A comprehensive DANE SMTP testing tool that validates SMTP servers using DANE TLSA records with full support for MX lookups, multi-IP testing, and signature algorithm selection.
Based on a shell function by Viktor Dukhovni on the DANE-users mailing list (source: https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/thread/NKDBQABSTAAWLTHSZKC7P3HALF7VE5QY)
- Automatic MX record lookup and testing
- Tests all IPv4 and IPv6 addresses for each MX host
- DANE TLSA record validation with OpenSSL
- Manual IP address override
- RSA/ECDSA signature algorithm selection
- Pass-through for additional OpenSSL options
Usage:

```
danesmtp [-a addr] [-s rsa|ecdsa|<sigalg>] domain [openssl opts...]
```

- `-a addr` — Force testing of a specific IP address (bypasses MX lookup)
- `-s rsa` — Use RSA signature algorithms (`rsa_pss_rsae_sha256:rsa_pkcs1_sha256`)
- `-s ecdsa` — Use the ECDSA signature algorithm (`ecdsa_secp256r1_sha256`)
- `-s <custom>` — Pass a custom OpenSSL `-sigalgs` string

Anything after the domain is passed through to `openssl s_client` unchanged. Selecting a signature algorithm restricts what the client offers, so the server must present a certificate of that type; this is how you check each certificate (and its TLSA record) separately on a server that has both RSA and ECDSA certificates.
Test all MX hosts for a domain:

```
danesmtp domain.tld
```

Force testing of a specific IP:

```
danesmtp -a aaaa:bbb::1 domain.tld
```

Test with ECDSA signature preference:

```
danesmtp -s ecdsa domain.tld
```

Combine options:

```
danesmtp -a aa.bb.ccc.dd -s rsa domain.tld
```

Requirements:

- bash
- openssl with DANE support (OpenSSL 1.1.0 or later, which added the `s_client -dane_tlsa_domain` and `-dane_tlsa_rrdata` options)
- dig (from bind-tools/dnsutils)
How it works:

- Looks up MX records for the domain (unless `-a` is specified)
- Resolves all A/AAAA records for each MX host
- Fetches TLSA records from `_25._tcp.<mx-host>`
- Tests SMTP STARTTLS with DANE validation via OpenSSL
- Reports success or failure for each IP address
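The procedure above, written out as a stand-alone POSIX shell script. This is an added example, not the project's own script and not Viktor Dukhovni's function: it resolves MX, A/AAAA and TLSA records with `dig`, then drives `openssl s_client -starttls smtp` with one `-dane_tlsa_rrdata` option per TLSA record and `-dane_tlsa_domain` set to the MX host. It assumes OpenSSL 1.1.0 or later, and it assumes that with `-a` the domain argument names the MX host itself (so it serves both the `_25._tcp` lookup and `-dane_tlsa_domain`). The `PASS`/`FAIL` output format and the helper names (`sigalgs_for`, `tlsa_rdata`, `mx_host`, `connect_target`, `test_ip`) are mine.

```shell
#!/bin/sh
# Added example, not the project's script: a minimal danesmtp-style checker.
# Assumes dig (bind-tools/dnsutils) and OpenSSL >= 1.1.0 (s_client DANE options).
# Assumption: with -a, the domain argument is the MX host name, so it is used for
# the _25._tcp TLSA lookup and as -dane_tlsa_domain.

usage() {
    echo 'usage: danesmtp [-a addr] [-s rsa|ecdsa|<sigalg>] domain [openssl opts...]' >&2
}

# Map the -s value to an OpenSSL -sigalgs string (same values as the README).
sigalgs_for() {
    case "$1" in
        rsa)   echo 'rsa_pss_rsae_sha256:rsa_pkcs1_sha256' ;;
        ecdsa) echo 'ecdsa_secp256r1_sha256' ;;
        *)     echo "$1" ;;     # custom sigalgs string, passed through unchanged
    esac
}

# Normalise one `dig +short` TLSA line to "usage selector mtype HEX". Hex that dig
# wrapped with spaces is joined; anything that is not TLSA rdata yields no output.
tlsa_rdata() {
    printf '%s\n' "$1" | awk 'NF >= 4 && $1 ~ /^[0-3]$/ && $2 ~ /^[01]$/ && $3 ~ /^[0-2]$/ {
        hex = ""; for (i = 4; i <= NF; i++) hex = hex toupper($i)
        print $1, $2, $3, hex }'
}

# "10 mx1.example.com." -> "mx1.example.com" (drop preference and trailing dot).
mx_host() { printf '%s\n' "$1" | awk '{ h = $NF; sub(/\.$/, "", h); print h }'; }

# openssl -connect needs IPv6 literals in brackets.
connect_target() {
    case "$1" in
        *:*) echo "[$1]:$2" ;;
        *)   echo "$1:$2" ;;
    esac
}

# STARTTLS to one IP of one MX host with DANE verification; extra args go to s_client.
test_ip() {
    host=$1; ip=$2; sigalgs=$3; shift 3
    rr_count=0
    while IFS= read -r line; do
        rr=$(tlsa_rdata "$line")
        [ -n "$rr" ] || continue
        set -- "$@" -dane_tlsa_rrdata "$rr"     # one option per TLSA record
        rr_count=$((rr_count + 1))
    done <<EOF
$(dig +short -t tlsa "_25._tcp.$host")
EOF
    if [ "$rr_count" -eq 0 ]; then
        echo "FAIL $host [$ip]: no TLSA records at _25._tcp.$host"; return 1
    fi
    if [ -n "$sigalgs" ]; then set -- "$@" -sigalgs "$sigalgs"; fi
    out=$( (printf 'QUIT\r\n'; sleep 2) | openssl s_client -starttls smtp \
        -connect "$(connect_target "$ip" 25)" -dane_tlsa_domain "$host" "$@" 2>&1 ) || true
    # 1.1.1+/3.x print "Verification: OK"; 1.1.0 prints "Verify return code: 0 (ok)".
    if printf '%s\n' "$out" | grep -q -e 'Verification: OK' -e 'Verify return code: 0 (ok)'; then
        echo "PASS $host [$ip]: $(printf '%s\n' "$out" | grep -m1 'DANE TLSA')"; return 0
    fi
    echo "FAIL $host [$ip]: $(printf '%s\n' "$out" | grep -m1 -i -e 'verif' -e 'error')"; return 1
}

danesmtp_main() {
    addr=""; sigalgs=""; OPTIND=1
    while getopts 'a:s:' opt; do
        case $opt in
            a) addr=$OPTARG ;;
            s) sigalgs=$(sigalgs_for "$OPTARG") ;;
            *) usage; return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    [ $# -ge 1 ] || { usage; return 2; }
    domain=$1; shift; rc=0
    if [ -n "$addr" ]; then
        test_ip "$domain" "$addr" "$sigalgs" "$@" || rc=1; return $rc
    fi
    mxs=$(dig +short -t mx "$domain" | sort -n)   # lowest preference first
    [ -n "$mxs" ] || { echo "FAIL $domain: no MX records"; return 1; }
    while read -r pref name; do
        [ -n "$name" ] || continue
        host=$(mx_host "$name")
        for ip in $(dig +short -t a "$host"; dig +short -t aaaa "$host"); do
            case $ip in *:*) ;; *[!0-9.]*) continue ;; esac   # skip CNAME targets
            test_ip "$host" "$ip" "$sigalgs" "$@" || rc=1
        done
    done <<EOF
$mxs
EOF
    return $rc
}

if [ $# -gt 0 ]; then danesmtp_main "$@"; else usage; fi
```

Save it as `danesmtp.sh` and run `sh danesmtp.sh example.com`, or `sh danesmtp.sh -a 192.0.2.25 mx1.example.com` to hit one address of one MX host. The PASS condition is s_client's verification result with DANE enabled, so a server whose certificate chains to a public CA but matches none of its TLSA records is reported as FAIL, which is the failure a DANE-enforcing MTA would also see; an MX with no TLSA records is reported as FAIL as well, since a `-dane_tlsa_domain` run without `-dane_tlsa_rrdata` cannot verify anything.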
TBD.