Exchange Online Supports Inbound SMTP DANE with DNSSEC

Emails are a crucial part of daily communication, but the protocol used to send them, SMTP, isn’t very secure by default. SMTP relies on public DNS to find where to send emails, which can be spoofed or intercepted. To improve security, TLS Authentication (TLSA) is used with SMTP for securing emails. However, vulnerabilities like TLS-downgrade attacks or man-in-the-middle interceptions remain possible, compromising email security. To address these risks, Microsoft announces the public preview of Inbound SMTP DANE with DNSSEC for Exchange Online.

This builds upon the existing outbound SMTP DANE with DNSSEC functionality released in March 2022, offering even more robust email security. But how does it work, and why is it important? In this blog post, we’ll delve into Inbound SMTP DANE with DNSSEC, explaining how it enhances TLS security!

What is Inbound SMTP DANE with DNSSEC? It’s like a double layer of security for your emails.

It enhances the security of email communications by supporting two security standards: DNS-based Authentication of Named Entities (DANE) for SMTP and Domain Name System Security Extensions (DNSSEC). By adopting these standards, we can collectively raise the bar for email security, making it harder for bad actors to exploit vulnerabilities.

SMTP DANE: Exchange Online mail flow with SMTP DANE helps ensure that email communication between sending and receiving mail servers is secure. It encrypts TLS connections and verifies if the server’s certificate matches the expected TLSA records on the destination mail server.

DNSSEC: DNSSEC adds cryptographic signatures to DNS records to ensure the email contents are authentic and haven’t been tampered with during transit. This helps verify that the DNS information you’re getting is trustworthy.

This powerful combination protects against TLS-downgrade attacks, impersonation, message tampering, and malicious attacks.

By using SMTP DANE with DNSSEC, you can:

• Protect Your Email Domain: Prevents your email domain from being impersonated.
• Secure Delivery: Ensures your emails are delivered safely with encryption and without alterations.
• Boost Domain Reputation: Shows that your email service follows the latest security standards.

Before you begin, make sure you meet the following prerequisites:

1. Ensure the domain is added as an ‘Accepted Domain’ and its status is ‘Healthy’ in the Microsoft 365 Admin Center.
2. To receive full security benefits, enable DNSSEC for your domain.
3. You should be able to connect to Exchange Online PowerShell and have the necessary permissions to run the required cmdlets.
4. If the domain you want to secure with Inbound SMTP DANE with DNSSEC is used in any smarthost configurations or connectors, follow these steps:

• • Coordinate with your third-party provider.
  • Switch the hostname to your O365 initial domain tenant name (tenantname.onmicrosoft.com).widomain tenant name (tenantname.onmicrosoft.com).

Since Inbound SMTP DANE with DNSSEC is out for public preview, admins can enable them in Exchange Online environment.

Note: As of now, Microsoft recommends implementing this feature in a non-production environment and testing emails, as it may not function as expected during the public preview phase.

1. Update the TTL of existing MX record:

You need to change the TTL of your existing MX record to the lowest possible value. After making this change, wait for the previous TTL to expire. Because, if your MX record previously had a TTL of ‘3600 seconds’, you need to wait for 1 hour before proceeding.

2. Enable SMTP DANE with DNSSEC in Exchange Online:

Firstly, connect to the Exchange Online PowerShell. To enable DNSSEC in Exchange Online PowerShell, run the following command:

Make sure to replace <DomainName> with the name of your chosen domain. Copy the “DnssecMxValue” from the command output and add a new MX record at your DNS registrar with this value.

Note: If you use a third-party email gateway and need to direct inbound mail to Exchange Online, update the gateway’s settings in their admin portal to point to the new Exchange Online target host. Check if mail flows correctly using the Microsoft Remote Connectivity Analyzer, selecting “DNSSEC Validation” during testing.

Then, to enable SMTP DANE in Exchange Online PowerShell, run the following command:

Verify the TLSA record propagation using the Microsoft Remote Connectivity Analyzer, selecting “DANE Validation”.

For detailed instructions on setting up Inbound SMTP DANE with DNSSEC, refer to the Microsoft documentation.

Here’s what to expect in the coming months:

• July 2024: Inbound SMTP DANE with DNSSEC for Exchange Online is out for Public Preview. It is for enterprise and commercial environments without additional cost.
• August 2024: Track Inbound and Outbound SMTP DANE with DNSSEC and MTA-STS reports directly within the Exchange admin center.
• October 2024: General Availability of Inbound SMTP DANE with DNSSEC.
• End of 2024:

• • Complete deployment of this feature for all Outlook domains (including Hotmail).
  • Transitioning the setup of mail records for all newly created Accepted Domains to use DNSSEC-enabled infrastructure under *.mx.microsoft.

• February 2025: Mandatory Outbound SMTP DANE, set per tenant/per remote domain.

Please share your experiences and feedback for Inbound SMTP DANE with DNSSEC in the comments section. Let’s work together to raise the bar for email security!