Announcing General Availability of Inbound SMTP DANE with DNSSEC for Exchange Online

Today we are excited to announce the general availability of Inbound SMTP DANE with DNSSEC! This new feature in Exchange Online enhances the security of email communications by supporting two security standards: DNS-based Authentication of Named Entities (DANE) for SMTP and Domain Name System Security Extensions (DNSSEC).

Here are instructions for implementation in your tenant: How SMTP DNS-Based Named Entity Authentication (DANE) Secures Email Communications. We are actively updating our documentation to remove preview representations.

SMTP DANE with DNSSEC provides secure connections between mail servers that are resistant to both TLS downgrade attacks and man-in-the-middle attacks (a form of eavesdropping in which malicious actors monitor or modify communications).

Here’s how it works:

1. DNSSEC: Protects DNS queries from tampering by using cryptographic signatures to ensure the integrity of DNS records. Prevents attacks such as DNS spoofing.
2. DANE for SMTP: Use DNSSEC to securely advertise Transport Layer Security (TLS) certificates for your email servers through TLS Authentication (TLSA) DNS records. This allows email servers to enforce encrypted communication (SMTP over TLS) and ensure that connections are only established with servers that use valid certificates.

Using SMTP DANE with DNSSEC has many security and compliance benefits, including:

• Prevent downgrade attacks: Email communications always use TLS to prevent fallback to insecure connections.
• Increased security: Verifies server identity through trusted DNSSEC-enabled records, making man-in-the-middle attacks more difficult.
• Integrity and Confidentiality: Better protects your email domain from impersonation by ensuring that email data is encrypted and recipient servers are authenticated.
• Compliance: Using SMTP DANE with DNSSEC helps you improve your email reputation by demonstrating compliance with industry security standards.

Outbound SMTP DANE with DNSSEC was released in 2022, and Inbound SMTP DANE with DNSSEC is now generally available. Inbound SMTP DANE with DNSSEC will continue to be included free of charge in our business and consumer email products in an effort to improve email security. We encourage other email providers and domain owners to adopt these standards to comprehensively enhance email security and protect users from malicious actors.

Inbound SMTP DANE with DNSSEC has already been implemented for several Outlook email domains, and implementation for the remaining Outlook and Hotmail domains for consumer email is expected to be completed by the end of 2024.

Exchange Online is excited about the impact SMTP DANE with DNSSEC will have on the email security landscape and is committed to providing the most secure email products in the industry, such as SMTP DANE with DNSSEC.

Target dates for future roadmap items are:

• December 2024 – Inbound SMTP DANE with DNSSEC and MTA-STS reports in Exchange admin center
• December 2024 – March 2025
• Deploy inbound SMTP DANE with DNSSEC for all consumer Outlook and Hotmail domains (e.g. hotmail.nl)
• Conversion provisioning of all mail records newly created Whitelisted domains for DNSSEC-enabled infrastructure under *.mx.microsoft
• May 2025 – Required Outbound SMTP DANE, per-tenant/per-remote domain settings

Learn more about provisioning changes. Implementing Inbound SMTP DANE Using DNSSEC for Exchange Online Mail Flow.

Learn more about .microsoft and its subdomains. Introducing cloud.microsoft: A unified domain for Microsoft 365 apps and services.

We welcome your feedback on Inbound SMTP DANE with DNSSEC, especially the activation process. If you have any feedback or concerns, please leave a comment on this post and we will respond directly or contact you as necessary.

Microsoft 365 Messaging Team