DNSSEC adds two important features to the DNS protocol:
->Data origin authentication allows a resolver to cryptographically verify that the data it received actually came from the zone where it believes the data originated.
->Data integrity protection allows the resolver to know that the data hasn't been modified in transit since it was originally signed by the zone owner with the zone's private key.
A zone transfer requested from an external IP address is often part of an attacker's reconnaissance phase. Normally, a zone transfer is a routine operation between primary and secondary DNS servers that synchronises the records for a domain. It is typically not something you want to be externally accessible.
SPF checks whether an email really originates from your email servers. This prevents others from sending malicious emails in the name of your organization.
domain.com TXT record "v=spf1 include:_spf.protonmail.ch mx -all"
DKIM checks the identity of the sender and the integrity of the message. This prevents others from spoofing or manipulating your emails.
domain.com TXT record "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4TWhAkE9cQBB7g2C6jGb...."
DMARC tells your email server what to do when it receives an email that fails the SPF and DKIM checks, and has abuse reported to your organization.
_dmarc.domain.com TXT record "v=DMARC1; p=reject; rua=mailto:abuse@domain.com; ruf=mailto:abuse@domain.com; sp=none; fo=1; aspf=s; adkim=s; ri=86400"
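The SPF and DMARC records above can be audited for weak policy settings from their text alone. The Python below is an added example, not part of the original page: the function names and the two weak sample records are constructed for illustration, and it inspects record strings only (no DNS lookups).

```python
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}  # DMARC policies, weakest first

def audit_spf(record):
    """Return findings for an SPF TXT value; an empty list means no weak setting seen."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    # The 'all' mechanism decides the result for senders no earlier term matched.
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy is delegated to another record
        return ["no 'all' mechanism: unmatched senders get a neutral result"]
    weak = {"all": "passes every sender", "+all": "passes every sender",
            "?all": "neutral result, nothing is rejected",
            "~all": "softfail, receivers usually still deliver"}
    return [f"{alls[0]}: {weak[alls[0]]}"] if alls[0] in weak else []

def audit_dmarc(record):
    """Return findings for a DMARC TXT value (tag=value pairs separated by ';')."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy not in STRENGTH:
        return ["missing or invalid p= tag"]
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; failing mail is still delivered")
    sub = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if STRENGTH.get(sub, 0) < STRENGTH[policy]:
        findings.append(f"sp={sub} is weaker than p={policy}: subdomains are not covered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings

# The page's two records, then two constructed weak ones for contrast.
PAGE_SPF = "v=spf1 include:_spf.protonmail.ch mx -all"
PAGE_DMARC = ("v=DMARC1; p=reject; rua=mailto:abuse@domain.com; "
              "ruf=mailto:abuse@domain.com; sp=none; fo=1; aspf=s; adkim=s; ri=86400")
WEAK_SPF = "v=spf1 mx ~all"       # constructed sample
WEAK_DMARC = "v=DMARC1; p=none"   # constructed sample

if __name__ == "__main__":
    for name, found in [("page SPF", audit_spf(PAGE_SPF)), ("page DMARC", audit_dmarc(PAGE_DMARC)),
                        ("weak SPF", audit_spf(WEAK_SPF)), ("weak DMARC", audit_dmarc(WEAK_DMARC))]:
        print(name, "->", found or "no findings")
```

Run against the page's DMARC record, the audit reports that `sp=none` leaves subdomains without the `p=reject` enforcement applied to the organizational domain.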
STARTTLS establishes a secure connection between email servers. DANE authenticates the receiving email server and guarantees the use of a secure connection with STARTTLS. DANE relies on DNSSEC for trust in the DNS entries.
DANE checker (SMTP)
DANE checker2 (SMTP, IMAP, POP3)