuccessful
|
Defer (server certificate not trusted)
|
|
Secure
|
Secure
|
Insecure
|
N/A
|
Unsuccessful
|
Defer (non-DNSSEC destination)
|
|
Secure
|
Secure
|
NXDOMAIN
|
N/A
|
Unsuccessful
|
Defer (no TLSA record)
|
|
Secure
|
Secure
|
Bogus
|
N/A
|
Unsuccessful
|
Defer (TLSA lookup error)
|
|
Secure
|
Insecure
|
N/A
|
N/A
|
Unsuccessful
|
Defer (non-DNSSEC destination)
|
|
Secure
|
Bogus
|
N/A
|
N/A
|
Unsuccessful
|
Defer (host or domain name not found)
|
|
Insecure
|
Secure
|
Secure
|
Successful
|
Unsuccessful
|
Defer (non-DNSSEC destination)
|
|
Insecure
|
Secure
|
Secure
|
Unsuccessful
|
Unsuccessful
|
Defer (non-DNSSEC destination)
|
|
Insecure
|
Secure
|
Insecure
|
N/A
|
Unsuccessful
|
Defer (non-DNSSEC destination)
|
|
Insecure
|
Secure
|
NXDOMAIN
|
N/A
|
Unsuccessful
|
Defer (non-DNSSEC destination)
|
|
Insecure
|
Secure
|
Bogus
|
N/A
|
Unsuccessful
|
Defer (non-DNSSEC destination)
|
|
Insecure
|
Insecure
|
N/A
|
N/A
|
Unsuccessful
|
Defer (non-DNSSEC destination)
|
|
Insecure
|
Bogus
|
N/A
|
N/A
|
Unsuccessful
|
Defer (host or domain name not found)
|
|
Bogus
|
N/A
|
N/A
|
N/A
|
Unsuccessful
|
Defer (host or domain name not found)
|
DANE
|
MX Record
|
A Record
|
TLSA
|
Certificate Verification
|
DANE Verification
|
Action
|
|
Secure
|
Secure
|
Secure
|
Successful
|
Successful
|
Deliver
|
|
Secure
|
Secure
|
Secure
|
Unsuccessful
|
Unsuccessful
|
Defer (server certificate not trusted)
|
|
Secure
|
Secure
|
Insecure
|
N/A
|
Unsuccessful
|
Fall back to opportunistic TLS
|
|
Secure
|
Secure
|
NXDOMAIN
|
N/A
|
Unsuccessful
|
Fall back to opportunistic TLS
|
|
Secure
|
Secure
|
Bogus
|
N/A
|
Unsuccessful
|
Defer (TLSA lookup error)
|
|
Secure
|
Insecure
|
N/A
|
N/A
|
Unsuccessful
|
Fall back to opportunistic TLS
|
|
Secure
|
Bogus
|
N/A
|
N/A
|
Unsuccessful
|
Defer (host or domain name not found)
|
|
Insecure
|
Secure
|
Secure
|
Successful
|
Unsuccessful
|
Fall back to opportunistic TLS
|
|
Insecure
|
Secure
|
Secure
|
Unsuccessful
|
Unsuccessful
|
Defer (server certificate not trusted)
|
|
Insecure
|
Secure
|
Insecure
|
N/A
|
Unsuccessful
|
Fall back to opportunistic TLS
|
|
Insecure
|
Secure
|
NXDOMAIN
|
N/A
|
Unsuccessful
|
Fall back to opportunistic TLS
|
|
Insecure
|
Secure
|
Bogus
|
N/A
|
Unsuccessful
|
Defer (TLSA lookup error)
|
|
Insecure
|
Insecure
|
N/A
|
N/A
|
Unsuccessful
|
Fall back to opportunistic TLS
|
|
Insecure
|
Bogus
|
N/A
|
N/A
|
Unsuccessful
|
Defer (host or domain name not found)
|
|
Bogus
|
N/A
|
N/A
|
N/A
|
Unsuccessful
|
Defer (host or domain name not found)
|