diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index da06111..35462a0 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -245,6 +245,11 @@ in
         # Avoid leakage of X-Original-To, X-Delivered-To headers between recipients
         lmtp_destination_recipient_limit = "1";
 
+        # Opportunistic DANE support
+        # https://www.postfix.org/postconf.5.html#smtp_tls_security_level
+        smtp_dns_support_level = "dnssec";
+        smtp_tls_security_level = "dane";
+
         # sasl with dovecot
         smtpd_sasl_type = "dovecot";
         smtpd_sasl_path = "/run/dovecot2/auth";