Exchange Online: Inbound SMTP DANE with DNSSEC available

Microsoft has made Inbound SMTP DANE with DNSSEC generally available for Exchange Online, after offering it as a preview since July 2024. The new Inbound SMTP DANE with DNSSEC function in Exchange Online is intended to increase the security of email communication by supporting two security standards.

Microsoft's announcement

I came across the topic via the following tweet. Microsoft has published the details on October 28, 2024 in the Techcommunity article Announcing General Availability of Inbound SMTP DANE with DNSSEC for Exchange Online.

Inbound SMTP DANE with DNSSEC for Exchange Online

Microsoft is pleased to announce the general availability of Inbound SMTP DANE with DNSSEC. The new Exchange Online feature is designed to increase the security of email communication by supporting two security standards (DANE and DNSSEC).

DANE and DNSSEC, what are they?

DANE (DNS-based Authentication of Named Entities) is a network protocol used to secure data traffic. It extends the widely used SSL/TLS transport encryption so that the certificates in use cannot be replaced unnoticed, which increases security for the encrypted transport of emails and for access to websites. The relevant standards were developed between 2011 and 2015.

DNSSEC stands for Domain Name System Security Extensions, a series of Internet standards that extend the Domain Name System (DNS) with security mechanisms ensuring the authenticity and integrity of DNS data. They allow a DNS participant to verify that the zone data it receives is identical to what the zone operator authorized. DNSSEC was developed to prevent cache poisoning; it secures the transmission of resource records with digital signatures. It does not authenticate servers or clients, and it does not provide confidentiality: DNS data remains unencrypted.

Microsoft rolls out the new feature globally

The new functionality is available immediately (and free of charge) in Exchange Online. SMTP DANE uses a TLS authentication DNS record (TLSA) to verify the identity of a destination mail server. The feature establishes a connection between the sending and receiving mail servers that resists both TLS downgrade attacks and adversary-in-the-middle attacks.

DNSSEC uses cryptographic signatures to ensure that the DNS records of the target domain are authentic and have not been manipulated in transit. Combined, the two standards are meant to prevent spoofing, hijacking and interception of email messages in Exchange Online.
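As an added illustration of the TLSA check described above (this is not code from the Techcommunity article or from Exchange Online), the following Python shows how a sending mail server matches a DNSSEC-validated TLSA record against the certificate the receiving server presents, and why a record that did not pass DNSSEC validation must not be used for pinning. The certificate bytes and the TLSA record are constructed sample data; only DANE-EE (usage 3) is handled.

```python
import hashlib
import hmac

# Added example: the DANE-EE (usage 3) check a sending MTA performs on the
# receiving server's certificate once the TLSA record set has passed DNSSEC
# validation. Record layout follows RFC 6698: usage, selector, matching type,
# certificate association data. All sample bytes below are constructed.

def parse_tlsa(rdata: str):
    """Parse TLSA presentation format, e.g. '3 1 1 <hex digest>'."""
    usage, selector, mtype, assoc = rdata.split(maxsplit=3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(assoc.replace(" ", ""))

def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive the bytes a TLSA record carries for the presented certificate."""
    if selector == 0:
        data = cert_der            # full certificate
    elif selector == 1:
        data = spki_der            # SubjectPublicKeyInfo only
    else:
        raise ValueError(f"unsupported TLSA selector {selector}")
    if mtype == 0:
        return data                # exact match on the raw bytes
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unsupported TLSA matching type {mtype}")

def verify_dane_ee(tlsa_rrset, dnssec_validated: bool, cert_der: bytes, spki_der: bytes) -> str:
    """Return 'no-dane' (records unusable), 'pass' or 'fail'.

    Only DANE-EE (usage 3) is checked; DANE-TA (usage 2) additionally needs
    the certificate chain and is out of scope for this snippet.
    """
    if not dnssec_validated:
        # Without DNSSEC the TLSA data could itself be forged, so it must not
        # be used to pin anything; the MTA treats the domain as having no DANE.
        return "no-dane"
    for rdata in tlsa_rrset:
        usage, selector, mtype, assoc = parse_tlsa(rdata)
        if usage != 3:
            continue
        expected = association_data(selector, mtype, cert_der, spki_der)
        if hmac.compare_digest(expected, assoc):
            return "pass"
    return "fail"   # certificate was replaced, or no usable record present

# Constructed sample data (not real DER) standing in for the receiving server's
# end-entity certificate, its SubjectPublicKeyInfo, and a substituted key.
SAMPLE_CERT_DER = b"constructed-certificate-der-bytes"
SAMPLE_SPKI_DER = b"constructed-subject-public-key-info"
TAMPERED_SPKI_DER = b"substituted-public-key-info"
SAMPLE_TLSA_RRSET = ["3 1 1 " + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest()]
```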

Microsoft published Outbound SMTP DANE with DNSSEC in 2022. In 2024 it followed with the public preview of Inbound SMTP DANE with DNSSEC, and now with the general release. The Techcommunity article gives the following roadmap for the rollout:

  • December 2024 – Inbound SMTP DANE with DNSSEC and MTA-STS report in the Exchange admin center
  • December 2024 – March 2025
    • Deploying Inbound SMTP DANE with DNSSEC for all consumer Outlook and Hotmail domains (as an example –
    • Transition provisioning of mail records for all newly created Accepted Domains into DNSSEC-enabled infrastructure underneath *
  • May 2025 – Mandatory Outbound SMTP DANE, set per-tenant/per-remote domain

Instructions for implementation in a tenant can be found in the article How SMTP DNS-based Authentication of Named Entities (DANE) secures email communications.
