diff --git a/FAQ.md b/FAQ.md index 853322ca4a..3f2a330e95 100644 --- a/FAQ.md +++ b/FAQ.md @@ -5681,7 +5681,7 @@ Please see [this Wikipedia article](https://en.wikipedia.org/wiki/Domain_Name_Sy Please see [this article](https://github.com/internetstandards/toolbox-wiki/blob/main/DANE-for-SMTP-how-to.md) about what DANE is. Alternatively, see [this Wikipedia article](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities). -You can use [this tool](https://ssl-tools.net/tlsa-generator) to generate TLSA DNS records for DANE. +You can use [this tool](https://ssl-tools.net/tlsa-generator) to generate TLSA DNS records for DANE (select either PKIX-EE or DANE-EE). You can enable enforcing DNSSEC and/or DANA in the (advanced) account and identity settings (since version 1.2149). diff --git a/index.html b/index.html index e3e65a8185..58db24be34 100644 --- a/index.html +++ b/index.html @@ -2778,7 +2778,7 @@ adb install /path/to/FairEmail-xxx.apk

(202) What is DNSSEC and what is DANE?

Please see this Wikipedia article about what DNSSEC is.

Please see this article about what DANE is. Alternatively, see this Wikipedia article.

-

You can use this tool to generate TLSA DNS records for DANE.

+

You can use this tool to generate TLSA DNS records for DANE (select either PKIX-EE or DANE-EE).

You can enable enforcing DNSSEC and/or DANA in the (advanced) account and identity settings (since version 1.2149).

Note that only some email providers support DANE and that only a limited number of DNS servers support DNSSEC (January 2024: ~30%), which is required for DANE. Most private DNS providers support DNSSEC, though. You can configure private DNS in the Android network settings. To be sure that private DNS is being used, better configure a host name like dns.google, 1dot1dot1dot1.cloudflare-dns.com or dns.quad9.net. An alternative is using Certificate Transparency, see the previous FAQ.

Email providers known to support DANE: