Microsoft has announced the public preview of Inbound SMTP DANE with DNSSEC for Exchange Online. This new capability integrates two key security standards: DNS-based Authentication of Named Entities (DANE) for SMTP and Domain Name System Security Extensions (DNSSEC).
SMTP DANE enhances the security of email communications by using TLS Authentication (TLSA) DNS records to verify the identity of destination mail servers. This ensures a secure connection between sending and receiving servers, making it resistant to TLS-downgrade and adversary-in-the-middle attacks. It protects against eavesdropping and data manipulation by verifying that emails are transmitted over an encrypted connection to the correct server.
DNSSEC, on the other hand, adds a layer of security by using cryptographic signatures to ensure that DNS records are authentic and have not been tampered with in transit. This combination of DANE and DNSSEC effectively prevents email spoofing, hijacking, and interception, enhancing overall email security.
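As an added illustration (not Microsoft's code), the Python sketch below shows how a sending server compares a TLSA record with the certificate the receiving server presents, using the RFC 6698 field layout of usage, selector, matching type and association data. It covers only usage 3 (DANE-EE); the function names and sample bytes are constructed for this example, and the TLSA record set is assumed to have already passed DNSSEC validation.

```python
import hashlib

# Matching types from RFC 6698: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
MATCHERS = {
    0: lambda data: data,
    1: lambda data: hashlib.sha256(data).digest(),
    2: lambda data: hashlib.sha512(data).digest(),
}

def parse_tlsa(rdata):
    """Parse presentation-format TLSA rdata: 'usage selector mtype hex [hex ...]'."""
    usage, selector, mtype, *hex_parts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hex_parts))

def tlsa_matches(rdata, cert_der, spki_der):
    """True if one TLSA record matches the certificate presented in the handshake."""
    try:
        usage, selector, mtype, assoc = parse_tlsa(rdata)
    except ValueError:
        return False  # malformed record: unusable, never a match
    # This sketch checks only DANE-EE (usage 3), where the record pins the
    # server's own certificate (selector 0) or its public key (selector 1).
    if usage != 3 or selector not in (0, 1) or mtype not in MATCHERS:
        return False
    selected = cert_der if selector == 0 else spki_der
    return MATCHERS[mtype](selected) == assoc

def dane_ee_ok(rrset, cert_der, spki_der):
    """The server is authenticated if any record in the validated RRset matches."""
    return any(tlsa_matches(r, cert_der, spki_der) for r in rrset)

# Constructed stand-ins for DER bytes; a real check uses the handshake certificate
# and the SubjectPublicKeyInfo extracted from it.
SAMPLE_CERT = b"constructed-certificate-der"
SAMPLE_SPKI = b"constructed-spki-der"
SAMPLE_RRSET = [
    "3 1 1 " + hashlib.sha256(b"old-rotated-key").hexdigest(),  # stale pin
    "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest(),         # current pin
]
```

A `False` result from `dane_ee_ok` is the case that produces a non-delivery report: the sender refuses to deliver rather than fall back to an unauthenticated connection.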
The public preview is currently being rolled out, with implementation instructions available for those interested. This feature aims to provide multiple benefits:
- Enhanced Domain Protection: By implementing these standards, email domains are better protected from impersonation attempts.
- Secure Message Delivery: Ensures that messages are delivered to intended recipients using encryption, reducing the risk of alteration or redirection.
- Improved Email Reputation: Demonstrates compliance with the latest security standards, which can enhance the domain’s reputation.
Microsoft is not new to this arena; it introduced Outbound SMTP DANE with DNSSEC in 2022. Now, the company is extending these protections to inbound email traffic. This move is part of a broader effort to improve email security for all users, offering this feature at no additional charge.
The company has already implemented the feature for several Outlook domains and plans to complete the rollout for all Outlook domains, including Hotmail, by the end of 2024. Additionally, Microsoft has outlined a roadmap with key dates:
- August 2024: Introduction of the MTA-STS report in the Exchange admin center alongside Inbound SMTP DANE with DNSSEC.
- October 2024: General availability of Inbound SMTP DANE with DNSSEC.
- End of 2024: Full deployment for all Outlook domains and transition to a DNSSEC-enabled infrastructure for newly created domains.
- February 2025: Outbound SMTP DANE becomes mandatory on a per-tenant/per-remote domain basis.
Enhancements that boost security without requiring tenant administrator involvement are always appreciated. With extensive testing and preparation, the rollout of inbound SMTP DANE with DNSSEC should proceed seamlessly. Should any issues arise, such as non-delivery reports from failed validations, remember it’s not your system at fault. Direct those concerns to the administrators managing those domains.