What is an SMIMEA record?
An SMIMEA record is a DNS record type used to associate an S/MIME certificate with an email address via the Domain Name System. It allows mail clients to automatically discover and retrieve a user's S/MIME certificate by looking up their email address in DNS, enabling encrypted and digitally signed email without requiring manual certificate exchange or a separate directory lookup. SMIMEA is part of the DANE (DNS-Based Authentication of Named Entities) family of record types and is defined in RFC 8162, an Experimental RFC that reuses the RDATA layout of the TLSA record (RFC 6698).
SMIMEA record format
A typical SMIMEA record looks like the following in standard BIND format:
$ORIGIN example.com.
c93f1e400f26708f98cb19d936620da35eec8f72e57f9eec01c1afd6._smimecert 3600 IN SMIMEA 3 0 1 ab3f4bc8d1e6a7d09c5e1234f874abc9d35e...
The anatomy of the SMIMEA record above looks like the following:
| Host Label | TTL | Record Class | Record Type | Certificate Usage | Selector | Matching Type | Certificate Association Data |
|---|---|---|---|---|---|---|---|
| c93f1e400f26708f98cb19d936620da35eec8f72e57f9eec01c1afd6._smimecert.example.com. | 3600 | IN | SMIMEA | 3 | 0 | 1 | ab3f4bc8d1e6a7d09c5e1234f874abc9d35e... |
The owner name for an SMIMEA record is composed of two parts separated by a period (.), followed by the domain part of the email address. These parts are the SHA-256 Hash and the Underscore Label, giving the form hash._smimecert.domain.
- SHA-256 Hash is the left-most 28 octets (56 hexadecimal characters) of the SHA-256 hash of the local part (the part before the @) of the email address, encoded in lowercase hexadecimal. The local part is hashed byte-for-byte as UTF-8, with no case folding, so a client must use the same spelling the zone owner used. This scopes the lookup to one user at the domain. Note that the hash only hides addresses from casual zone enumeration; common local parts can still be recovered by a dictionary attack against the published labels.
- Underscore Label is the fixed string _smimecert, which identifies this as an SMIMEA DNS record and prevents collisions with other DNS labels. The domain part of the email address follows it unhashed.
TTL
The time-to-live in seconds. It specifies how long a resolver may cache the answer before it must discard it and issue a new query.
Record Class
Three DNS record classes are in common use:
- IN (Internet) – the default, and the class used for practically all records on the Internet.
- CH (Chaosnet) – today used mainly for querying DNS server version information.
- HS (Hesiod) – uses DNS to provide access to databases of information that change infrequently.
Record Type
The record type determines the format of the record data. Common record types are A, AAAA, CNAME, CAA, TXT etc. In the case of an SMIMEA record, the record type is SMIMEA.
Certificate Usage
An integer value that specifies how the certificate or public key in this record should be used and validated. The four defined values are:
- 0 – PKIX-TA: The record specifies a trust anchor that must appear in the certification path of the certificate being validated, and the certificate must also pass PKIX validation.
- 1 – PKIX-EE: The record specifies the end-entity certificate itself, which must also pass PKIX validation.
- 2 – DANE-TA: The record specifies a trust anchor for the certification path. PKIX validation is not required.
- 3 – DANE-EE: The record specifies the end-entity certificate or public key directly. PKIX validation is not required. This is the most commonly used value for SMIMEA. Because no certification path is checked, a usage 3 record's trust rests entirely on DNSSEC validation of the SMIMEA response; an unsigned or unvalidated record provides no assurance at all.
Selector
An integer value that specifies which part of the certificate is used to match against the Certificate Association Data field. The two defined values are:
- 0 – Full certificate: The entire DER-encoded certificate is used.
- 1 – SubjectPublicKeyInfo: Only the DER-encoded public key portion of the certificate is used.
Matching Type
An integer value that specifies how the Certificate Association Data field is compared to the selected portion of the certificate. The three defined values are:
- 0 – Exact match: The Certificate Association Data is the full selected content with no hashing applied.
- 1 – SHA-256: The Certificate Association Data is the SHA-256 hash of the selected content.
- 2 – SHA-512: The Certificate Association Data is the SHA-512 hash of the selected content.
Certificate Association Data
A hexadecimal string containing the certificate data as determined by the Selector and Matching Type fields. Depending on the Matching Type, this is either the full DER-encoded certificate or SubjectPublicKeyInfo, or a SHA-256 or SHA-512 hash of that content. A mail client recomputes the same value from the certificate it is about to use (the certificate carried in a signed message, or a certificate found for a recipient) and accepts the certificate only if the two values are equal.
How to add an SMIMEA record?
For instructions on how to add an SMIMEA record with us, you may refer to the tutorial here.
SMIMEA record glossary
S/MIME (Secure/Multipurpose Internet Mail Extensions)
S/MIME is a widely used standard for encrypting and digitally signing email messages. It relies on X.509 certificates issued by certificate authorities to bind a public key to an email address, enabling confidential and authenticated email communication.
DANE (DNS-Based Authentication of Named Entities)
DANE is a protocol that allows the binding of cryptographic keys and certificates to domain names using DNSSEC. SMIMEA is part of the DANE family, alongside TLSA and OPENPGPKEY, and enables secure certificate discovery through DNS without relying solely on traditional certificate authorities.
DNSSEC
Domain Name System Security Extensions - a suite of extensions that add security to the DNS protocol by enabling DNS responses to be validated cryptographically. DNSSEC is what gives an SMIMEA record its security: a zone that is not signed, or a client that does not validate, lets anyone who can forge DNS answers substitute their own certificate for the user's, so SMIMEA records should only be published in DNSSEC-signed zones and only trusted after successful validation.
X.509
X.509 is the standard format for public key certificates used in S/MIME. An X.509 certificate binds a public key to an identity (such as an email address) and is signed by a certificate authority to assert its authenticity.
SHA-256 / SHA-512
Secure Hash Algorithm variants producing 256-bit and 512-bit digests respectively. In an SMIMEA record, SHA-256 is used to derive the owner label from the email local part, and either SHA-256 or SHA-512 may be used as the Matching Type to hash the certificate or public key data stored in the record.
DER (Distinguished Encoding Rules)
DER is a binary encoding format for ASN.1 data structures, commonly used to encode X.509 certificates. The Certificate Association Data of an SMIMEA record is always derived from the DER form of the selected content: with Matching Type 0 (exact match) the DER-encoded certificate or SubjectPublicKeyInfo is published directly as hexadecimal, and with Matching Types 1 and 2 it is the hash of those DER bytes that is published.
BIND
Berkeley Internet Name Domain - the most widely used DNS server software on the Internet. Its zone-file syntax is the de facto presentation format for DNS records, and Dynu follows the BIND format.
