DNS SMIMEA Records Explained
DNS SMIMEA records associate S/MIME certificates with email addresses through the Domain Name System. They enable email clients to automatically discover and verify S/MIME certificates for encrypting and signing emails, improving the security and usability of email encryption.
What is an SMIMEA record?
An SMIMEA record has the same structure as a TLSA record, containing certificate usage, selector, matching type, and certificate association data fields. However, instead of being used for TLS server authentication, SMIMEA records bind S/MIME certificates to email addresses.
Defined in RFC 8162, SMIMEA records are published at a specific DNS name derived from the email address. For example, the SMIMEA record for user@example.com would be published at a name based on a hash of "user" under the _smimecert.example.com domain.
How do SMIMEA records work?
When an email client wants to send an encrypted email to a recipient, it queries DNS for the SMIMEA record associated with the recipient's email address. If a record is found, the client uses the certificate data in it to encrypt the message; the same lookup on a sender's address lets the client verify the signature on an incoming message.
The certificate usage field determines how the certificate should be validated: it can specify a CA constraint, a service certificate constraint, a trust anchor assertion, or a domain-issued certificate. The selector field indicates whether the full certificate or just the public key is being matched, and the matching type specifies whether the data is an exact match, a SHA-256 hash, or a SHA-512 hash.
Like TLSA records, SMIMEA records require DNSSEC to ensure the authenticity of the certificate data. Without DNSSEC, an attacker could forge SMIMEA records and substitute their own certificates, compromising the security of encrypted emails.
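The name derivation and field layout described above, worked through as an added example that is not part of the original page or of RFC 8162 itself. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, and the dnssec_authenticated flag is an assumed stand-in for the validating resolver's result.

```python
import hashlib
import hmac

def smimea_owner_name(email: str) -> str:
    """RFC 8162 owner name: SHA-256 of the UTF-8 local-part, truncated to
    28 octets (56 hex chars), then '_smimecert' and the domain."""
    local_part, domain = email.rsplit("@", 1)  # local-part hashed as given
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._smimecert.{domain.lower()}"

def association_data(selector: int, matching_type: int,
                     cert_der: bytes, spki_der: bytes) -> bytes:
    """Selector 0 = full certificate, 1 = SubjectPublicKeyInfo.
    Matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    if selector not in (0, 1) or matching_type not in (0, 1, 2):
        raise ValueError("unknown selector or matching type")
    data = cert_der if selector == 0 else spki_der
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    return data

def smimea_rdata(usage: int, selector: int, matching_type: int,
                 cert_der: bytes, spki_der: bytes) -> bytes:
    """Wire-format RDATA: three one-octet fields plus the association data."""
    data = association_data(selector, matching_type, cert_der, spki_der)
    return bytes([usage, selector, matching_type]) + data

def to_presentation(rdata: bytes) -> str:
    """Zone-file form: '<usage> <selector> <matching type> <hex data>'."""
    return f"{rdata[0]} {rdata[1]} {rdata[2]} {rdata[3:].hex()}"

def from_presentation(text: str) -> bytes:
    usage, selector, mtype, hexdata = text.split()
    return bytes([int(usage), int(selector), int(mtype)]) + bytes.fromhex(hexdata)

def certificate_matches(rdata: bytes, cert_der: bytes, spki_der: bytes,
                        dnssec_authenticated: bool) -> bool:
    """Client-side check: an unauthenticated record is never trusted (a forged
    record could bind an attacker's key); otherwise compare the presented
    certificate against the record's association data in constant time."""
    if not dnssec_authenticated or len(rdata) < 4:
        return False
    expected = association_data(rdata[1], rdata[2], cert_der, spki_der)
    return hmac.compare_digest(expected, rdata[3:])

# Constructed stand-ins; real values come from the recipient's S/MIME certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-certificate-bytes"
SAMPLE_SPKI_DER = b"\x30\x59constructed-spki-bytes"

if __name__ == "__main__":
    rdata = smimea_rdata(3, 1, 1, SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print(f"{smimea_owner_name('user@example.com')}. IN SMIMEA {to_presentation(rdata)}")
```

Running the block prints the record for user@example.com with usage 3 (domain-issued certificate), selector 1 (public key) and matching type 1 (SHA-256), the combination most commonly published for S/MIME.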
Example
Here's what an SMIMEA record looks like: