Announcing Public Preview of Inbound SMTP DANE with DNSSEC for Exchange Online
We are thrilled to announce the Public Preview of Inbound SMTP DANE with DNSSEC, a new capability of Exchange Online that enhances the security of email communications by supporting two security standards: DNS-based Authentication of Named Entities (DANE) for SMTP and Domain Name System Security Extensions (DNSSEC).
The Public Preview for Inbound SMTP DANE with DNSSEC is currently rolling out. Instructions for implementing it in your tenant are at How SMTP DNS-based Authentication of Named Entities (DANE) secures email communications. PowerShell cmdlets for implementing SMTP DANE are also available in your tenant.
SMTP DANE and DNSSEC
SMTP DANE uses a TLS Authentication (TLSA) DNS record to verify the identity of a destination mail server and provides a secure connection between sending and receiving mail servers that is resistant to both TLS-downgrade attacks and adversary-in-the-middle attacks (a form of eavesdropping where the communication is monitored or modified by a bad actor).
DNSSEC uses cryptographic signatures to ensure that the destination domain’s DNS records are authentic and were not tampered with in transit.
These two standards work together to prevent spoofing, hijacking, and interception of email messages.
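The sender-side check that these two standards imply can be sketched as follows. This is an added example, not code from Microsoft or Exchange Online. The function names, the result strings and the sample bytes are assumptions made for illustration, and only DANE-EE (usage 3) records are matched; any other DNSSEC-validated TLSA record still makes TLS mandatory, so the sketch fails closed.

```python
import hashlib
from typing import NamedTuple

class TLSA(NamedTuple):
    usage: int     # 3 = DANE-EE: the record pins the server's own certificate
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo (SPKI)
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA presentation format: 'usage selector mtype hex...'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))

def matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare one TLSA record with what the server presented in the TLS handshake."""
    selected = {0: cert_der, 1: spki_der}.get(rec.selector)
    if selected is None:
        return False  # unknown selector: record is unusable
    if rec.mtype == 0:
        candidate = selected
    elif rec.mtype == 1:
        candidate = hashlib.sha256(selected).digest()
    elif rec.mtype == 2:
        candidate = hashlib.sha512(selected).digest()
    else:
        return False  # unknown matching type: record is unusable
    return candidate == rec.data

def delivery_decision(rrset, dnssec, starttls_offered, cert_der, spki_der) -> str:
    """dnssec is the resolver's validation result: 'secure', 'insecure' or 'bogus'."""
    if dnssec == "bogus":
        return "defer"              # signatures failed: DNS answer was tampered with
    if dnssec != "secure" or not rrset:
        return "opportunistic-tls"  # no authenticated DANE policy published
    if not starttls_offered:
        return "defer"              # STARTTLS stripped: refuse the TLS downgrade
    records = [parse_tlsa(r) for r in rrset]
    if any(r.usage == 3 and matches(r, cert_der, spki_der) for r in records):
        return "deliver"
    return "defer"                  # certificate is not the one the domain pinned

# Constructed sample input: placeholder bytes, not real DER encodings.
SPKI = b"constructed-server-spki"
CERT = b"constructed-server-certificate"
RRSET = [f"3 1 1 {hashlib.sha256(SPKI).hexdigest()}"]

if __name__ == "__main__":
    print(delivery_decision(RRSET, "secure", True, CERT, SPKI))
```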
Inbound SMTP DANE with DNSSEC benefits
By using SMTP DANE with DNSSEC, you can:
Better protect your email domain(s) from impersonation;
Help ensure your messages are delivered to the intended recipients using encryption and without being altered or redirected; and
Enhance your email reputation by demonstrating compliance with the latest security standards.
Improving Email Security
We released Outbound SMTP DANE with DNSSEC in 2022, and we’re excited to begin the Public Preview for Inbound SMTP DANE with DNSSEC. We are including Inbound SMTP DANE with DNSSEC in our enterprise and consumer email offerings at no charge as part of our efforts to improve email security for everyone. We urge other email providers and domain owners to adopt these standards and collectively raise the bar for email security and protect users from malicious actors.
We have already implemented inbound SMTP DANE with DNSSEC for several Outlook email domains, and we will complete the implementation for remaining Outlook domains (including Hotmail) by the end of 2024.
We are eager to see the impact of this feature on the email security landscape and we look forward to continuing to innovate and deliver an email offering with industry-leading security like SMTP DANE with DNSSEC.
Opt In to the Public Preview Today
You can opt into the Public Preview today and start using inbound SMTP DANE with DNSSEC by following the enablement steps in this documentation. We welcome your feedback and suggestions for improving this feature, as well.
Email Security Roadmap
Our target dates for upcoming roadmap items are:
August 2024 – Inbound SMTP DANE with DNSSEC and MTA-STS report in the Exchange admin center
October 2024 – General Availability of Inbound SMTP DANE with DNSSEC
End of 2024 – Deploying Inbound SMTP DANE with DNSSEC for all Outlook domains; transitioning provisioning of mail records for all newly created Accepted Domains into DNSSEC-enabled infrastructure underneath *.mx.microsoft
February 2025 – Mandatory Outbound SMTP DANE, set per-tenant/per-remote domain
Learn more about the provisioning change at Implementing Inbound SMTP DANE with DNSSEC for Exchange Online Mail Flow.
Learn more about .microsoft and its subdomains at Introducing cloud.microsoft: a unified domain for Microsoft 365 apps and services.
Feedback
We welcome your feedback and want to hear from you about your experience with Inbound SMTP DANE with DNSSEC. Please comment on this post if you have any feedback or concerns and we will reply or reach out to you directly as needed.
Microsoft 365 Messaging Team (formerly the Exchange Online Transport Team)