Microsoft Boosts Email Security with General Availability of Inbound SMTP DANE with DNSSEC
Microsoft announced today that the highly anticipated feature, Inbound SMTP DANE with DNSSEC for Exchange Online, is now generally available. This powerful new capability significantly enhances email security and integrity, protecting users against sophisticated attacks.
Back in September 2023, Microsoft introduced a public preview of inbound SMTP DANE with DNSSEC, initially planned to roll out from March to July 2024. However, additional security measures identified during the private preview stage necessitated a delay. The public preview finally commenced in July. Now, Microsoft is providing this vital security enhancement at no additional cost to home and enterprise customers.
“Inbound SMTP DANE with DNSSEC has already been implemented for several Outlook email domains, and implementation for the remaining Outlook and Hotmail domains for consumer email is expected to be completed by the end of 2024,” stated the Microsoft 365 Messaging Team.
Completing Exchange Online’s SMTP DANE Suite
With inbound SMTP DANE with DNSSEC now live, Microsoft completes Exchange Online’s SMTP DANE with DNSSEC support, building on the outbound functionality introduced in March 2022. According to Microsoft, this ensures comprehensive protection for email communications entering and leaving Exchange Online.
Rollout Roadmap: Bringing Enhanced Security to All Consumers
Microsoft shared a detailed roadmap outlining the phased rollout strategy:
- December 2024: Inbound SMTP DANE with DNSSEC and MTA-STS report available in the Exchange admin center.
- December 2024 – March 2025: Deploy Inbound SMTP DANE with DNSSEC for all consumer Outlook and Hotmail domains (e.g. hotmail.nl).
- May 2025: Mandatory Outbound SMTP DANE, set per-tenant/per-remote domain.
- Transition provisioning of mail records for all newly created Accepted Domains into DNSSEC-enabled infrastructure underneath *.mx.microsoft.
Understanding DNSSEC and DANE: How They Shield Your Emails from Threats
SMTP DANE (DNS-based Authentication of Named Entities) operates in conjunction with DNSSEC (Domain Name System Security Extensions) to provide a robust defense against email vulnerabilities. Here’s how it works:
- **SMTP DANE:** Authenticates email sending servers through TLS Authentication records (TLSA) placed in DNS. This validation ensures that emails originate from legitimate sources, preventing unauthorized impersonation.
- **DNSSEC:** Protects DNS records during transmission by adding cryptographic signatures. It prevents DNS spoofing and hijacking, ensuring message integrity.
Together, DNSSEC and SMTP DANE safeguard email communication:
- **Block TLS Downgrade Attacks:** Prevents malicious actors from forcing insecure email connections.
- **Prevent Man-in-the-Middle Attacks:** Stops attackers from intercepting and modifying sensitive email messages.
Once enabled, inbound SMTP DANE with DNSSEC for Exchange Online ensures message authenticity, protects against tampering, and guarantees secure email delivery, providing users peace of mind.
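The sender-side check behind the two protections listed above, as an added example that is not Microsoft's or Exchange Online's code: a sending mail server compares the certificate presented by the receiving MX host with the DNSSEC-validated TLSA records, and defers delivery instead of falling back to an unverified or cleartext connection. It is a simplified model of RFC 7672 behaviour that handles only DANE-EE (usage 3) records; the function names, status strings and sample bytes are constructed for illustration.

```python
import hashlib
import hmac

# Constructed placeholder bytes for the example, not real DER structures.
CERT = b"constructed-certificate-der"
SPKI = b"constructed-subject-public-key-info"
RRSET = ["3 1 1 " + hashlib.sha256(SPKI).hexdigest()]  # usage, selector, matching type, data
HASHES = {1: hashlib.sha256, 2: hashlib.sha512}        # RFC 6698 matching types 1 and 2


def parse_tlsa(rdata):
    """Parse TLSA presentation format: '<usage> <selector> <mtype> <hex data>'."""
    usage, selector, mtype, *hex_parts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hex_parts))


def tlsa_matches(rdata, cert_der, spki_der):
    """True if a DANE-EE record matches what the receiving server presented."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    if usage != 3 or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False  # outside this sketch (DANE-TA, usage 2, needs chain validation)
    selected = spki_der if selector == 1 else cert_der  # 1 = public key, 0 = full cert
    digest = selected if mtype == 0 else HASHES[mtype](selected).digest()
    return hmac.compare_digest(digest, data)


def delivery_decision(dnssec_status, tlsa_rrset, starttls_offered, cert_der, spki_der):
    """Return 'deliver-authenticated', 'deliver-opportunistic' or 'defer'."""
    if dnssec_status == "bogus":
        return "defer"                  # signature validation failed: possible DNS spoofing
    if dnssec_status != "secure" or not tlsa_rrset:
        return "deliver-opportunistic"  # no DANE policy published for this MX host
    if not starttls_offered:
        return "defer"                  # STARTTLS stripped: no fallback to cleartext
    if any(tlsa_matches(r, cert_der, spki_der) for r in tlsa_rrset):
        return "deliver-authenticated"
    return "defer"                      # presented certificate matches no TLSA record
```
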