Today, we are excited to announce the General Availability of Inbound SMTP DANE with DNSSEC! This new capability of Exchange Online enhances the security of email communications by supporting two security standards: DNS-based Authentication of Named Entities (DANE) for SMTP and Domain Name System Security Extensions (DNSSEC).
Instructions for implementing it in your tenant are at How SMTP DNS-based Authentication of Named Entities (DANE) secures email communications. We are actively updating documentation to remove the Preview verbiage.
SMTP DANE and DNSSEC
SMTP DANE with DNSSEC provides a secure connection between sending and receiving mail servers that is resistant to both TLS-downgrade attacks and adversary-in-the-middle attacks (a form of eavesdropping where the communication is monitored or modified by a bad actor).
Here’s how it works:
- DNSSEC: Protects DNS queries from tampering by ensuring the integrity of DNS records using cryptographic signatures. It prevents attacks like DNS spoofing.
- DANE for SMTP: Uses DNSSEC to securely advertise TLS (Transport Layer Security) certificates for email servers via the TLS Authentication (TLSA) DNS record. It allows email servers to enforce encrypted communication (SMTP over TLS) and ensures that connections are only established with servers using valid certificates.
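How a DANE-aware sending server uses the TLSA record described above, as an added example in Python (this is illustrative code, not Exchange Online's implementation or configuration): it builds and parses a TLSA record for a certificate, checks a presented certificate chain against it, and applies the RFC 7672 decision rules that make the mechanism resistant to TLS downgrade. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders; a real client would take the DER from the TLS handshake and the `secure`/`insecure`/`bogus` status from a DNSSEC-validating resolver. Record field values follow RFC 6698 (usage, selector, matching type) and the SMTP restrictions in RFC 7672.

```python
# Added example (not Exchange Online code): the TLSA matching and DNSSEC-status
# decisions an SMTP DANE sender makes, per RFC 6698, RFC 7671 and RFC 7672.
# All certificate bytes used with this code are constructed placeholders.
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# RFC 7672, Section 3.1.3: SMTP uses only DANE-TA(2) and DANE-EE(3);
# PKIX-TA(0) and PKIX-EE(1) records are unusable for SMTP.
SMTP_USAGES = {2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}  # full certificate vs SubjectPublicKeyInfo
MATCHING_TYPES = {0: None, 1: "sha256", 2: "sha512"}
DIGEST_LEN = {1: 32, 2: 64}

Cert = Tuple[bytes, bytes]  # (certificate DER, SubjectPublicKeyInfo DER)


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # certificate association data

    @classmethod
    def parse(cls, presentation: str) -> "TLSARecord":
        """Parse zone-file presentation format, e.g. '3 1 1 <hex digest>'."""
        fields = presentation.split()
        if len(fields) < 4:
            raise ValueError("TLSA needs usage, selector, matching type and data")
        usage, selector, mtype = (int(f) for f in fields[:3])
        data = bytes.fromhex("".join(fields[3:]))  # hex may be split into tokens
        if mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]:
            raise ValueError(f"matching type {mtype} expects {DIGEST_LEN[mtype]} bytes")
        return cls(usage, selector, mtype, data)

    def to_presentation(self) -> str:
        return f"{self.usage} {self.selector} {self.matching_type} {self.data.hex()}"

    def usable_for_smtp(self) -> bool:
        return (self.usage in SMTP_USAGES and self.selector in SELECTORS
                and self.matching_type in MATCHING_TYPES)


def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """What a TLSA record's data field must contain to match this certificate."""
    if selector not in SELECTORS or mtype not in MATCHING_TYPES:
        raise ValueError("unknown selector or matching type")
    selected = cert[0] if selector == 0 else cert[1]
    algo = MATCHING_TYPES[mtype]
    return selected if algo is None else hashlib.new(algo, selected).digest()


def make_tlsa(cert: Cert, usage: int = 3, selector: int = 1, mtype: int = 1) -> TLSARecord:
    """Build the TLSA record a domain owner would publish for this certificate."""
    return TLSARecord(usage, selector, mtype, association_data(cert, selector, mtype))


def tlsa_matches(record: TLSARecord, chain: Sequence[Cert]) -> bool:
    """True if the presented chain (leaf first) matches a usable SMTP TLSA record."""
    if not record.usable_for_smtp():
        return False
    # DANE-EE(3): only the leaf certificate is compared.
    # DANE-TA(2): the record names an issuer in the chain; the leaf must also
    # chain to that issuer (path validation is not shown here).
    candidates = chain[:1] if record.usage == 3 else chain[1:]
    return any(
        hmac.compare_digest(association_data(c, record.selector, record.matching_type), record.data)
        for c in candidates
    )


def dane_decision(mx_secure: bool, tlsa_status: str, records: List[TLSARecord],
                  chain: Sequence[Cert]) -> str:
    """Connection policy from the DNSSEC validation state (RFC 7672, Section 2.2).
    tlsa_status is the validating resolver's result for the TLSA lookup:
    'secure', 'insecure', 'absent' or 'bogus'."""
    if not mx_secure or tlsa_status in ("insecure", "absent"):
        return "opportunistic-tls"  # no signed TLSA: DANE does not apply
    if tlsa_status == "bogus":
        return "defer"  # DNSSEC validation failed: do not connect, try later or next MX
    usable = [r for r in records if r.usable_for_smtp()]
    if not usable:
        return "tls-unauthenticated"  # TLS still required, but the server cannot be authenticated
    if any(tlsa_matches(r, chain) for r in usable):
        return "dane-authenticated"
    return "defer"  # usable records but no match: a downgrade or interception is suspected


if __name__ == "__main__":
    # Constructed placeholder certificates, not real DER.
    leaf = (b"constructed-leaf-cert", b"constructed-leaf-spki")
    issuer = (b"constructed-issuer-cert", b"constructed-issuer-spki")
    record = make_tlsa(leaf)  # "3 1 1 <sha256 of SPKI>", the common SMTP choice
    print(record.to_presentation())
    print(dane_decision(True, "secure", [record], [leaf, issuer]))
```

The `defer` outcomes are the point of the design: once a DNSSEC-signed TLSA record exists, neither a stripped STARTTLS offer nor a substituted certificate lets the message fall back to an unauthenticated or cleartext path.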
Security and Compliance benefits from SMTP DANE with DNSSEC
Using SMTP DANE with DNSSEC has many security and compliance benefits:
- Prevents downgrade attacks: Ensures email communication always uses TLS, preventing fallback to insecure connections.
- Stronger security: Validates server identities via trusted DNSSEC-backed records, making adversary-in-the-middle attacks harder.
- Integrity and confidentiality: Guarantees that email data is encrypted and the recipient server is authenticated, better protecting your email domain(s) from impersonation.
- Compliance: Use SMTP DANE with DNSSEC to enhance your email reputation by demonstrating compliance with industry security standards.
Expanding Email Security
Outbound SMTP DANE with DNSSEC was released in 2022, and Inbound SMTP DANE with DNSSEC is now generally available. Inbound SMTP DANE with DNSSEC will continue to be included in enterprise and consumer email offerings at no charge, as part of our efforts to improve email security. Other email providers and domain owners are encouraged to adopt these standards to collectively enhance email security and protect users from malicious actors.
Inbound SMTP DANE with DNSSEC has already been implemented for several Outlook email domains, and implementation for the remaining Outlook and Hotmail domains for consumer email is expected to be completed by the end of 2024.
Exchange Online is looking forward to the impact that SMTP DANE with DNSSEC will have on the email security landscape and is deeply committed to delivering an email offering with industry-leading security such as SMTP DANE with DNSSEC.
Email Security Roadmap
Our target dates for upcoming roadmap items are:
- December 2024 – Inbound SMTP DANE with DNSSEC and MTA-STS report in the Exchange admin center
- December 2024 – March 2025:
  - Deploying Inbound SMTP DANE with DNSSEC for all consumer Outlook and Hotmail domains (for example, hotmail.nl)
  - Transitioning provisioning of mail records for all newly created Accepted Domains into DNSSEC-enabled infrastructure underneath *.mx.microsoft
- May 2025 – Mandatory Outbound SMTP DANE, set per-tenant/per-remote domain
Learn more about the provisioning change at Implementing Inbound SMTP DANE with DNSSEC for Exchange Online Mail Flow.
Learn more about .microsoft and its subdomains at Introducing cloud.microsoft: a unified domain for Microsoft 365 apps and services.
Feedback
We welcome your feedback on Inbound SMTP DANE with DNSSEC, especially the enablement process. Please comment on this post if you have any feedback or concerns, and we will respond or contact you directly as needed.
Microsoft 365 Messaging Team
You Had Me at EHLO.