DANE Everywhere: Let's make the Internet a private place again.

Tutanota uses DANE (DNS-based Authentification of Named Entities). This technology binds the SSL key information to a domain name (DNS) and protects that binding with DNSSEC. DANE makes Man-in-the-Middle attacks practically impossible.


Update 2020-06-10: This post is oudated as there are no browser plugins for DANE anymore. Tutanota still supports DANE on the mail server. Check here for details.


With DANE the authentication becomes independent from Certificate Authorities and their possibly bogusly issued certificates. The SSL transport encryption secures all data between your browser and our German-based servers. Whenever you access your data on Tutanota, the connection is completely secured. In addition all encrypted emails are now also protected with DANE. Your ‘normal’ emails sent via SMTP are protected with DANE in case that the other email provider supports DANE as well. To make sure that your connection with our servers can be trusted, please install the DNSSEC/DANE/TLSA browser plug-ins. Read here how to install the DANE browser add-ons to secure your encrypted mailbox even better.

The reason why we as an email provider with a focus on security have to implement DANE is obvious: SSL makes man-in-the-middle attacks all too easy. Every owner of root certificates that is certificate authorities, secret services and big Internet providers can intervene between user and server to intercept confidential information or even manipulate it. These attacks are done more often than we think because most users do not notice being under attack. An investigation by The Spiegel together with Laura Poitras shows a shocking example of this method.

Tutanota is one of the first email providers worldwide to implement DANE. This is a consequent step for the German-based email service that enables its users to communicate with everybody with end-to-end encrypted emails, even if the other one does not use any encryption software. The encrypted email to an external recipient does not travel the Internet, but is being fetched directly from the Tutanota servers in Germany with the help of a password. Hackers call this “a major improvement over the dead letter box communication system”. This is an advantage also with DANE. Even though big email providers do not use DANE to date, all end-to-end encrypted emails from Tutanota are completely protected with DANE because they only travel between people’s browsers and the Tutanota servers. In addition to that, DANE secures the SSL connection upon login so that attackers cannot intercept login data.

We hope that mainstream email providers will implement DANE soon

With DANE we add another layer of protection because we want to push online security further. We hope that mainstream email providers will follow our example and implement this important technology. After ‘HTTPS Everywhere’, the next step should be ‘DANE Everywhere’! We are happy about Google’s stress on HTTPS as well as CloudFlare’s recent announcement of introducing DNSSEC in the next six months. These are important steps in the right direction. We believe that together we can make the Internet a better - a private - place again. DANE is a universal protocol that can be implemented by every site owner and every email provider. It offers the chance to make email communication much more secure.

How DANE works

DANE eliminates several weaknesses of SSL, thereby increasing the security of SSL protected emails. DANE stores the digital fingerprints of an SSL certificate in DNS, the phone book of the Internet. Mail servers and browsers can automatically verify the authenticity of the certificate before establishing a trusted SSL connection or sending an email via SSL transport encryption. This way DANE prohibits effectively against criminals or secret services pretending to be a particular web or mail server to gain access to login data or content with the help of bogus certificates.

In addition the DANE entries in the phone book of the Internet (DNS) are secured with the help of DNSSEC. This technology prevents others from changing entries within DNS and substituting any digital fingerprints of SSL certificates. Every visitor of tutanota.com and mail.tutanota.com can easily check the authenticity of our certificate:

DANE Screenshot

DANE plugin lock

DANE already works in all common browsers through Add-ons. Find out how to install these Add-ons here. Even though it will take some more time until DANE will become widely used, we want to make a start. Our users are very affine to security issues and many will install the Add-ons. It is nice to know that the transportation of data between the user and the Tutanota server now is better secured. This is a perfect addition to our easy-to-use end-to-end encryption. With Tutanota you can encrypt every email to every friend with a tip of your finger. Also we are working hard on the development of mobile apps to make email encryption on mobile devices more convenient. However you can already use the webapp on your mobile devices.

If you think more providers should offer DANE, tell yours. Or simply use Tutanota. :)

Tutanota is open source. Check out our Git repository!