Exchange Online Gets Inbound SMTP DANE with DNSSEC to Boost Protection Against Cyberattacks
Microsoft has introduced support for Inbound SMTP DANE with DNSSEC for Exchange Online customers.
Published: Oct 29, 2024
Key Takeaways:
- Microsoft’s integration of SMTP DANE with DNSSEC for Exchange Online boosts email security by verifying server identities and enforcing encrypted communication.
- This security feature helps prevent TLS downgrade and DNS spoofing attacks.
- Microsoft will make SMTP DANE mandatory for outbound emails by May 2025.
Microsoft has announced the general availability of inbound SMTP DANE with DNSSEC for Exchange Online customers. This feature is designed to strengthen email security by integrating two advanced security standards.
Microsoft introduced the public preview of DANE with DNSSEC support for inbound email in June 2024. SMTP DANE (DNS-based Authentication of Named Entities) is a security protocol that uses DNS to verify certificate authenticity, ensuring secure email communication with TLS (Transport Layer Security) and preventing TLS downgrade attacks.
On the other hand, DNSSEC (Domain Name System Security Extensions) is a set of DNS extensions that provide cryptographic verification of DNS records. It helps to prevent DNS spoofing and adversary-in-the-middle attacks.
What are the benefits of SMTP DANE with DNSSEC?
Microsoft emphasized that SMTP DANE with DNSSEC brings valuable security and compliance benefits for Exchange Online customers. It prevents downgrade attacks by ensuring email communication always uses TLS and relies on DNSSEC-backed records to validate server identities.
SMTP DANE with DNSSEC allows organizations to ensure that email data is encrypted and the recipient server is authenticated. It also helps demonstrate compliance with industry security standards for email communication.
“Inbound SMTP DANE with DNSSEC will continue to be included in enterprise and consumer email offerings at no charge, as part of our efforts to improve email security. Other email providers and domain owners are encouraged to adopt these standards to collectively enhance email security and protect users from malicious actors,” the Exchange team explained.
Microsoft has already implemented SMTP DANE with DNSSEC support across several Outlook email domains and plans to extend this feature to all consumer Outlook and Hotmail domains by the end of this year. It will be mandatory for outbound emails to use DANE for SMTP by May 2025, which will be configured on a per-tenant or per-remote domain basis.