DANE support with DNSSEC for Inbound SMTP Exchange Online
Microsoft now support the use of SMTP DANE with DNSSEC to further secure inbound mail flow into Exchange Online. This is free for any Exchange Online licenced mailbox. Microsoft were going to only allow DANE support for E5 licenced mailboxes, but thankfully back-tracked.
SMTP DANE is a new messaging security protocol that leverages DNS to check the authenticity of the certificates used to secure email communication with TLS. This provides protection against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic checks of DNS records. This helps stop DNS spoofing and adversary-in-the-middle attacks.
This is an additional email security measure that should be adopted in addition to SPF, DKIM, and DMARC. My recommendation is to make sure SPF is enforced with the -all suffix, DKIM is used for signing outbound email, and DMARC is set to reject mode. A DMARC monitoring tool is recommended as well.
Other DANE benefits are:
- Helps stop TLS downgrade attacks.
- Ensures email delivery is fully encrypted end to end.
- Enhances your email delivery reputation by using the latest email security standards.
Microsoft are busy in late 2024 and early 2025 adopting SMTP DANE with DNSSEC for their own email domains such as Outlook.com and Hotmail.com.
For Exchange Hybrid customers it is worth noting that support for SMTP DANE with DNSSEC will not be available for the hybrid-used *.onmicrosoft.com domains until a later date. Also, customers who use a third-party gateway in front of Exchange Online will need that platform to support SMTP DANE with DNSSEC in order for Exchange Online to be able to fully adopt its elevated security benefits.
How to Enable SMTP DANE with DNSSEC for Exchange Online
These steps should be used on a non-primary email domain first, to be familiar with the process and to do any testing required.
You need to enable SMTP DANE on a selected custom email domain via Exchange Online PowerShell. You will then be given a new MX target record for your domain that is formatted differently from the current one. Finally, you need to update your DNS MX record to point to the new MX record name. Microsoft recommend initially giving the new record a higher cost (lower priority) and not removing the current priority MX record. This allows for testing before making the new MX record the lower cost (higher priority).
TLSA Record
Check that your DNS provider has a TLSA record present in your public DNS zone file. TLSA stands for TLS Authentication record, and is a required component that validates that your DNS zone file is the authority for your email domain name and cannot be maliciously replaced for any email traffic. DNSSEC needs to be enabled for your email domain by your DNS provider for TLSA to function.
The recommended TLSA configuration for the DNS record is:
- Certificate Usage field set to 3
- Selector field set to 1
- Matching Type field set to 1
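As an added illustration (not code from this post or from Microsoft), the Python below shows what those three values mean when a sending server checks the TLSA record of an MX host: the record is looked up at _25._tcp.<MX host>, and for a 3 1 1 record the hex payload must equal the SHA-256 digest of the certificate's SubjectPublicKeyInfo. The certificate and SPKI bytes here are constructed placeholders, not a real certificate.

```python
import hashlib

# Recommended TLSA parameters from the post: usage 3 (DANE-EE), selector 1 (SPKI),
# matching type 1 (SHA-256), i.e. a "3 1 1" record.
RECOMMENDED = (3, 1, 1)

# Constructed placeholder bytes standing in for a DER certificate and its
# SubjectPublicKeyInfo; a real check would take these from the TLS handshake.
CERT_DER = b"constructed-certificate-der-placeholder"
SPKI_DER = b"constructed-subjectpublickeyinfo-placeholder"
# A constructed "3 1 1" record for the placeholder SPKI.
SAMPLE_RDATA = "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()


def tlsa_owner_name(mx_host: str, port: int = 25) -> str:
    """A sender looks up the MX host's TLSA record at _<port>._tcp.<host> (RFC 7671)."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."


def parse_tlsa(rdata: str):
    """Parse presentation-format rdata 'usage selector mtype hex' and range-check it."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError("TLSA rdata needs exactly four fields")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in range(4) or selector not in range(2) or mtype not in range(3):
        raise ValueError("TLSA field value out of range")
    return usage, selector, mtype, bytes.fromhex(fields[3])


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Data the record must match: selector picks the full certificate (0) or the
    SPKI (1); matching type picks exact bytes (0), SHA-256 (1) or SHA-512 (2)."""
    selected = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return selected
    digest = hashlib.sha256 if mtype == 1 else hashlib.sha512
    return digest(selected).digest()


def tlsa_matches(rdata: str, cert_der: bytes, spki_der: bytes) -> bool:
    """True when the presented certificate satisfies the TLSA record."""
    _usage, selector, mtype, expected = parse_tlsa(rdata)
    return association_data(cert_der, spki_der, selector, mtype) == expected


def is_recommended(rdata: str) -> bool:
    """True when the record uses the 3 1 1 parameters recommended in the post."""
    return parse_tlsa(rdata)[:3] == RECOMMENDED
```

For the MX host used later in this post, tlsa_owner_name("widgets-com.o-v1.mx.microsoft") gives _25._tcp.widgets-com.o-v1.mx.microsoft., which is the name a DANE-aware sender queries (with DNSSEC validation) before trusting the certificate.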
Enable DNSSEC in Exchange Online
For an email domain (widgets.com in this example) that is an Accepted Domain in Exchange Online, start Exchange Online PowerShell and run this command:
Enable-DnssecForVerifiedDomain -DomainName widgets.com
The success output provides the new MX record value, e.g.:
widgets-com.o-v1.mx.microsoft
Go to your DNS provider and leave the existing MX record in place; it is likely to be similar to:
widgets-com.mail.protection.outlook.com (10)
Add New MX Record for DANE DNSSEC
Add a new, additional MX record for:
widgets-com.o-v1.mx.microsoft (20)
Then use this tool to do a basic SMTP inbound test against the new MX record:
https://testconnectivity.microsoft.com/tests/O365InboundSmtp/input
After testing that the new MX record endpoint is working, you can make the new MX record a lower cost (higher priority) than the previous MX record, e.g.:
widgets-com.o-v1.mx.microsoft (10)
widgets-com.mail.protection.outlook.com (20)
Enable DANE DNSSEC Support for Exchange Online
You can now enable DANE support for the email domain in Exchange Online PowerShell:
Enable-SmtpDaneInbound -DomainName widgets.com
Wait 30 minutes, and then do a new SMTP test for DANE support via https://testconnectivity.microsoft.com/tests/O365DaneValidation/input
Success. Your Exchange Online instance now supports SMTP DANE with DNSSEC, and will use this protocol if the sender is also using it.
Continue to enable SMTP DANE DNSSEC support for all of your other email domains. Be aware of any services that use your previous MX FQDN (*.mail.protection.outlook.com), as those sending systems will not be able to send once this MX target is removed from your public DNS zone file.
DANE support is recommended to stay current with email security, as email is targeted via more advanced threat vectors.
Of note is that Microsoft have chosen to not provide DANE support for Exchange 2016/2019.
If you need help or have questions on your SMTP DANE DNSSEC setup please reach out.