Some day I’ll get time to do an article on setting up a complete email server with the most advanced security and spam protection, but for now we’ll focus on DNS-based Authentication of Named Entities (DANE). Of all the methods of securing email, DANE is the most comprehensive and advanced to date.
In a nutshell, DANE is a way to authenticate TLS client and server sessions (for both web and email) without the need for a Certificate Authority. DANE has become more popular in recent years due to security breaches at some Certificate Authorities, which allowed encryption certificates to be issued to non-domain owners for malevolent purposes. DANE provides an independent means of checking certificates to verify their provenance, and therefore that the session is secure.