Exchange Online Gets Security Upgrade: SMTP DANE with DNSSEC in Public Preview
Microsoft has launched a public preview of incoming SMTP DANE with DNSSEC for Exchange Online, a new feature designed to enhance the integrity and security of email communications. The feature protects against downgrade and man-in-the-middle (MiTM) attacks.
The SMTP DANE security protocol employs the TLS Authentication (TLSA) DNS record to verify the authenticity of destination mail servers and the certificates used to secure communications. This ensures secure connections between sending and receiving servers, preventing downgrade and MiTM attacks, where attackers could intercept or alter messages.
Additionally, DNSSEC (DNS Security Extensions) provides cryptographic validation of DNS records during their transmission, preventing spoofing, hijacking, and interception of email messages.
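The TLSA check and the DNSSEC requirement described above can be sketched from the sending server's side. This is an added example, not Microsoft's code: it follows the sender behaviour in RFC 7672, evaluates only usage 3 (DANE-EE) records, and the certificate bytes, record values and function names are constructed for illustration.

```python
import hashlib

# Constructed stand-ins for the server's DER certificate and its
# SubjectPublicKeyInfo; a real sender takes both from the TLS handshake.
CERT_DER = b"constructed-certificate-der"
SPKI_DER = b"constructed-spki-der"
# Constructed TLSA record: usage 3, selector 1 (SPKI), matching type 1 (SHA-256).
GOOD_RECORD = "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()

def parse_tlsa(rdata):
    """Parse TLSA presentation format: 'usage selector mtype hexdata'."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(data.split()))

def association(selector, mtype, cert_der, spki_der):
    """Value a TLSA record must hold for this certificate, or None if unknown."""
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        return None
    source = cert_der if selector == 0 else spki_der  # 0 = full cert, 1 = SPKI
    if mtype == 0:
        return source                                 # exact match, no hash
    digest = hashlib.sha256 if mtype == 1 else hashlib.sha512
    return digest(source).digest()

def dane_decision(rrset, dnssec_validated, cert_der, spki_der):
    """Sender-side decision for one MX host.

    Assumption of this sketch: only usage 3 is evaluated. Usage 2 (DANE-TA)
    needs chain validation and is treated as unusable here.
    """
    if not rrset or not dnssec_validated:
        return "opportunistic-tls"        # no secure TLSA data: DANE does not apply
    matches = []
    for rdata in rrset:
        usage, selector, mtype, data = parse_tlsa(rdata)
        expected = association(selector, mtype, cert_der, spki_der)
        if usage == 3 and expected is not None:
            matches.append(expected == data)
    if not matches:
        return "tls-required-unauthenticated"
    # A signed TLSA set with no match means defer: no fallback to
    # cleartext or to an unverified certificate.
    return "deliver" if any(matches) else "defer"
```

The "defer" branch is what blocks a downgrade: once a DNSSEC-validated TLSA record exists, a mismatched certificate stops delivery instead of triggering a weaker connection.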
The implementation of SMTP DANE with DNSSEC in Exchange Online will safeguard email domains from impersonation, ensure message delivery only to intended recipients using encryption, and enhance email reputation by adhering to security standards.
The Exchange team has unveiled a deployment roadmap, stating that the new feature will be rolled out to all Outlook domains by the end of 2024. Microsoft will offer this feature to both corporate and home users at no cost and has announced that it is already enabled for some Outlook domains.
The incoming SMTP DANE with DNSSEC will be disabled by default. If you do not wish to enable this feature, no action is required. If you want to enable the option, follow the instructions in Microsoft’s documentation.
The company first announced its plans for public testing in September 2023, scheduling it from March to July 2024. However, due to additional security investments identified during private testing, the timeline was delayed.