The DANE fail list
DANE is a standard that allows TLS certificates to be bound to DNS names using DNSSEC. At present, DANE is used primarily in MTA-to-MTA SMTP. DANE is supported by multiple major MTAs, such as: Postfix, Exim, Cloudmark and Halon, with more on the way. A growing number of domains have DANE TLSA records for their MX hosts.
If domain is DNSSEC-signed, but its DNS servers fail to give valid answers in response to TLSA queries, email delivery to this domain will fail for senders using DANE. The most common problems are authoritative servers responding with incomplete or incorrect NSEC/NSEC3 records, expired signatures, or SOA records modified after signing. Recursive resolvers return SERVFAIL under these conditions.
This is a verified list of DNSSEC-signed domains, which either don't give valid TLSA responses, or respond with TLSA records that don't match their certificate chain, and therefore need to be excluded from DANE verification, in order to avoid email delivery outages.
See https://danefail.org/ for more information, or create a pull request for suggested updates.
Reach out before adding
Before adding a domain to the list, contact the domain in question (info@ etc, as well as postmaster@ and hostmaster@) and if possible the DNS service provider, possibly by using the email template below:
The domain XXX [hosted at YYY] ZZZ which prevents email delivery to this domain from email sending systems using DANE. We urge you to resolve this issue, but in the meantime we'd like to add your domain to a list of domains that DANE senders should bypass, so that email delivery doesn’t fail to your domain: https://danefail.org
Even if your domain added to the list, it’ll be automatically removed once the issues are resolved.
[example showing the problem]
where XXX is the domain, YYY is the DNS and/or email provider, ZZZ is a brief problem statement (such as "has broken DNSSEC" or "has nameservers that don't respond to TLSA queries") and the example includes a link to http://dnsviz.net/ for DNS failures or details of an SMTP session that fails to obtain a TLS certificate chain that matches the TLSA records.