Update 10/28/2024: For the latest information on this subject, please see our newer blog post: Announcing General Availability of Inbound SMTP DANE with DNSSEC for Exchange Online.
The Public Preview for Inbound SMTP DANE with DNSSEC is currently rolling out. Instructions for implementing it in your tenant are at How SMTP DNS-based Authentication of Named Entities (DANE) secures email communications.
SMTP DANE and DNSSEC
SMTP DANE uses a TLS Authentication (TLSA) DNS record to verify the identity of a destination mail server and provides a secure connection between sending and receiving mail servers that is resistant to both TLS-downgrade attacks and adversary-in-the-middle attacks (a form of eavesdropping where the communication is monitored or modified by a bad actor).
DNSSEC uses cryptographic signatures to ensure that the destination domain's DNS records are authentic and were not tampered with in transit.
These two standards work together to prevent spoofing, hijacking, and interception of email messages.
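The sending server's decision described above, as an added sketch that is not Microsoft's or Exchange Online's code. It follows the sender-side rules of RFC 7672 (SMTP DANE) for DANE-EE (usage 3) TLSA records only; the function names, status strings and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac

# TLSA matching types (RFC 6698): 0 = full value, 1 = SHA-256, 2 = SHA-512.
DIGESTS = {
    0: lambda b: b,
    1: lambda b: hashlib.sha256(b).digest(),
    2: lambda b: hashlib.sha512(b).digest(),
}

def usable(record):
    """A record is (usage, selector, mtype, hex_data); this sketch accepts DANE-EE only."""
    usage, selector, mtype, _ = record
    return usage == 3 and selector in (0, 1) and mtype in DIGESTS

def matches(record, cert_der, spki_der):
    """Compare the TLSA data with the presented certificate (selector 0) or its SPKI (1)."""
    _, selector, mtype, data_hex = record
    presented = cert_der if selector == 0 else spki_der
    return hmac.compare_digest(DIGESTS[mtype](presented), bytes.fromhex(data_hex))

def delivery_decision(dnssec_status, tlsa_rrset, starttls_offered,
                      cert_der=b"", spki_der=b""):
    """Hypothetical helper: what a DANE-aware sender does for one MX host."""
    if dnssec_status == "bogus":
        return "defer"                    # DNSSEC validation failed: answer not trusted
    if dnssec_status != "secure" or not tlsa_rrset:
        return "deliver-opportunistic"    # no validated TLSA records: DANE does not apply
    if not starttls_offered:
        return "defer"                    # STARTTLS missing: no fallback to cleartext
    candidates = [r for r in tlsa_rrset if usable(r)]
    if not candidates:
        return "deliver-encrypted-unauthenticated"  # TLS still mandatory
    if any(matches(r, cert_der, spki_der) for r in candidates):
        return "deliver-authenticated"
    return "defer"                        # certificate is not the one the domain published

# Constructed stand-in bytes, not a real certificate or key.
SPKI = b"constructed-subject-public-key-info"
CERT = b"constructed-certificate:" + SPKI
ROGUE_SPKI = b"constructed-interceptor-key"
# Constructed "3 1 1" record: DANE-EE, SPKI selector, SHA-256.
PUBLISHED = [(3, 1, 1, hashlib.sha256(SPKI).hexdigest())]

if __name__ == "__main__":
    print(delivery_decision("secure", PUBLISHED, True, CERT, SPKI))
    print(delivery_decision("secure", PUBLISHED, False))
    print(delivery_decision("secure", PUBLISHED, True, CERT, ROGUE_SPKI))
```

The second and third calls are the downgrade and adversary-in-the-middle cases: the message is held for retry rather than sent in cleartext or to a server presenting an unpublished key.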
Inbound SMTP DANE with DNSSEC benefits
By using SMTP DANE with DNSSEC, you can:
- Better protect your email domain(s) from impersonation;
- Help ensure your messages are delivered to the intended recipients using encryption and without being altered or redirected; and
- Enhance your email reputation by demonstrating compliance with the latest security standards.
Improving Email Security
We released Outbound SMTP DANE with DNSSEC in 2022, and we're excited to begin the Public Preview for Inbound SMTP DANE with DNSSEC. We are including Inbound SMTP DANE with DNSSEC in our enterprise and consumer email offerings at no charge as part of our efforts to improve email security for everyone. We urge other email providers and domain owners to adopt these standards and collectively raise the bar for email security and protect users from malicious actors.
We have already implemented inbound SMTP DANE with DNSSEC for several Outlook email domains, and we will complete the implementation for remaining Outlook domains (including Hotmail) by the end of 2024.
We are eager to see the impact of this feature on the email security landscape and we look forward to continuing to innovate and deliver an email offering with industry-leading security like SMTP DANE with DNSSEC.
Opt in to the Public Preview Today
You can opt into the Public Preview today and start using inbound SMTP DANE with DNSSEC by following the enablement steps in this documentation. We welcome your feedback and suggestions for improving this feature, as well.
Email Security Roadmap
Our target dates for upcoming roadmap items are:
- October 2024 – General Availability of Inbound SMTP DANE with DNSSEC
- December 2024 – Inbound SMTP DANE with DNSSEC and MTA-STS report in the Exchange admin center
- End of 2024
  - Deploying Inbound SMTP DANE with DNSSEC for all Outlook domains
  - Transition provisioning of mail records for all newly created Accepted Domains into DNSSEC-enabled infrastructure underneath *.mx.microsoft
- February 2025 – Mandatory Outbound SMTP DANE, set per-tenant/per-remote domain
Learn more about the provisioning change at Implementing Inbound SMTP DANE with DNSSEC for Exchange Online Mail Flow.
Learn more about .microsoft and its subdomains at Introducing cloud.microsoft: a unified domain for Microsoft 365 apps and services.
Feedback
We welcome your feedback and want to hear from you about your experience with Inbound SMTP DANE with DNSSEC. Please comment on this post if you have any feedback or concerns and we will reply or reach out to you directly as needed.
Microsoft 365 Messaging Team (formerly the Exchange Online Transport Team)
You Had Me at EHLO.