Microsoft has released the public version of the incoming SMTP DANE with DNSSEC for Exchange Online. This new feature aims to enhance the integrity and security of emails, protecting against downgrade attacks and man-in-the-middle attacks.
The SMTP DANE security protocol uses the TLS Authentication (TLSA) DNS record to verify the authenticity of destination mail servers and their certificates, ensuring secure connections between sending and receiving servers. This helps prevent downgrade attacks and man-in-the-middle attacks, in which attackers can intercept or modify messages.
In addition, the DNSSEC security extensions provide cryptographic validation of DNS records during transmission, preventing spoofing, tampering, and interception of email messages.
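The sender-side check described in the two paragraphs above can be sketched as follows; this is an added example, not Microsoft's code. The function names, the `decide` outcomes and the sample bytes are constructed for illustration, only DANE-EE records (usage 3) are evaluated, and the fail-closed behaviour follows RFC 7672.

```python
import hashlib
import hmac
from typing import NamedTuple

class TLSA(NamedTuple):
    usage: int     # 3 = DANE-EE: record pins the server's own certificate
    selector: int  # 0 = whole certificate, 1 = SubjectPublicKeyInfo only
    mtype: int     # 0 = raw bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA presentation format, e.g. '3 1 1 <hex digest>'."""
    usage, selector, mtype, *hex_parts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex("".join(hex_parts)))

def matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if a DANE-EE record matches what the server presented."""
    if rec.usage != 3 or rec.selector not in (0, 1):
        return False
    selected = spki_der if rec.selector == 1 else cert_der
    if rec.mtype == 1:
        selected = hashlib.sha256(selected).digest()
    elif rec.mtype == 2:
        selected = hashlib.sha512(selected).digest()
    elif rec.mtype != 0:
        return False
    return hmac.compare_digest(selected, rec.data)

def decide(rrset, dnssec_validated, starttls_offered, cert_der, spki_der) -> str:
    """Sender-side decision for one MX host (hypothetical outcome labels)."""
    if not dnssec_validated or not rrset:
        return "opportunistic"  # no authenticated DANE policy to enforce
    if not starttls_offered:
        return "defer"          # policy exists but TLS is missing: no plaintext fallback
    records = [parse_tlsa(r) for r in rrset]
    if any(matches(r, cert_der, spki_der) for r in records):
        return "deliver"
    return "defer"              # presented certificate is not pinned in DNS

# Constructed sample data (placeholder bytes, not real DER encodings).
CERT = b"constructed-certificate-der"
SPKI = b"constructed-spki-der"
RRSET = ["3 1 1 " + hashlib.sha256(SPKI).hexdigest()]

if __name__ == "__main__":
    print(decide(RRSET, True, True, CERT, SPKI))          # genuine server
    print(decide(RRSET, True, True, CERT, b"other-key"))  # substituted key
    print(decide(RRSET, True, False, CERT, SPKI))         # STARTTLS stripped
```

The two `defer` cases are the downgrade and man-in-the-middle scenarios: once a DNSSEC-validated TLSA record exists, the sender holds the message rather than falling back to plaintext or an unpinned certificate.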
Implementing SMTP DANE with DNSSEC in Exchange Online will safeguard email domains from impersonation, ensure messages are delivered only to intended recipients using encryption, and boost email reputation through compliance with security standards.
The Exchange team has outlined a deployment roadmap, with plans to roll out the new feature across all Outlook domains by the end of 2024. Microsoft will offer this capability to both corporate and home users at no cost and states that it is already enabled for some Outlook domains.
The incoming SMTP DANE with DNSSEC will be disabled by default. Users who wish to enable this option can follow the instructions provided in Microsoft’s documentation.
The company first announced plans for public testing in September 2023, originally scheduled from March to July 2024. However, due to the need for additional security investments identified during private testing, the deadline has been postponed.