A TLSA lookup asks DNS for a TLS certificate association record. Use it when you need to confirm a DANE setup, check the TLSA records an SMTP server publishes, or verify that a certificate is bound to a name under DNSSEC.
Run a TLSA lookup
dig _443._tcp.example.com TLSA
In DigLookup.com, enter the name, choose the record type, and read the answer section. The answer is the value DNS is currently publishing through public resolvers.
Example answer
_443._tcp.example.com. 300 IN TLSA 3 1 1 ABCDEF...
What to check
- The name is exactly right. A lookup for the root domain is different from a lookup for a subdomain, and a TLSA owner name must carry the port and protocol prefix (for example _443._tcp.) in front of the host name.
- The TTL is reasonable for the stage of the change. Short TTLs help migrations; long TTLs keep old answers alive in resolver caches.
- The returned value matches the source of truth from the hosting provider, email provider, certificate authority, or DNS platform.
- The answer is visible from more than one resolver if the change is meant to be public.
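The example answer above and the checks in this list can be automated. The following Python script is an added example, not code from DigLookup.com: it parses the answer section of dig's text output, decodes the three TLSA parameter fields (usage, selector, matching type) by name, checks that the association data has the length the matching type implies, compares the published digest against certificate material taken from the source of truth, and confirms that two resolvers agree. The certificate bytes, the dig output and the mail.example.com record are constructed stand-ins; in practice the SPKI or full certificate DER would be read from the server's certificate file.

```python
"""Parse and sanity-check TLSA answers from dig output (added example, constructed data)."""
import hashlib
import re
from dataclasses import dataclass

# Field names from the TLSA specification (RFC 6698).
USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR = {0: "Cert", 1: "SPKI"}
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
DIGEST_HEX_LEN = {1: 64, 2: 128}   # hex characters expected for each digest type

# Matches one answer-section line such as:
# _443._tcp.example.com.  300  IN  TLSA  3 1 1 <hex>
TLSA_LINE = re.compile(
    r"^(\S+)\s+(\d+)\s+IN\s+TLSA\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f\s]+)$")


@dataclass(frozen=True)
class TlsaRecord:
    name: str
    ttl: int
    usage: int
    selector: int
    matching: int
    data: str  # association data, lowercase hex


def parse_tlsa_answers(dig_output: str) -> list[TlsaRecord]:
    """Extract TLSA records from dig's text output, skipping comment lines."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = TLSA_LINE.match(line)
        if m:
            name, ttl, usage, sel, mt, data = m.groups()
            records.append(TlsaRecord(name, int(ttl), int(usage), int(sel), int(mt),
                                      re.sub(r"\s+", "", data).lower()))
    return records


def describe(rec: TlsaRecord) -> str:
    """Human-readable form of the three parameter fields."""
    return (f"{USAGE.get(rec.usage, '?')} {SELECTOR.get(rec.selector, '?')} "
            f"{MATCHING.get(rec.matching, '?')}")


def lint(rec: TlsaRecord, max_ttl_during_change: int = 3600) -> list[str]:
    """Structural checks to run before trusting a published record."""
    problems = []
    if rec.usage not in USAGE or rec.selector not in SELECTOR or rec.matching not in MATCHING:
        problems.append("unknown usage, selector or matching type")
    expected_len = DIGEST_HEX_LEN.get(rec.matching)
    if expected_len and len(rec.data) != expected_len:
        problems.append(f"association data is {len(rec.data)} hex chars, expected {expected_len}")
    if rec.ttl > max_ttl_during_change:
        problems.append(f"TTL {rec.ttl}s is long for a record that is about to change")
    return problems


def expected_data(rec: TlsaRecord, spki_der: bytes, cert_der: bytes) -> str:
    """What the association data must be for this selector/matching type."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.matching == 0:
        return selected.hex()
    algo = {1: "sha256", 2: "sha512"}[rec.matching]
    return hashlib.new(algo, selected).hexdigest()


def matches_source_of_truth(rec: TlsaRecord, spki_der: bytes, cert_der: bytes) -> bool:
    """True when the published digest matches the certificate material we hold."""
    return rec.data == expected_data(rec, spki_der, cert_der)


def consistent_across_resolvers(*answer_sets: list[TlsaRecord]) -> bool:
    """True when every resolver returned the same associations (TTL may differ)."""
    canonical = [{(r.usage, r.selector, r.matching, r.data) for r in s} for s in answer_sets]
    return all(c == canonical[0] for c in canonical)


# Constructed stand-ins for certificate material exported from the server or CA.
FAKE_SPKI = b"constructed SubjectPublicKeyInfo bytes"
FAKE_CERT = b"constructed full certificate DER bytes"
_DIGEST = hashlib.sha256(FAKE_SPKI).hexdigest().upper()

# Constructed dig output from two resolvers; the second has a partially aged TTL.
SAMPLE_DIG_OUTPUT = f""";; ANSWER SECTION:
_443._tcp.example.com.\t300\tIN\tTLSA\t3 1 1 {_DIGEST}
"""
SAMPLE_OTHER_RESOLVER = f""";; ANSWER SECTION:
_443._tcp.example.com.\t113\tIN\tTLSA\t3 1 1 {_DIGEST}
"""

if __name__ == "__main__":
    recs = parse_tlsa_answers(SAMPLE_DIG_OUTPUT)
    for rec in recs:
        print(rec.name, rec.ttl, describe(rec), lint(rec) or "ok",
              "matches" if matches_source_of_truth(rec, FAKE_SPKI, FAKE_CERT) else "MISMATCH")
    print("resolvers agree:",
          consistent_across_resolvers(recs, parse_tlsa_answers(SAMPLE_OTHER_RESOLVER)))
```

Feeding the script the real output of `dig _443._tcp.example.com TLSA @resolver` for two or more resolvers reproduces the last two items of the checklist; the digest comparison is only meaningful against SPKI or certificate bytes taken from the actual deployed certificate, not from the DNS dashboard.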
Common mistakes
- Checking the wrong record type and assuming DNS is broken when only that type is absent.
- Forgetting that DNS dashboards show intended configuration, while dig shows the published answer.
- Expecting a DNS change to appear everywhere before old resolver caches have expired.