A TLSA lookup asks DNS for a TLS certificate association. Use it when you need to confirm DANE deployment, check SMTP TLSA records, or verify that a certificate is bound to a name through DNSSEC.

Run a TLSA lookup

dig _443._tcp.example.com TLSA

In DigLookup.com, enter the name, choose the record type, and read the answer section. The answer is the value DNS is currently publishing through public resolvers.

Example answer

_443._tcp.example.com.    300    IN    TLSA    3 1 1 ABCDEF...

What to check

  • The name is exactly right. A lookup for the root domain is different from a lookup for a subdomain.
  • The TTL is reasonable for the stage of the change. Short TTLs help migrations; long TTLs can preserve old answers.
  • The returned value matches the source of truth from the hosting provider, email provider, certificate authority, or DNS platform.
  • The answer is visible from more than one resolver if the change is meant to be public.
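
The example answer above carries three numeric fields before the hex value: certificate usage, selector, and matching type, so `3 1 1` means DANE-EE, SubjectPublicKeyInfo, SHA-256 (RFC 6698). The following is an added example, not code from DigLookup.com: it parses a dig answer line and compares the published data with the value expected from your source of truth. The function names and the sample bytes are constructed for illustration.

```python
import hashlib

# Field meanings from RFC 6698 / RFC 7218.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING = {0: ("Full", None), 1: ("SHA2-256", 32), 2: ("SHA2-512", 64)}


def parse_tlsa_answer(line):
    """Parse one dig answer line: owner TTL class TLSA usage selector mtype hex."""
    f = line.split()
    if len(f) < 8 or f[2].upper() != "IN" or f[3].upper() != "TLSA":
        raise ValueError("not a TLSA answer line")
    usage, selector, mtype = (int(x) for x in f[4:7])
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING:
        raise ValueError("unknown usage, selector or matching type")
    data = bytes.fromhex("".join(f[7:]))  # dig may print long hex in groups
    want = MATCHING[mtype][1]
    if want is not None and len(data) != want:
        raise ValueError(f"{len(data)} data bytes, expected {want}")
    return {"owner": f[0], "ttl": int(f[1]), "usage": usage,
            "selector": selector, "mtype": mtype, "data": data}


def expected_data(mtype, selected_der):
    """Association data that should be published for the selected DER bytes."""
    if mtype == 0:
        return selected_der
    return hashlib.new("sha256" if mtype == 1 else "sha512", selected_der).digest()


def record_matches(record, cert_der, spki_der):
    """True if the published record matches the certificate we expect."""
    selected = spki_der if record["selector"] == 1 else cert_der
    return expected_data(record["mtype"], selected) == record["data"]


# Constructed stand-ins, not real DER: in practice these come from the
# certificate that the server is supposed to present.
CERT_DER = b"constructed-certificate-bytes"
SPKI_DER = b"constructed-public-key-bytes"
digest = hashlib.sha256(SPKI_DER).hexdigest().upper()
# Constructed answer line, hex split in two groups the way dig can print it.
ANSWER = f"_443._tcp.example.com. 300 IN TLSA 3 1 1 {digest[:56]} {digest[56:]}"

if __name__ == "__main__":
    rec = parse_tlsa_answer(ANSWER)
    print(USAGES[rec["usage"]], SELECTORS[rec["selector"]], MATCHING[rec["mtype"]][0])
    print("matches expected key:", record_matches(rec, CERT_DER, SPKI_DER))
```

A match is only meaningful for DANE when the resolver validated the answer with DNSSEC; an unsigned TLSA record proves nothing about the certificate.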

Common mistakes

  • Checking the wrong record type and assuming DNS is broken when only that type is absent.
  • Forgetting that DNS dashboards show intended configuration, while dig shows the published answer.
  • Expecting a DNS change to appear everywhere before old resolver caches have expired.