SMIMEA Record Security
The SMIMEA record publishes S/MIME certificates in DNS for email encryption and signing. Defined in RFC 8162, it's the S/MIME equivalent of TLSA records, enabling automatic discovery of certificates for encrypted email.
What Is an SMIMEA Record?
SMIMEA (S/MIME Certificate Association) records store S/MIME certificate information in DNS, allowing email clients to:
- Discover certificates — Find S/MIME certs for any email address
- Encrypt email — Send encrypted messages automatically
- Verify signatures — Validate signed messages
- Bypass CA dependency — Trust certificates via DNSSEC
SMIMEA Record Format
Example SMIMEA Record
<hash>._smimecert.example.com. IN SMIMEA 3 0 1 abc123...sha256...
Similar to TLSA: Certificate Usage, Selector, Matching Type, Certificate Data.
SMIMEA Record Fields
| Field | Description | Values |
|---|---|---|
| Certificate Usage | How the certificate is to be trusted (see table below) | 0-3 |
| Selector | What part to match | 0 (full cert), 1 (public key) |
| Matching Type | How to match | 0 (exact), 1 (SHA-256), 2 (SHA-512) |
| Certificate Data | Certificate or hash | Hex-encoded data |
Certificate Usage Values
| Value | Name | Description |
|---|---|---|
| 0 | PKIX-TA | CA constraint (must chain to specified CA) |
| 1 | PKIX-EE | Service certificate constraint |
| 2 | DANE-TA | Trust anchor assertion |
| 3 | DANE-EE | Domain-issued certificate |
Record Name Construction
For the email address user@example.com:
- Take the local part: user
- Compute its SHA-256 hash
- Hex-encode the first 28 bytes of the digest (56 characters)
- Append ._smimecert.example.com.
# Example record name
29a5d...5c2f._smimecert.example.com. SMIMEA 3 0 1 ...
SMIMEA vs OPENPGPKEY
| Aspect | SMIMEA | OPENPGPKEY |
|---|---|---|
| Format | S/MIME (X.509) | OpenPGP |
| Infrastructure | PKI/CA-based | Web of Trust |
| Client support | Outlook, Apple Mail | GnuPG, Thunderbird |
| Enterprise use | More common | Less common |
Common SMIMEA Configurations
Domain-Issued Certificate (DANE-EE)
; Most common: SHA-256 of the full certificate, trusted via DANE
29a5d...5c2f._smimecert.example.com. SMIMEA 3 0 1 <sha256-of-cert>
Public Key Only
; Match public key (survives cert renewal)
29a5d...5c2f._smimecert.example.com. SMIMEA 3 1 1 <sha256-of-pubkey>
Full Certificate
; Include entire certificate
29a5d...5c2f._smimecert.example.com. SMIMEA 3 0 0 <full-cert-hex>
Setting Up SMIMEA
1. Generate Hash of Local Part
echo -n "user" | sha256sum | cut -c1-56
2. Generate Certificate Hash
# SHA-256 of DER-encoded certificate
openssl x509 -in cert.pem -outform DER | sha256sum
3. Create DNS Record
29a5d...5c2f._smimecert.example.com. 3600 IN SMIMEA 3 0 1 abc123...
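The three setup steps above, and the record-name construction and selector/matching-type variants described earlier, are carried through end to end in the following Python script. It is an added example, not the page's own tooling or any project's code: it reimplements what the sha256sum and openssl pipeline computes (owner name from the local part, association data for selector 0 or 1 and matching type 0, 1 or 2) and adds the recomputation check a DANE-aware client performs before trusting a certificate. It uses only the standard library; TOY_CERT_DER is a constructed DER structure that follows the X.509 field order but is not a real certificate, and every function and constant name in it is this example's own.

```python
"""SMIMEA (RFC 8162) helper: owner name, association data, client-side check.
Added example, not the page's tooling; standard library only. TOY_CERT_DER is a
constructed DER structure with X.509 field order, not a real certificate."""
import hashlib
import hmac


def smimea_owner_name(email: str) -> str:
    """RFC 8162 s3: SHA-256 of the UTF-8 local-part, first 28 octets as 56 hex chars."""
    local_part, _, domain = email.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not an email address: {email!r}")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()
    return f"{digest[:28].hex()}._smimecert.{domain.rstrip('.')}."


def _tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos] -> (tag, tag_offset, content_offset, end)."""
    tag, first, header = buf[pos], buf[pos + 1], 2
    length = first
    if first & 0x80:                        # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header += n
    content = pos + header
    if content + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, pos, content, content + length


def _children(buf: bytes, content: int, end: int) -> list:
    """All TLVs directly inside the content range of a constructed node."""
    out = []
    while content < end:
        node = _tlv(buf, content)
        out.append(node)
        content = node[3]
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo (selector 1 input). TBSCertificate fields in order:
    [0] version (optional), serialNumber, signature, issuer, validity, subject, SPKI."""
    tag, _, content, end = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tbs = _children(cert_der, content, end)[0]          # first element: tbsCertificate
    fields = _children(cert_der, tbs[2], tbs[3])
    if fields and fields[0][0] == 0xA0:                 # explicit [0] version present
        fields = fields[1:]
    tag, start, _, end = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not where expected")
    return cert_der[start:end]


_MATCHERS = {0: lambda b: b.hex(),                       # exact match: raw DER
             1: lambda b: hashlib.sha256(b).hexdigest(),
             2: lambda b: hashlib.sha512(b).hexdigest()}


def association_data(cert_der: bytes, selector: int, matching_type: int) -> str:
    """Certificate Association Data (hex) for the selector / matching type pair."""
    if selector == 0:
        subject = cert_der                 # full certificate
    elif selector == 1:
        subject = extract_spki(cert_der)   # public key only (survives renewal)
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching_type not in _MATCHERS:
        raise ValueError(f"unknown matching type {matching_type}")
    return _MATCHERS[matching_type](subject)


def smimea_record(email, cert_der, usage=3, selector=1, matching_type=1, ttl=3600) -> str:
    """Presentation-format record; defaults follow the page's best practices."""
    if usage not in (0, 1, 2, 3):
        raise ValueError(f"unknown certificate usage {usage}")
    data = association_data(cert_der, selector, matching_type)
    return f"{smimea_owner_name(email)} {ttl} IN SMIMEA {usage} {selector} {matching_type} {data}"


def verify_association(cert_der, selector, matching_type, published_hex) -> bool:
    """Client-side check: recompute from the presented certificate and compare."""
    expected = association_data(cert_der, selector, matching_type)
    return hmac.compare_digest(expected, published_hex.strip().lower())


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a short- or long-form definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed toy certificate: real X.509 field order, dummy contents (NOT a real cert).
TOY_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
                + _der(0x03, b"\x00" + b"\xaa" * 70))      # rsaEncryption OID, dummy BIT STRING
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))           # [0] version v3
                  + _der(0x02, b"\x01")                     # serialNumber
                  + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # signature alg
                  + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, b"")  # issuer, validity, subject
                  + TOY_SPKI)
TOY_CERT_DER = _der(0x30, _TBS + _der(0x30, b"") + _der(0x03, b"\x00" + b"\xbb" * 16))

if __name__ == "__main__":
    print(smimea_record("user@example.com", TOY_CERT_DER))
    print(verify_association(TOY_CERT_DER, 1, 1, association_data(TOY_CERT_DER, 1, 1)))
```

Run it as-is to see a 3 1 1 record for the toy certificate; for a real certificate, read the DER file (openssl x509 -in cert.pem -outform DER -out cert.der) and pass its bytes in place of TOY_CERT_DER. The selector 1 path is what the command line openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum produces, and verify_association is the check that fails with "hash mismatch" when the published data was computed over the PEM text rather than the DER bytes, or over the certificate when the record says public key.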
SMIMEA Best Practices
- Use DNSSEC — Essential for security; unsigned records provide no assurance.
- Use DANE-EE (3) — Simplest and most common for end-user certificates.
- Match public key (selector 1) — Allows certificate renewal without DNS changes.
- Use SHA-256 (matching type 1) — Smaller records than full certificate.
- Update on cert changes — Keep records synchronized with certificates.
Troubleshooting SMIMEA
Common issues and solutions:
- Certificate not found — Verify hash calculation matches exactly.
- Hash mismatch — Hash the DER encoding of the certificate (or of the public key for selector 1), not the PEM file.
- DNSSEC validation fails — Check zone signing is valid.
- Client doesn't use SMIMEA — Not all email clients support DANE/SMIMEA.
Related Record Types
- OPENPGPKEY Record — OpenPGP keys in DNS
- TLSA Record — TLS certificate association
- MX Record — Email server routing
- DNSKEY Record — DNSSEC keys