Exchange Online to Introduce SMTP DANE with DNSSEC Support for Inbound Emails


Key Takeaways:

  • Microsoft is preparing to introduce inbound SMTP DANE with DNSSEC support for Exchange Online in 2024.
  • Together, the two protocols are meant to give mail delivered to Exchange Online encrypted and authenticated transport and to harden it against adversary-in-the-middle attacks.
  • Microsoft recommends that IT admins prepare for the change, and it will provide tools to assist with the migration.

Microsoft announced this week plans to release the public preview of Inbound SMTP DANE with DNSSEC support for Exchange Online in 2024. The new tamper protection capabilities aim to bolster defenses against adversary-in-the-middle attacks in email communications.

Specifically, Microsoft will enable two internet standards for Exchange Online: DNS-based Authentication of Named Entities (DANE) for SMTP and the Domain Name System Security Extensions (DNSSEC). With DANE for SMTP, the receiving domain publishes TLSA records in DNS that pin the certificate (or issuing CA) its mail servers present during the STARTTLS handshake, so a sending server can detect a downgrade to cleartext or a forged certificate instead of accepting whatever the connection offers. DNSSEC signs the DNS records themselves, letting resolvers cryptographically verify that the MX and TLSA answers are authentic rather than spoofed by an attacker between the sender and the DNS. DANE depends on this: an unsigned TLSA record could be tampered with just as easily as the TLS session it is meant to protect.
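The interplay described above, namely the TLSA match against the presented certificate and the way the DNSSEC validation status gates the whole decision, as an added illustration. This is example code written for this page, not Microsoft's or Exchange Online's implementation. The DNS answers, their "secure"/"insecure"/"bogus" statuses and the certificate byte strings are constructed placeholders; a real SMTP client would obtain them from a validating resolver and the STARTTLS handshake, and would also perform PKIX path validation for the DANE-TA case, which is left out here.

```python
"""
Illustrative DANE-for-SMTP (RFC 7672) decision logic.

The 'DNS answer' and 'certificate chain' below are constructed in-memory
stand-ins (plain byte strings, not real DER), used only to show how the
TLSA match and the DNSSEC validation status drive the sender's decision.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

# TLSA field values (RFC 6698 / RFC 7218 mnemonics). RFC 7672 treats the
# PKIX-TA(0) and PKIX-EE(1) usages as unusable for SMTP, so only 2 and 3 count.
DANE_TA, DANE_EE = 2, 3
SEL_CERT, SEL_SPKI = 0, 1                      # full certificate vs. SubjectPublicKeyInfo
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes

    @classmethod
    def parse(cls, presentation: str) -> "TLSA":
        """Parse presentation format such as '3 1 1 <hex>' (as shown by dig)."""
        usage, selector, matching, *hexparts = presentation.split()
        return cls(int(usage), int(selector), int(matching),
                   bytes.fromhex("".join(hexparts)))

    def usable(self) -> bool:
        return (self.usage in (DANE_TA, DANE_EE)
                and self.selector in (SEL_CERT, SEL_SPKI)
                and self.matching in (MATCH_FULL, MATCH_SHA256, MATCH_SHA512))


def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching: int) -> bytes:
    """Value the TLSA 'certificate association data' must equal for this certificate."""
    selected = cert_der if selector == SEL_CERT else spki_der
    if matching == MATCH_FULL:
        return selected
    if matching == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def tlsa_rdata(spki_der: bytes) -> str:
    """The '3 1 1' record RFC 7672 recommends an MX host publish for its key."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


@dataclass
class DnsAnswer:
    status: str        # validating resolver's verdict: "secure", "insecure" or "bogus"
    tlsa: List[str]    # TLSA records for the MX host in presentation format


def dane_decision(answer: DnsAnswer, chain: List[Tuple[bytes, bytes]]) -> str:
    """
    How an SMTP client should treat the MX host. chain[0] is the end-entity
    certificate as (cert DER, SPKI DER); later entries are the issuers it sent.
      "defer"               DNSSEC validation failed, or TLSA published but nothing matched
      "opportunistic"       no DNSSEC-secured TLSA RRset, so DANE does not apply
      "tls-unauthenticated" TLSA published but all records unusable: TLS still required
      "authenticated"       a usable TLSA record matched the presented chain
    """
    if answer.status == "bogus":
        return "defer"                 # a bogus answer is a lookup failure, never a fallback
    if answer.status != "secure" or not answer.tlsa:
        return "opportunistic"         # unsigned TLSA data could be spoofed, so it is ignored
    usable = [r for r in map(TLSA.parse, answer.tlsa) if r.usable()]
    if not usable:
        return "tls-unauthenticated"   # RFC 7672 s3.1.2: the RRset still proves TLS support
    for rec in usable:
        # DANE-EE pins the leaf itself (no name or expiry check is needed);
        # DANE-TA pins an issuer, which must also chain to the leaf (path
        # validation is left out of this illustration).
        candidates = chain[:1] if rec.usage == DANE_EE else chain[1:]
        if any(association_data(c, k, rec.selector, rec.matching) == rec.data
               for c, k in candidates):
            return "authenticated"
    return "defer"


# --- constructed sample data (placeholder bytes, not real certificates) ---
LEAF = (b"constructed leaf certificate DER", b"constructed leaf SPKI DER")
ISSUER = (b"constructed issuer certificate DER", b"constructed issuer SPKI DER")
CHAIN = [LEAF, ISSUER]
EE_RRSET = [tlsa_rdata(LEAF[1])]                                        # matches the leaf key
TA_RRSET = ["2 0 2 " + hashlib.sha512(ISSUER[0]).hexdigest()]           # pins the issuer cert
ROTATED_CHAIN = [(b"rotated leaf DER", b"rotated leaf SPKI"), ISSUER]   # key changed, TLSA not

if __name__ == "__main__":
    for status in ("secure", "insecure", "bogus"):
        print(f"{status:8} + matching TLSA -> {dane_decision(DnsAnswer(status, EE_RRSET), CHAIN)}")
    print(f"secure + rotated key   -> {dane_decision(DnsAnswer('secure', EE_RRSET), ROTATED_CHAIN)}")
```

The rotated-key case is the operational failure mode worth remembering: once a receiving domain publishes TLSA records, every certificate or key rollover on its MX hosts must be mirrored in DNS (and respect the TLSA TTL), or DANE-aware senders will stop delivering rather than fall back to cleartext. That is one reason Microsoft is moving inbound mail flow onto DNS infrastructure it manages end to end.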

Microsoft introduced outbound support for both protocols in March 2022, so Exchange Online already honors DANE and DNSSEC when sending to other domains. The second phase, starting in March 2024, brings the same protection to inbound mail delivered to Exchange Online. As part of this change, Microsoft will begin switching the Exchange Online hostnames that customers' mail-flow DNS records point to (the "A record" domains, in Microsoft's wording) from mail.protection.outlook.com to new subdomains under mx.microsoft.

“To support inbound SMTP DANE with DNSSEC, we built new DNS infrastructure for Exchange Online that will be secured by DNSSEC. This new architecture will impact legacy Exchange Online DNS infrastructure, specifically the domain mail.protection.outlook.com which is the domain that hosts current customers’ A records for mail flow to Exchange Online,” the Exchange team explained.


What does this change mean for IT admins?

Microsoft notes that the transition will begin in March 2024 as an opt-in public preview and is expected to complete in December 2024. The company warned that IT admins who have hard-coded the existing mail.protection.outlook.com domain in their DNS records will need to prepare for the change. It is also important to check any auto-provisioning processes, scripts or templates that could still reference the older mail.protection.outlook.com domain, since those would keep recreating records that point at the legacy infrastructure.

In March 2024, Microsoft plans to release new tools to help organizations migrate their mail-flow DNS records via the Microsoft 365 admin center or Exchange Online PowerShell, including a new wizard to switch DNS records to the DNSSEC-secured domains. Note that this wizard applies only to accepted domains created before July 2024.