From 93bc52998fa09676b8c85eaa0960453175a23aa2 Mon Sep 17 00:00:00 2001 From: Dennis Baaten Date: Wed, 28 Aug 2019 14:24:13 +0200 Subject: [PATCH] Update DANE-for-SMTP-how-to.md --- DANE-for-SMTP-how-to.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/DANE-for-SMTP-how-to.md b/DANE-for-SMTP-how-to.md index 3d2a46b..fcc465b 100644 --- a/DANE-for-SMTP-how-to.md +++ b/DANE-for-SMTP-how-to.md @@ -83,7 +83,18 @@ The risks of SMTP with opportunistic TLS can be mitigated by using DANE: In short: DANE allows sending mail servers to unconditionally require STARTTLS with a matching certificate chain. Otherwise, the sending mail server aborts the connection and tries another server or defers the message. Receiving servers with published TLSA records, are therefore no longer vulnerable to the afore mentioned man in the middle attacks. # DANE TLSA record example -![]() +![](DANE-example-TLSA-record.png) + +**Usage**: says something about the type of certificate that is used for this TLSA record. +2: intermediate / root certificate +3: end-entity certificaat +**Selector**: this is about the scope of the fingerprint regarding this TLSA record. +0: fingerprint with regard to the full certificate +1: fingerprint with regard to the public key +**Matching type**: information about the hashing mechanism used for fingeeprint regarding this TLSA record. +0: no hasing, full information +1: SHA2-256 hash +2: SHA2-512 hash # Advantages of DANE explained by illustrations ## Mail delivery: TLS without DANE
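Review bot: The added explanation under "# DANE TLSA record example" has three typos that should be fixed before merging: "certificaat" in the "3: end-entity certificaat" line (should be "certificate"), "fingeeprint" in the Matching type description, and "hasing" in "0: no hasing, full information". The value lines ("2: ...", "3: ...", "0: ...", "1: ...") follow each bold label with no blank line or list marker, so Markdown will fold each group into one run-on paragraph; writing them as list items, for example "- 2: intermediate / root certificate", keeps each value on its own line. The Usage group lists only values 2 and 3 while Selector and Matching type start at 0; if that is deliberate, a sentence saying so would keep readers from assuming something was dropped. The image is added with empty alt text ("![]"), so a short description of what DANE-example-TLSA-record.png shows would help when the PNG does not render.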