
Exchange Team Blog

Announcing General Availability of Inbound SMTP DANE with DNSSEC for Exchange Online

The_Exchange_Team
Oct 28, 2024

Today, we are excited to announce the General Availability of Inbound SMTP DANE with DNSSEC! This new capability of Exchange Online enhances the security of email communications by supporting two security standards: DNS-based Authentication of Named Entities (DANE) for SMTP and Domain Name System Security Extensions (DNSSEC).

Instructions for implementing it in your tenant are at How SMTP DNS-based Authentication of Named Entities (DANE) secures email communications. We are actively updating documentation to remove the Preview verbiage.

SMTP DANE and DNSSEC

SMTP DANE with DNSSEC authenticates the receiving mail server to the sending mail server and makes the hop between them resistant to both TLS-downgrade attacks (stripping or blocking STARTTLS so the session falls back to cleartext) and adversary-in-the-middle attacks (an attacker who intercepts the connection to read or modify the traffic, for example by presenting a certificate of their own). It protects the server-to-server hop, not the message end to end.

Here’s how it works:

  1. DNSSEC: Adds cryptographic signatures to DNS records so that a validating resolver can verify that the MX and TLSA answers it receives are authentic and unmodified. It defeats DNS spoofing and cache poisoning; it does not encrypt DNS traffic.
  2. DANE for SMTP: Uses a DNSSEC-signed TLSA record, published at _25._tcp.<mail server hostname>, to advertise the TLS certificate (or its public key, usually as a SHA-256 digest) that the receiving server will present. A sending server that finds a signed TLSA record must use TLS and must see a certificate that matches the record; if no signed TLSA record exists, it falls back to ordinary opportunistic TLS.
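
The decision the sending server makes in step 2, as an added example that is not code from this post or from Exchange Online. It follows the RFC 7672 rules for a sending MTA: a TLSA RRset counts only when the resolver validated it with DNSSEC, DANE-EE (usage 3) records must match the leaf certificate, DANE-TA (usage 2) records must match an issuer in the presented chain, and a `mandatory` switch models the roadmap's "Mandatory Outbound SMTP DANE" behaviour of not sending when the destination publishes no DANE record. The `Cert` objects, the byte strings standing in for DER and SPKI, the record values, and the function names (`dane_decision`, `parse_tlsa`, and so on) are all constructed for illustration, not real certificates or an existing API:

```python
"""Added example (not code from the Exchange Team post or from Exchange Online).

Models how a sending MTA evaluates the TLSA RRset at _25._tcp.<mx-host> per
RFC 7672 once the DNSSEC status of that lookup is known. All certificates,
keys, hashes and records below are constructed stand-ins, not real DER.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: its DER bytes and the DER of its SPKI."""
    der: bytes
    spki: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA presentation format, e.g. '3 1 1 8D02536C...' (hex may be space-split)."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Compute what a TLSA record with this selector/matching type would contain for cert."""
    chosen = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return chosen
    if mtype == 1:
        return hashlib.sha256(chosen).digest()
    return hashlib.sha512(chosen).digest()


def is_usable(r: TLSA) -> bool:
    """RFC 7672: only DANE-TA(2) and DANE-EE(3) apply to SMTP; unknown parameters are unusable."""
    return r.usage in (2, 3) and r.selector in (0, 1) and r.mtype in (0, 1, 2)


def record_matches(r: TLSA, chain: Sequence[Cert]) -> bool:
    """DANE-EE must match the leaf; DANE-TA must match an issuer the server presents."""
    candidates = chain[:1] if r.usage == 3 else chain[1:]
    return any(association_data(c, r.selector, r.mtype) == r.data for c in candidates)


def dane_decision(rrset: Optional[List[TLSA]], dnssec: str,
                  chain: Sequence[Cert], mandatory: bool = False) -> str:
    """Decide what the sender does for this destination.

    dnssec is the resolver's validation result for the TLSA lookup:
    'secure', 'insecure' (unsigned zone) or 'bogus' (signature failed).
    mandatory models the 'Mandatory Outbound SMTP DANE' roadmap item as the
    post describes it: do not send when the destination has no DANE record.
    """
    if dnssec == "bogus":
        return "defer: DNSSEC validation failed"   # never fall back to cleartext here
    if dnssec == "insecure" or not rrset:
        # No authenticated TLSA data, so DANE cannot apply. Opportunistic mode
        # still tries STARTTLS; mandatory mode refuses delivery instead.
        return "no-delivery: destination has no DANE record" if mandatory else "opportunistic-tls"
    usable = [r for r in rrset if is_usable(r)]
    if not usable:
        return "tls-required-unauthenticated"   # RFC 7672: TLS still required, no DANE auth
    if any(record_matches(r, chain) for r in usable):
        return "dane-verified"
    return "defer: TLSA present but presented certificate does not match"


# Constructed sample chain (leaf first) and the records a receiving domain might publish.
LEAF = Cert(der=b"leaf-cert-der", spki=b"leaf-spki")
ISSUER = Cert(der=b"issuer-cert-der", spki=b"issuer-spki")
CHAIN = [LEAF, ISSUER]
TLSA_EE = parse_tlsa("3 1 1 " + hashlib.sha256(LEAF.spki).hexdigest())        # pins the leaf's key
TLSA_TA = parse_tlsa("2 0 1 " + hashlib.sha256(ISSUER.der).hexdigest())       # pins the issuer cert
TLSA_STALE = parse_tlsa("3 1 1 " + hashlib.sha256(b"rotated-away").hexdigest())  # key rolled, DNS not updated

if __name__ == "__main__":
    for label, rrset, status, strict in [
        ("signed DANE-EE, key matches", [TLSA_EE], "secure", False),
        ("signed DANE-TA, issuer matches", [TLSA_TA], "secure", False),
        ("signed but stale record", [TLSA_STALE], "secure", False),
        ("TLSA present but zone unsigned", [TLSA_EE], "insecure", False),
        ("no TLSA, opportunistic sender", None, "insecure", False),
        ("no TLSA, mandatory sender", None, "insecure", True),
    ]:
        print(f"{label:34} -> {dane_decision(rrset, status, CHAIN, strict)}")
```

Two cases are worth noticing when you enable inbound DANE on a domain: a TLSA record in an unsigned zone is simply ignored (which is why DNSSEC on the zone hosting the MX hostname is a prerequisite), and a signed record that no longer matches the served certificate, for example after a key rotation without a DNS update, causes senders to defer rather than fall back to cleartext, so publish the new record before swapping the certificate.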

Security and Compliance benefits from SMTP DANE with DNSSEC

Using SMTP DANE with DNSSEC has several security and compliance benefits:

  • Prevents downgrade attacks: A signed TLSA record tells the sending server that TLS is required, so a STARTTLS session cannot be stripped down to a cleartext connection.
  • Stronger security: The receiving server's certificate is checked against the DNSSEC-backed TLSA record, so an adversary cannot interpose a server presenting a different certificate.
  • Integrity and confidentiality: Mail in transit to your domain is encrypted and the receiving server is authenticated, which better protects your email domain(s) from impersonation on the inbound hop.
  • Compliance: Supporting SMTP DANE with DNSSEC demonstrates adherence to published IETF standards (RFC 7672 for SMTP DANE), which some regulators and industry baselines now recommend or require, and improves your domain's standing with other mail providers.

Expanding Email Security

Outbound SMTP DANE with DNSSEC was released in 2022, and Inbound SMTP DANE with DNSSEC is now generally available. Inbound SMTP DANE with DNSSEC will continue to be included in enterprise and consumer email offerings at no charge, as part of our efforts to improve email security. Other email providers and domain owners are encouraged to adopt these standards so that email security improves collectively and users are protected from malicious actors.

Inbound SMTP DANE with DNSSEC has already been implemented for several Outlook email domains, and implementation for the remaining Outlook and Hotmail domains for consumer email is expected to be completed by the end of 2024.

Exchange Online is looking forward to the impact that SMTP DANE with DNSSEC will have on the email security landscape and is deeply committed to delivering an email offering with industry-leading security such as SMTP DANE with DNSSEC.

Email Security Roadmap

Our target dates for upcoming roadmap items are:

  • December 2024 – Inbound SMTP DANE with DNSSEC and MTA-STS report in the Exchange admin center
  • December 2024 – March 2025
    • Deploying Inbound SMTP DANE with DNSSEC for all consumer Outlook and Hotmail domains (as an example – hotmail.nl)
    • Transition provisioning of mail records for all newly created Accepted Domains into DNSSEC-enabled infrastructure underneath *.mx.microsoft
  • May 2025 – Mandatory Outbound SMTP DANE, set per-tenant/per-remote domain

Learn more about the provisioning change at Implementing Inbound SMTP DANE with DNSSEC for Exchange Online Mail Flow.

Learn more about .microsoft and its subdomains at Introducing cloud.microsoft: a unified domain for Microsoft 365 apps and services.

Feedback

We welcome your feedback on Inbound SMTP DANE with DNSSEC, especially the enablement process. Please comment on this post if you have any feedback or concerns, and we will respond or contact you directly as needed.

Microsoft 365 Messaging Team

  • Dave_Hanna
    Copper Contributor

    Fantastic news, it's a shame we use Azure DNS for our primary domain. DNSSEC is still not Generally Available, so this solution is a moot point unless we used another DNS provider.

  • Unable to follow these instructions as Microsoft hosts my DNS and doesn't allow me to edit my MX record. I would imagine hosting DNS at Microsoft should have made this more automatic, not less possible.

  • This would have been wonderful a few years ago ; )  Better late than never, thank you

  • chrislehrPatriot yes, unfortunately fully delegated domains are one of the scenarios in the limitations section of the DANE documentation: https://learn.microsoft.com/en-us/purview/how-smtp-dane-works#limitations

    We are planning on addressing the lack of support for fully delegated domains sometime next year, but I can't share a specific ETA at this time. If you need SMTP DANE with DNSSEC for that domain right now, you may want to investigate moving your domain to another provider that supports DNSSEC for your contoso.com.

  • PankajNTT
    Brass Contributor

    IanMcDonald my MX records are pointing to a third party; can we still enable Inbound SMTP DANE with DNSSEC for Exchange Online and MTA-STS?

    • IanMcDonald
      Microsoft

      UserA No typos, but some clarity is needed.

      We support opportunistic outbound SMTP DANE with DNSSEC by default; this means that if there are no DANE records on the destination's side then we still send the email with opportunistic TLS. This is a much more permissive version of DANE to allow for smoother adoption and can be seen in the diagram at the step "One or more TLSA Record is returned": https://learn.microsoft.com/en-us/purview/how-smtp-dane-works?view=o365-worldwide#exchange-online-mail-flow-with-smtp-dane

      With Mandatory outbound SMTP DANE with DNSSEC, we will not send the email if a destination doesn't have a DANE record. This is a much stricter version of DANE, since only a couple of million domains support DANE world-wide. So, it will only work for Remote Domains, with admins controlling the configuration per remote domain.