Encryption for all emails: Tuta uses DANE, DNSSEC, and MTA-STS for maximum security

Protecting your data doesn't stop with end-to-end encryption. Tuta uses leading security protocols to protect web traffic and your standard email delivery.

Tuta is the world's most secure email service: On top of our default post-quantum end-to-end encryption, Tuta uses DANE, DNSSEC, DMARC, DKIM, MTA-STS, SPF & TLS to protect your data.


We’ve talked a lot about our world’s first post-quantum email encryption and how it protects your emails to a greater degree than any other email provider, but keeping your data secure doesn’t stop with our end-to-end email encryption alone. That’s why we are proud to deploy a number of additional security protocols to ensure that your connections to our site are secure and that your emails take advantage of authentication and verification technologies.

Ensuring that Tuta.com cannot be spoofed

We put your privacy first and have been using these additional security measures, unlike Google who only started requiring them in 2024. This is privacy you can trust.

What is DANE for email?

DNS-based Authentication of Named Entities (DANE) is an internet security protocol that binds digital certificates to domain names using Domain Name System Security Extensions (DNSSEC). It is used for Transport Layer Security (TLS), and is particularly important for email security.

Tuta is one of the few email services that already supports DANE. DANE protects your emails while in transit by taking advantage of DNSSEC to certify the keys being used between clients and servers within TLS by cementing them as verifiable DNS records. The DANE protocol makes email communication much more secure and should be implemented by all mail providers. Tuta supports DANE on the mail server, which adds another level of security to the communication with other email services that also support DANE.

We have introduced DANE to help provide a secure means of verifying certificates. This reduces the risk of fraudulent certificate attacks by actors who might be trying to create a credential phishing site pretending to be Tuta. DANE is dependent upon another set of security extensions known as Domain Name System Security Extensions or DNSSEC. DNSSEC protects against forged DNS cache poisoning attacks which seek to force traffic to non-official pages. DNSSEC digitally signs the DNS records for a domain using asymmetric cryptography and the keys are generated and kept by the domain owner.

It is crucial that we include these additional security settings because pure DNS alone is not secure. Cache poisoning attacks, also known as DNS spoofing, take advantage of DNS’s weak security posture and can allow attackers to redirect users from legitimate sites to one which they control. This kind of man-in-the-middle attack can be used for harvesting login information for credential stuffing attacks.

On our security page you can learn more on the security of Tuta.

Why DANE is crucial for protecting your emails and domains

On top of encrypting your data using Tuta’s post-quantum encryption, using DANE adds an extra layer of security. It cannot be stated enough that using DANE to protect your custom domain is essential. If you are not taking advantage of these free additional security measures, you are placing a target on your domain for spammers and other malicious actors. By using DANE to verify and approve the keys used in TLS you are protecting your emails even when they are being sent without quantum resistant end-to-end encryption. Spam bots and malicious actors love to pick the low-hanging fruit, if you take the additional steps to add DANE DNS records to your custom domain you are setting yourself above and beyond the security posture of your peers. These changes only take a few minutes, but will save you hours of headache should spammers try to spoof your custom domain.

Protecting Emails with and without end-to-end encryption

Next to the built-in encryption, Tuta also uses best-in-class TLS encryption to secure your emails if you choose not to use the default end-to-end encryption. You can check our high level of transport encryption on SSL Labs and Security Headers.

We also integrated complete MTA-STS support for custom domains so that also our paying users can secure their own domain emails in the best way possible. MTA-STS uses TXT records which are added to your domain’s DNS configuration settings which set rules forcing mail servers to only use secure channels. By combining MTA-STS with our other DNS security measure like SPF, DKIM, and DMARC we can guarantee that your emails are sent with the highest possible degree of security. We even support DKIM for your custom domain.

More security improvements are on the way

The cyber threat landscape is always changing and evolving. As defenders of your data that means we too must keep working and improving our security stance. That’s why our cryptography team is working towards the introduction of perfect forward security to further strengthen our post-quantum email encryption. With perfect forward security you will have mathematical assurance that your conversation session keys won’t become compromised even in the event that long-term elements used in the session keys are compromised. This means that your past conversations will still remain securely encrypted even in the event of a key compromise. This level of security surpasses that of PGP which cannot offer forward secrecy, thus leaving you potentially exposed.

When it comes to security and protecting your data, don’t settle for less.

Start using the world’s most secure email service today!

Register your own secure mail account here and protect your entire mailbox, contacts and calendars with quantum-resistant encryption.