Blog Post

Exchange Team Blog
3 MIN READ

Announcing Public Preview of Inbound SMTP DANE with DNSSEC for Exchange Online

The_Exchange_Team's avatar
Jul 17, 2024

Update 10/28/2024: For the latest information on this subject, please see our newer blog post: Announcing General Availability of Inbound SMTP DANE with DNSSEC for Exchange Online.

We are thrilled to announce the Public Preview of Inbound SMTP DANE with DNSSEC, a new capability of Exchange Online that enhances the security of email communications by supporting two security standards: DNS-based Authentication of Named Entities (DANE) for SMTP and Domain Name System Security Extensions (DNSSEC).

The Public Preview for Inbound SMTP DANE with DNSSEC is currently rolling out. Instructions for implementing it in your tenant are at How SMTP DNS-based Authentication of Named Entities (DANE) secures email communications.

SMTP DANE and DNSSEC

SMTP DANE uses a TLS Authentication (TLSA) DNS record to verify the identity of a destination mail server and provides a secure connection between sending and receiving mail servers that is resistant to both TLS-downgrade attacks and adversary-in-the-middle attacks (a form of eavesdropping where the communication is monitored or modified by a bad actor).

DNSSEC uses cryptographic signatures to ensure that the destination domain's DNS records are authentic and were not tampered with in transit.

These two standards work together to prevent spoofing, hijacking, and interception of email messages.

Inbound SMTP DANE with DNSSEC benefits

By using SMTP DANE with DNSSEC, you can:

  • Better protect your email domain(s) from impersonation;
  • Help ensure your messages are delivered to the intended recipients using encryption and without being altered or redirected; and
  • Enhance your email reputation by demonstrating compliance with the latest security standards.

Improving Email Security

We released Outbound SMTP DANE with DNSSEC in 2022, and we’re excited to begin the Public Preview for Inbound SMTP DANE with DNSSEC. We are including Inbound SMTP DANE with DNSSEC in our enterprise and consumer email offerings at no charge as part of our efforts to improve email security for everyone. We urge other email providers and domain owners to adopt these standards and collectively raise the bar for email security and protect users from malicious actors.

We have already implemented inbound SMTP DANE with DNSSEC for several Outlook email domains, and we will complete the implementation for remaining Outlook domains (including Hotmail) by the end of 2024.

We are eager to see the impact of this feature on the email security landscape and we look forward to continuing to innovate and deliver an email offering with industry-leading security like SMTP DANE with DNSSEC.

Opt-in to the Public Preview Today

You can opt into the Public Preview today and start using inbound SMTP DANE with DNSSEC by following the enablement steps in this documentation. We welcome your feedback and suggestions for improving this feature, as well.

Email Security Roadmap

Our target dates for upcoming roadmap items are:

  • October 2024 – General Availability of Inbound SMTP DANE with DNSSEC
  • December 2024 – Inbound SMTP DANE with DNSSEC and MTA-STS report in the Exchange admin center
  • End of 2024
    • Deploying Inbound SMTP DANE with DNSSEC for all Outlook domains
    • Transition provisioning of mail records for all newly created Accepted Domains into DNSSEC-enabled infrastructure underneath *.mx.microsoft
  • February 2025 – Mandatory Outbound SMTP DANE, set per-tenant/per-remote domain

Learn more about the provisioning change at Implementing Inbound SMTP DANE with DNSSEC for Exchange Online Mail Flow.

Learn more about .microsoft and its subdomains at Introducing cloud.microsoft: a unified domain for Microsoft 365 apps and services.

Feedback

We welcome your feedback and want to hear from you about your experience with Inbound SMTP DANE with DNSSEC. Please comment on this post if you have any feedback or concerns and we will reply or reach out to you directly as needed.

Microsoft 365 Messaging Team (formerly the Exchange Online Transport Team)

Updated Oct 28, 2024
Version 5.0