Microsoft announced today that inbound SMTP DANE with DNSSEC for Exchange Online, a new capability to boost email security and integrity, is now generally available.
The company announced in September 2023 a public preview that would roll out from March to July 2024. However, it was forced to delay it because of “necessary security investments” identified during the Private Preview stage, and the public preview started this July.
Redmond will provide this new capability to home and enterprise customers for free and says it has already been enabled for some Outlook domains.
“Inbound SMTP DANE with DNSSEC has already been implemented for several Outlook email domains, and implementation for the remaining Outlook and Hotmail domains for consumer email is expected to be completed by the end of 2024,” the Microsoft 365 Messaging Team said on Monday.
With inbound support now available to all tenants, Exchange Online's SMTP DANE with DNSSEC coverage is complete in both directions: outbound SMTP DANE with DNSSEC has been supported since March 2022.
The Exchange Team also shared a rollout roadmap today, which reveals that Microsoft will deploy this new capability across all consumer Outlook and Hotmail domains by March 2025:
- December 2024 – Inbound SMTP DANE with DNSSEC and MTA-STS report in the Exchange admin center
- December 2024 – March 2025:
  - Deploying Inbound SMTP DANE with DNSSEC for all consumer Outlook and Hotmail domains (for example, hotmail.nl)
  - Transitioning provisioning of mail records for all newly created Accepted Domains into DNSSEC-enabled infrastructure underneath *.mx.microsoft
- May 2025 – Mandatory Outbound SMTP DANE, set per-tenant/per-remote domain
As the Exchange team explained today, Domain Name System Security Extensions (DNSSEC) and DNS-based Authentication of Named Entities (DANE) for SMTP defend against downgrade and man-in-the-middle (MiTM) attacks.
The SMTP DANE security protocol verifies the authenticity of the certificates used to secure email communication and the identity of destination mail servers via a TLS Authentication (TLSA) DNS record. This helps block TLS downgrade and MiTM attacks (in which malicious actors alter or snoop on a target’s messages) by ensuring secure connections between sending and receiving servers.
DNSSEC adds cryptographic signatures to DNS records so that resolvers can verify the records were not altered in transit, which prevents the spoofing or hijacking of a domain's mail records and the interception of email that would follow from it.
Once enabled, Inbound SMTP DANE with DNSSEC protects Exchange Online email domains from impersonation and ensures that email is delivered to the intended recipient over an encrypted, authenticated connection, without being redirected or modified along the way.
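To make the verification concrete, here is an added example (not code from Microsoft or from the article) of the check a sending server performs against a receiving domain's TLSA record, and of how the DNSSEC status of that lookup decides whether mail may fall back to ordinary opportunistic TLS. The certificate bytes and TLSA record are constructed stand-ins, and the status strings are assumed labels for the resolver's verdict.

```python
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE: the record pins the receiving server's own certificate
    selector: int   # 0 = full certificate (DER), 1 = SubjectPublicKeyInfo (DER)
    matching: int   # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse the zone-file presentation form, e.g. '3 1 1 <hex digest>' (RFC 6698)."""
    usage, selector, matching, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex(hexdata.replace(" ", "")))


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE check: does this TLSA record pin the certificate the server presented?"""
    if rec.usage != 3 or rec.selector not in (0, 1) or rec.matching not in (0, 1, 2):
        return False  # usage 2 (DANE-TA) needs chain building and is outside this example
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.matching == 0:
        return selected == rec.data
    digest = hashlib.sha256 if rec.matching == 1 else hashlib.sha512
    return digest(selected).digest() == rec.data


def dane_decision(dnssec_status: str, records: List[TLSA], cert_der: bytes, spki_der: bytes) -> str:
    """Sender-side outcome in the spirit of RFC 7672. dnssec_status is the resolver's verdict
    on the TLSA lookup: 'secure', 'insecure' (zone unsigned) or 'bogus' (validation failed)."""
    if dnssec_status == "bogus":
        return "defer"  # tampered or broken DNSSEC: never fall back to cleartext
    if dnssec_status != "secure" or not records:
        return "opportunistic-tls"  # no trustworthy TLSA data: plain opportunistic STARTTLS
    if any(tlsa_matches(r, cert_der, spki_der) for r in records):
        return "deliver-authenticated"
    return "defer"  # TLSA present but the certificate does not match: refuse, do not downgrade


# Constructed sample input (not real certificate material): stand-ins for the DER bytes a
# sender would take from the receiving server's TLS handshake.
SAMPLE_CERT_DER = b"\x30\x82constructed-leaf-certificate"
SAMPLE_SPKI_DER = b"\x30\x59constructed-subject-public-key-info"
SAMPLE_TLSA = parse_tlsa("3 1 1 " + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest())

if __name__ == "__main__":
    print(dane_decision("secure", [SAMPLE_TLSA], SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
```

The key property is that once a DNSSEC-validated TLSA record exists, a certificate mismatch or a broken signature chain results in deferral rather than a silent fall back to unauthenticated or plaintext delivery.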
Microsoft provides more details on implementing Inbound SMTP DANE with DNSSEC for Exchange Online mail flow in this tech community post.