TLSA/DANE Lookup

Check for TLSA records — DNS-based certificate pinning (DANE).

GET /v1/tlsa

cURL

```bash
curl "https://dns.toolkitapi.io/v1/tlsa?domain=mail.toolkitapi.io&port=25"
```

Python

```python
import httpx

resp = httpx.get(
    "https://dns.toolkitapi.io/v1/tlsa?domain=mail.toolkitapi.io&port=25",
)
print(resp.json())
```

JavaScript

```javascript
const resp = await fetch("https://dns.toolkitapi.io/v1/tlsa?domain=mail.toolkitapi.io&port=25");
const data = await resp.json();
console.log(data);
```
Response 200 OK

```json
{
  "domain": "mail.toolkitapi.io",
  "tlsa_name": "_25._tcp.mail.toolkitapi.io",
  "port": 25,
  "protocol": "tcp",
  "has_tlsa": true,
  "dane_capable": true,
  "smtp_dane": true,
  "records": [
    {
      "usage": 3,
      "usage_name": "DANE-EE",
      "selector": 1,
      "selector_name": "SPKI",
      "matching_type": 1,
      "matching_name": "SHA-256",
      "certificate_data": "a1b2c3d4e5f6..."
    }
  ],
  "error": null,
  "query_time_ms": 89.2
}
```

How to Use

1. Pass the domain in the `domain` parameter.
2. Optionally set `port` (default: 443, use 25 for SMTP DANE).
3. Check `has_tlsa` and `dane_capable` for DANE support status.

About This Tool

TLSA/DANE Lookup checks for TLSA records that allow domain owners to pin TLS certificates via DNS, bypassing the CA trust model. DANE (DNS-Based Authentication of Named Entities) is especially important for SMTP email security. The tool also checks SMTP DANE (port 25).
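
An added example (not part of the original page or the API's own code): it filters the `records` array of a response down to the entries a DANE client could act on, then applies the RFC 6698 comparison between a record and a presented certificate. The function names, the stand-in certificate bytes and the sample records are constructed for illustration; the caller is assumed to supply the server's DER certificate and its SubjectPublicKeyInfo.

```python
import hashlib

# TLSA parameters per RFC 6698; the SMTP usage rule is from RFC 7672.
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}  # matching_type -> hash

def record_problems(rec, port):
    """Reasons one entry of `records` is unusable; empty list if none."""
    problems = []
    if rec["usage"] not in (0, 1, 2, 3):
        problems.append(f"unknown usage {rec['usage']}")
    elif port == 25 and rec["usage"] in (0, 1):
        # RFC 7672: SMTP clients treat PKIX-TA(0)/PKIX-EE(1) as unusable.
        problems.append("PKIX usage is not usable for SMTP DANE")
    if rec["selector"] not in (0, 1):
        problems.append(f"unknown selector {rec['selector']}")
    try:
        data = bytes.fromhex(rec["certificate_data"])
    except ValueError:
        return problems + ["certificate_data is not valid hex"]
    digest = DIGESTS.get(rec["matching_type"])
    if rec["matching_type"] not in (0, 1, 2):
        problems.append(f"unknown matching_type {rec['matching_type']}")
    elif digest and len(data) != digest().digest_size:
        problems.append("digest length does not fit matching_type")
    return problems

def record_matches(rec, cert_der, spki_der):
    """RFC 6698 comparison: select cert (0) or SPKI (1), hash, compare."""
    selected = cert_der if rec["selector"] == 0 else spki_der
    digest = DIGESTS.get(rec["matching_type"])
    presented = digest(selected).digest() if digest else selected
    return presented == bytes.fromhex(rec["certificate_data"])

def usable_records(response):
    """Entries of a response's `records` that a DANE client could act on."""
    return [r for r in response["records"]
            if not record_problems(r, response["port"])]

# Constructed sample: stand-in bytes, not a real certificate or key.
SPKI = b"constructed-spki-der"
CERT = b"constructed-cert-der:" + SPKI
SAMPLE = {"port": 25, "records": [
    {"usage": 3, "selector": 1, "matching_type": 1,
     "certificate_data": hashlib.sha256(SPKI).hexdigest()},
    {"usage": 1, "selector": 0, "matching_type": 1,
     "certificate_data": hashlib.sha256(CERT).hexdigest()},
    {"usage": 3, "selector": 1, "matching_type": 1,
     "certificate_data": "a1b2c3d4e5f6"},  # constructed: too short for SHA-256
]}
print([record_matches(r, CERT, SPKI) for r in usable_records(SAMPLE)])
```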

Frequently Asked Questions

Does DANE require DNSSEC?
Yes — DANE relies on DNSSEC to authenticate TLSA records. Without DNSSEC, TLSA records can't be trusted.

What's the difference between port 443 and port 25?
Port 443 is for HTTPS DANE, port 25 is for SMTP DANE (email server certificate pinning).
