Microsoft is making inbound SMTP DANE with DNSSEC generally available to customers of Exchange Online, the mail and collaboration software in Microsoft 365. This should help strengthen email security, especially for government agencies and other industries that have high-security requirements.
DANE (DNS-based Authentication of Named Entities) and DNSSEC (Domain Name System Security Extensions) work together to protect emails from man-in-the-middle attacks, downgrade attacks, and spoofing. Both protocols secure emails by ensuring an encrypted connection and verifying the identity of email servers through DNS signatures. This reduces the chances that malicious parties can impersonate legitimate email servers and intercept messages.
Outbound SMTP DANE mandatory by May 2025
In 2022, Microsoft introduced outbound SMTP DANE with DNSSEC, laying a foundation for broader adoption of these standards. With the addition of the inbound functionality, Microsoft is enabling a future-proof email security policy, the company said in a post, which also links to an explanation of how to set up the protocols on a per-tenant basis.
The additional security layer will also become available for Outlook and Hotmail domains in the coming months. Microsoft further announced in the post that outbound SMTP DANE will become mandatory by May 2025, configurable per tenant and remote domain.
Multi-layered approach
DANE enables secure connections between mail servers based on DNS data. It uses TLSA records in the DNS to indicate which certificates can be trusted. That prevents e-mails from being intercepted or manipulated in transit by malicious servers. DNSSEC, in turn, is an extension of the DNS that adds cryptographic signatures to DNS records, making it possible to verify that the data has not been altered. Together, the two form a multi-layered security approach.
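How a sending server can compare a TLSA record with the certificate a receiving server presents, as an added example that is not from Microsoft or the original article. The certificate is a constructed toy DER structure, the function names are hypothetical, and DNSSEC validation of the TLSA answer and signature checks on the chain are assumed to happen elsewhere.

```python
import hashlib, hmac

def _tlv(buf, off):
    """Read one DER TLV at `off`; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def spki_from_cert(der):
    """Extract the DER SubjectPublicKeyInfo from an X.509 certificate."""
    _, off, _ = _tlv(der, 0)                       # Certificate
    _, off, _ = _tlv(der, off)                     # tbsCertificate
    tag, _, nxt = _tlv(der, off)
    off = nxt if tag == 0xA0 else off              # skip optional [0] version
    for _field in range(5):                        # serial, sigAlg, issuer, validity, subject
        _, _, off = _tlv(der, off)
    return der[off:_tlv(der, off)[2]]

HASHES = {"0": lambda b: b, "1": lambda b: hashlib.sha256(b).digest(),
          "2": lambda b: hashlib.sha512(b).digest()}

def tlsa_matches(record, cert_der):
    """True if one TLSA record ('usage selector mtype hex') matches cert_der."""
    _usage, selector, mtype, hexdata = record.split(None, 3)
    if selector not in ("0", "1") or mtype not in HASHES:
        return False                               # unknown parameters: record unusable
    selected = cert_der if selector == "0" else spki_from_cert(cert_der)
    return hmac.compare_digest(HASHES[mtype](selected), bytes.fromhex("".join(hexdata.split())))

def dane_smtp_ok(rrset, chain):
    """chain[0] is the server certificate. For SMTP only usages 2 and 3 are usable."""
    for rec in rrset:
        usage = rec.split()[0]
        if usage == "3" and tlsa_matches(rec, chain[0]):        # DANE-EE: pins the leaf
            return True
        if usage == "2" and any(tlsa_matches(rec, c) for c in chain[1:]):
            return True        # DANE-TA, simplified: chain signature checks omitted
    return False

def _der(tag, body):                               # sample builder, short lengths only
    return bytes([tag, len(body)]) + body

# Constructed toy structure with a certificate's field layout (not a real certificate).
SPKI = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00" + b"constructed-key"))
TBS = _der(0x30, _der(0xA0, _der(2, b"\x02")) + _der(2, b"\x01") + _der(0x30, b"") * 4 + SPKI)
LEAF = _der(0x30, TBS + _der(0x30, b"") + _der(0x03, b"\x00"))
RRSET = ["3 1 1 " + hashlib.sha256(SPKI).hexdigest()]   # constructed TLSA record
print(dane_smtp_ok(RRSET, [LEAF]))
```

A record of the form `3 1 1` pins the SHA-256 hash of the server's public key, so the match survives a certificate renewal that keeps the same key and fails when a different key is presented.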
Alongside SMTP DANE and DNSSEC, DMARC (Domain-based Message Authentication, Reporting, and Conformance) offers further protection against e-mail spoofing. Whereas DANE and DNSSEC focus on securing the e-mail connection and server authentication, DMARC verifies that incoming e-mails really come from the individuals or entities they claim to be from.