diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 78ffcee1..ae54326d 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -59,7 +59,7 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
 smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
-smtp_tls_dane_insecure_mx_policy = dane
+smtp_tls_dane_insecure_mx_policy = {% if DEFER_ON_TLS_ERROR == 'false' %}may{% else %}dane{% endif %}
 smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, socketmap:unix:/tmp/mta-sts.socket:postfix
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 4fd84c07..7cf3c926 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
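Review bot: With `DEFER_ON_TLS_ERROR=false` the new `smtp_tls_dane_insecure_mx_policy` line falls back to `may`, which in Postfix is plain opportunistic TLS: for a host whose MX record is unsigned but whose TLSA records are DNSSEC-validated, mail will then go out in cleartext if STARTTLS is absent or stripped by an on-path attacker, so the switch does more than skip the unverifiable identity check the accompanying documentation describes. `encrypt` is the intermediate Postfix value that still refuses plaintext to such a host while not requiring the TLSA match, and since the host publishes TLSA records it can reasonably be expected to offer STARTTLS, so deliverability should not suffer: `smtp_tls_dane_insecure_mx_policy = {% if DEFER_ON_TLS_ERROR == 'false' %}encrypt{% else %}dane{% endif %}`. The comparison against the literal `'false'` is also case-sensitive, so a value such as `False` or `0` (the docs show the default as `True`) would silently keep the strict `dane` branch; that fails closed, which is the safe direction, but it may not match the operator's intent, so consider normalizing with `|lower` or whichever boolean convention the project's other templates use (not visible in this hunk).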
@@ -72,8 +72,12 @@ mail in following format: ``[HOST]:PORT``. ``RELAYUSER`` and ``RELAYPASSWORD`` can be used when authentication is needed. By default postfix uses "opportunistic TLS" for outbound mail. This can be changed -by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is highly recommended -if you are using a relayhost that supports TLS but discouraged otherwise. ``DEFER_ON_TLS_ERROR`` (default: True) controls whether incomplete policies (DANE without DNSSEC or "testing" MTA-STS policies) will be taken into account and whether emails will be defered if the additional checks enforced by those policies fail. +by setting ``OUTBOUND_TLS_LEVEL`` to ``encrypt`` or ``secure``. This setting is +highly recommended if you are using a relayhost that supports TLS but discouraged +otherwise. ``DEFER_ON_TLS_ERROR`` (default: True) controls whether incomplete +policies (DANE without DNSSEC or "testing" MTA-STS policies) will be taken into +account and whether emails will be defered if the additional checks enforced by +those policies fail. Similarily by default nginx uses "opportunistic TLS" for inbound mail. This can be changed by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidden for diff --git a/towncrier/newsfragments/1798.feature b/towncrier/newsfragments/1798.feature index 1b63a85c..125b1767 100644 --- a/towncrier/newsfragments/1798.feature +++ b/towncrier/newsfragments/1798.feature @@ -1 +1 @@ -Implement MTA-STS (use published policies) +Implement MTA-STS and DANE validation. Introduce DEFER_ON_TLS_ERROR (default: True) to harden or loosen the policy enforcement.