What's the difference between SMIMEA and OPENPGPKEY?

SMIMEA uses S/MIME (X.509) certificates with PKI/CA infrastructure, common in enterprise environments like Outlook. OPENPGPKEY uses OpenPGP format with Web of Trust, common with GnuPG and Thunderbird.

How is the SMIMEA record name constructed?

The record name uses SHA-256 hash of the email local part (first 56 hex characters) followed by ._smimecert.domain. This provides privacy for email addresses while enabling certificate discovery.

What SMIMEA configuration is most common?

DANE-EE (usage 3) with public key selector (1) and SHA-256 matching (1) is most common. This configuration (3 1 1) allows certificate renewal without changing DNS records.

SMIMEA Record Security

Q: What is an SMIMEA record?

An SMIMEA record (RFC 8162) publishes S/MIME certificates in DNS for email encryption and signing. It's the S/MIME equivalent of TLSA records, enabling automatic discovery of certificates for encrypted enterprise email.

The SMIMEA record publishes S/MIME certificates in DNS for email encryption and signing. Defined in RFC 8162, it's the S/MIME equivalent of TLSA records, enabling automatic discovery of certificates for encrypted email.

Look Up SMIMEA Records

Check SMIMEA records for any domain using our free DNS lookup tool.

Look Up SMIMEA Records →

What Is an SMIMEA Record?

SMIMEA (S/MIME Certificate Association) records store S/MIME certificate information in DNS, allowing email clients to:

Discover certificates — Find S/MIME certs for any email address
Encrypt email — Send encrypted messages automatically
Verify signatures — Validate signed messages
Bypass CA dependency — Trust certificates via DNSSEC

SMIMEA Record Format

Example SMIMEA Record

<hash>._smimecert.example.com.    IN    SMIMEA    3 0 1 abc123...sha256...

Similar to TLSA: Certificate Usage, Selector, Matching Type, Certificate Data.

SMIMEA Record Fields

Field	Description	Values
Certificate Usage	How to use certificate	0-3
Selector	What part to match	0 (full cert), 1 (public key)
Matching Type	How to match	0 (exact), 1 (SHA-256), 2 (SHA-512)
Certificate Data	Certificate or hash	Hex-encoded data

Certificate Usage Values

Value	Name	Description
0	PKIX-TA	CA constraint (must chain to specified CA)
1	PKIX-EE	Service certificate constraint
2	DANE-TA	Trust anchor assertion
3	DANE-EE	Domain-issued certificate

Record Name Construction

For email address [email protected]:

Take the local part: user
Compute SHA-256 hash
Encode first 28 bytes as hex (56 characters)
Append ._smimecert.example.com.

# Example record name
29a5d...5c2f._smimecert.example.com.    SMIMEA    3 0 1 ...

SMIMEA vs OPENPGPKEY

Aspect	SMIMEA	OPENPGPKEY
Format	S/MIME (X.509)	OpenPGP
Infrastructure	PKI/CA-based	Web of Trust
Client support	Outlook, Apple Mail	GnuPG, Thunderbird
Enterprise use	More common	Less common

Common SMIMEA Configurations

Domain-Issued Certificate (DANE-EE)

; Most common: full certificate via DANE
29a5d...5c2f._smimecert.example.com.    SMIMEA    3 0 1 <sha256-of-cert>

Public Key Only

; Match public key (survives cert renewal)
29a5d...5c2f._smimecert.example.com.    SMIMEA    3 1 1 <sha256-of-pubkey>

Full Certificate

; Include entire certificate
29a5d...5c2f._smimecert.example.com.    SMIMEA    3 0 0 <full-cert-hex>

Setting Up SMIMEA

1. Generate Hash of Local Part

echo -n "user" | sha256sum | cut -c1-56

2. Generate Certificate Hash

# SHA-256 of DER-encoded certificate
openssl x509 -in cert.pem -outform DER | sha256sum

3. Create DNS Record

29a5d...5c2f._smimecert.example.com.    3600    IN    SMIMEA    3 0 1 abc123...

SMIMEA Best Practices

Use DNSSEC — Essential for security; unsigned records provide no assurance.
Use DANE-EE (3) — Simplest and most common for end-user certificates.
Match public key (selector 1) — Allows certificate renewal without DNS changes.
Use SHA-256 (matching type 1) — Smaller records than full certificate.
Update on cert changes — Keep records synchronized with certificates.

Troubleshooting SMIMEA

Common issues and solutions:

Certificate not found — Verify hash calculation matches exactly.
Hash mismatch — Ensure DER encoding when computing certificate hash.
DNSSEC validation fails — Check zone signing is valid.
Client doesn't use SMIMEA — Not all email clients support DANE/SMIMEA.

Check Your SMIMEA Records

Use our DNS Record Finder to look up SMIMEA records for any domain.