Microsoft is committed to providing world-class email security solutions and the support for the latest Internet standards in order to provide advanced email protection for our customers. Today we are announcing that Exchange Online will be adding support for two new Internet standards specific to SMTP traffic.
These standards are DNSSEC (Domain Name System Security Extensions) and DANE for SMTP (DNS-based Authentication of Named Entities).
The SMTP protocol was designed a long time ago, when message delivery was considered more important than security. Over time, as security and privacy became increasingly more important, several new standards emerged and one of those is RFC 3207: “SMTP Service Extension for Secure SMTP over Transport Layer Security (TLS)”. This is often referred to as Opportunistic TLS, or STARTTLS. Opportunistic TLS provides encryption for SMTP connections and even though it’s a great improvement over plain SMTP, it still has a significant number of vulnerabilities.
One such vulnerability is the downgrade attack, which is a form of man-in-the-middle-attack (MITM). This happens when an attacker is able to strip the STARTTLS verb from the target SMTP gateway during the initial in-the-clear communication, often resulting in the sending SMTP server simply deciding to continue sending the message in clear text rather than stopping transmission.
Another limitation that exists with Opportunistic TLS is the inability for the sending server to authenticate the identity of the receiving SMTP gateway. An attacker can spoof the receiving SMTP gateway’s DNS record and present an alternate MX record for a server that they own. Even if the connection is encrypted, the sending server will never know that email was diverted to the malicious server.
Microsoft has been working closely with partners through the industry association M3AAWG to solve such limitations throughout the email ecosystem. As a result, we have decided to build and add support for DNSSEC and DANE for SMTP to Exchange Online.This support will be specific to SMTP traffic between SMTP gateways. We will also be providing support for TLS reporting (TLS-RPT).
DANE for SMTP provides a more secure method for email transport. DANE uses the presence of DNS TLSA resource records to securely signal TLS support to ensure sending servers can successfully authenticate legitimate receiving email servers. This makes the secure connection resistant to downgrade and MITM attacks.
DNSSEC works by digitally signing records for DNS lookup using public key cryptography. This ensures that the received DNS records have not been tampered with and are authentic.
TLS-RPT enables diagnostic reporting to support monitoring and troubleshooting of TLS connectivity issues.
The support of the above standards, especially DNSSEC, will require investment and architecture changes to the Microsoft infrastructure - an investment we believe is necessary to enhance protection for our customers. As this will require significant work, we will be releasing DANE and DNSSEC for SMTP in two phases.
The first phase will include only outbound support (mail sent outbound from Exchange Online) and we aim to enable this by the end of the calendar year 2020. The second phase will add inbound support for Exchange Online and we plan to enable that by the end of 2021.For both of those phases, corresponding TLS-RPT support will be provided.
While we integrate these changes, we want to ensure our customers know that there are third party solutions available for Exchange Online. Customers have the option to run their own SMTP gateways supporting DNSSEC and DANE for SMTP and they can create Outbound and Inbound connectors to route the email messages to and from Exchange Online.
We are happy to announce support for DNSSEC and DANE for SMTP to strengthen Office 365 Exchange Online email security and provide advanced protection to our customers.