In this post, you will learn how to enable and use SMTP DANE with DNSSEC in Exchange Online.
Outbound SMTP DANE with DNSSEC has been enabled in Exchange Online since 2022; Microsoft has been rolling out inbound SMTP DANE with DNSSEC in Exchange Online since late 2024.
For a deeper understanding of DNSSEC and DANE, take a look at my earlier blog post.
How SMTP DANE with DNSSEC works
SMTP DANE is a security protocol that uses DNSSEC to verify the authenticity of the TLS certificates used to secure email transport. It protects against TLS downgrade (STARTTLS stripping) and man-in-the-middle attacks: a sending server that finds a DNSSEC-signed TLSA record for the receiving MX host must use TLS and must accept only a certificate (or public key) that matches that record, instead of the opportunistic, unauthenticated TLS that SMTP otherwise falls back to.
While SPF, DKIM, and DMARC verify the authenticity of email messages and ensure they are sent from authorized domains, SMTP DANE focuses specifically on securely establishing TLS connections between mail servers. By publishing certificate information directly in DNSSEC-signed DNS, SMTP DANE ensures that the sending mail server connects to the intended receiving mail server with verified encryption, improving the overall security of email transport.
The flow of SMTP DANE on a mail server
- Outbound SMTP DANE with DNSSEC (sending mail server): before connecting, the sending server looks up the receiving domain's MX record and the DANE TLSA records published for each MX host, validates both with DNSSEC, and then accepts only a TLS certificate (or public key) that matches one of the TLSA records.
- Inbound SMTP DANE with DNSSEC (receiving mail server): the receiving domain must publish its MX record in a DNSSEC-signed zone, and the MX host must publish DNSSEC-signed DANE TLSA records that the sending server can request.
Prerequisites
- Before you enable inbound SMTP DANE with DNSSEC in Exchange Online for a domain, you must have added the domain as an Accepted domain, and the domain status must be Healthy in the Microsoft 365 Admin Center. The domain's current MX record must have a priority of 0 or 10 and there must be no fallback or secondary MX record.
- Make sure that DNSSEC is enabled for your domain at your DNS provider. You can use the DNSSEC Analyzer from Verisign to check whether your DNS provider has DNSSEC enabled for your domain.
- You must be authorized to access Exchange Online PowerShell and to run the cmdlets.
- The domain you want to secure with inbound SMTP DANE with DNSSEC must point to an MX record such as yourdomain-com.mail.protection.outlook.com.
- To configure inbound SMTP DANE with DNSSEC for your Accepted Domain, such as yourdomain.com, ensure that:
  - If this domain is referenced in any smarthost configurations or in any connectors, you switch the smarthost name to yourdomain-com.mail.protection.outlook.com.
  - Your business partners update their connectors to yourdomain.onmicrosoft.com or yourdomain-com.mail.protection.outlook.com to avoid failures. After enabling DANE, partners can switch to the new yourdomain-com.<random>.mx.microsoft endpoint to restore the original connection.
Set up inbound SMTP DANE with DNSSEC in Exchange Online
Below is a simplified version of the implementation compared to the official Microsoft Learn documentation.
- Update the TTL of your existing MX record to the lowest value your DNS provider allows (not lower than 30 seconds). Then wait for the previous TTL to expire before proceeding, because resolvers may keep serving the old record for that long. For example, if the TTL of your existing MX record was 3600 seconds (1 hour) before you changed it, wait 1 hour before proceeding.
- Connect to Exchange Online PowerShell.
If you're using MTA-STS, set your policy mode to testing before you start, because during the cutover the MX records will not match the mx entries in your policy. Add the new yourdomain-com.<random>.mx.microsoft host to the policy's mx entries once you know it, and only after the cutover set the mode back to enforce and change the id in your _mta-sts TXT record so that senders fetch the updated policy.
- Enable DNSSEC on your accepted domain by running the cmdlet in PowerShell:
Enable-DnssecForVerifiedDomain -DomainName yourdomain.com
- Take the DnssecMxValue from the output, go to the DNS provider hosting the domain, and add a new MX record 20 yourdomain-com.<random>.mx.microsoft with the TTL set to the lowest possible value (not lower than 30 seconds). Keep the legacy record in place for now; with priority 20 the new host only receives mail when the legacy host is unavailable.
- Verify that the new MX is working via the Inbound SMTP Email test in the Microsoft Remote Connectivity Analyzer.
- Change the priority of the legacy MX record yourdomain-com.mail.protection.outlook.com from its current value to 30 (30 yourdomain-com.mail.protection.outlook.com). Wait at least a minute, and at least as long as the TTL you set.
- Change the priority of the new MX record to 0 (0 yourdomain-com.<random>.mx.microsoft). Wait again.
- Delete the legacy MX record yourdomain-com.mail.protection.outlook.com. Wait again.
- Update the TTL of the new MX record yourdomain-com.<random>.mx.microsoft to 3600 seconds (1 hour).
- Once the DNSSEC enablement is complete (check DnssecFeatureStatus with Get-DnssecStatusForVerifiedDomain), enable SMTP DANE for the same domain by running the cmdlet:
Enable-SmtpDaneInbound -DomainName yourdomain.com
- Verify that the TLSA record has been published (this can take 15-30 minutes) using the DANE Validation test in the Microsoft Remote Connectivity Analyzer.
- Check the health of your domain's MX record in the Microsoft 365 Admin Center under 'DNS Records'.
Cmdlets to get DNSSEC and SMTP DANE configuration settings in Exchange Online
# DNSSEC
$DNSSEC = Get-DnssecStatusForVerifiedDomain -DomainName yourdomain.com
$DNSSEC.DnssecFeatureStatus
$DNSSEC.ExpectedMxRecord
$DNSSEC.DnsValidation
$DNSSEC.MxValidation
# DNSSEC - MTA-STS policy validation (relevant only if you publish an MTA-STS policy)
$DNSSEC.MtaStsValidation
# SMTP DANE
Get-SmtpDaneInboundStatus -DomainName yourdomain.com
Check the TLSA record
The TLSA records are published under the name _25._tcp.<MX host>, so for your domain they are listed at _25._tcp.yourdomain-com.<random>.mx.microsoft. Note that this name lives in Microsoft's DNSSEC-signed mx.microsoft zone: Microsoft publishes and rotates the TLSA records for its MX hosts, and you do not add any TLSA record to your own zone. Your zone needs DNSSEC only so that the MX record pointing at that host can be validated by the sending server.
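To see what the sending side in the flow described earlier actually does with that record, here is an added example, not code from the original post or from Microsoft, that fetches the certificate an MX host presents after STARTTLS and checks it against a TLSA record you looked up yourself (for example with dig TLSA _25._tcp.yourdomain-com.<random>.mx.microsoft +short). It assumes PowerShell 7.2 or later (for ExportSubjectPublicKeyInfo) and outbound TCP/25 for the live check; the offline demonstration uses a constructed self-signed certificate standing in for the MX host's certificate, and the usage 3 / selector 1 / matching type 1 layout is the TLSA form the example assumes Microsoft publishes.

```powershell
# Added example (not from the original post or from Microsoft): DANE check of an MX host.
# Assumes PowerShell 7.2+ (.NET 5+ for PublicKey.ExportSubjectPublicKeyInfo).

function Get-SmtpStartTlsCertificate {
    param([Parameter(Mandatory)][string] $MxHost, [int] $Port = 25, [string] $EhloName = 'dane-check.invalid')
    $client = [System.Net.Sockets.TcpClient]::new($MxHost, $Port)
    $net    = $client.GetStream()
    $reader = [System.IO.StreamReader]::new($net, [System.Text.Encoding]::ASCII)
    $writer = [System.IO.StreamWriter]::new($net, [System.Text.Encoding]::ASCII)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    # A multi-line SMTP reply ends with a line whose 3-digit code is followed by a space.
    $readReply = { do { $line = $reader.ReadLine() } until ($null -eq $line -or $line -match '^\d{3}( |$)'); $line }
    $null = & $readReply                                             # 220 banner
    $writer.WriteLine("EHLO $EhloName")
    $ehlo = & $readReply
    if ("$ehlo" -notmatch '^250') { throw "EHLO rejected: $ehlo" }
    $writer.WriteLine('STARTTLS')
    $reply = & $readReply
    if ("$reply" -notmatch '^220') { throw "STARTTLS not offered or stripped: $reply" }   # downgrade shows up here
    # Accept any chain here: with DANE-EE the TLSA comparison below is the trust decision, not the WebPKI.
    $ssl = [System.Net.Security.SslStream]::new($net, $false, ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback]))
    $ssl.AuthenticateAsClient($MxHost)
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    $ssl.Dispose(); $client.Dispose()
    return $leaf
}

function Get-TlsaDigestHex {
    param($Certificate, [int] $Selector, [int] $MatchingType)
    # Selector 0 = whole certificate (DER); 1 = SubjectPublicKeyInfo, which survives renewals that keep the key.
    if ($Selector -eq 0)     { $data = $Certificate.RawData }
    elseif ($Selector -eq 1) { $data = $Certificate.PublicKey.ExportSubjectPublicKeyInfo() }
    else                     { throw "unsupported selector $Selector" }
    # Matching type 0 = raw bytes, 1 = SHA-256, 2 = SHA-512.
    if ($MatchingType -eq 0)     { $digest = $data }
    elseif ($MatchingType -eq 1) { $digest = [System.Security.Cryptography.SHA256]::Create().ComputeHash($data) }
    elseif ($MatchingType -eq 2) { $digest = [System.Security.Cryptography.SHA512]::Create().ComputeHash($data) }
    else                         { throw "unsupported matching type $MatchingType" }
    -join ($digest | ForEach-Object { $_.ToString('x2') })
}

function Test-TlsaMatch {
    param([Parameter(Mandatory)][string] $TlsaRecord,   # "usage selector matching hex", as printed by dig
          [Parameter(Mandatory)] $Certificate)
    $usage, $selector, $matching, $hex = $TlsaRecord.Trim() -split '\s+', 4
    $expected = ($hex -replace '\s', '').ToLowerInvariant()      # dig may split the hex into several words
    $actual   = Get-TlsaDigestHex -Certificate $Certificate -Selector ([int]$selector) -MatchingType ([int]$matching)
    [pscustomobject]@{
        Usage    = [int]$usage     # 3 = DANE-EE: the presented end-entity certificate/key itself is the trust anchor
        Expected = $expected
        Actual   = $actual
        Match    = ($actual -eq $expected)
    }
}

# Offline demonstration with a constructed self-signed certificate (stands in for the MX host's certificate).
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new('CN=demo-mx.example', $rsa,
           [System.Security.Cryptography.HashAlgorithmName]::SHA256, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$demoCert  = $req.CreateSelfSigned([DateTimeOffset]::UtcNow, [DateTimeOffset]::UtcNow.AddDays(1))
$published = '3 1 1 ' + (Get-TlsaDigestHex -Certificate $demoCert -Selector 1 -MatchingType 1)   # what the host owner would publish
Test-TlsaMatch -TlsaRecord $published -Certificate $demoCert
Test-TlsaMatch -TlsaRecord ('3 1 1 ' + ('0' * 64)) -Certificate $demoCert                        # a stale record, as after a key rotation

# Live check (needs outbound TCP/25): paste the record printed by
#   dig TLSA _25._tcp.yourdomain-com.<random>.mx.microsoft +short
# $cert = Get-SmtpStartTlsCertificate -MxHost 'yourdomain-com.<random>.mx.microsoft'
# Test-TlsaMatch -TlsaRecord '3 1 1 <hex from dig>' -Certificate $cert
```

The first Test-TlsaMatch call demonstrates a record derived from the presented key and the second a record that no longer corresponds to it; the Match property is the only thing a DANE-enforcing sender cares about, which is why the SslStream callback deliberately ignores the WebPKI chain. The example does not validate DNSSEC itself: it trusts whatever you paste from dig, so run the lookup through a validating resolver (or check the ad flag in dig's output) before relying on the result.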
Activate TLS Reporting (TLSRPT)
TLS Reporting (TLSRPT, RFC 8460) is a standard that lets sending mail servers report back to a domain how their TLS sessions to its MX hosts fared, including sessions that could not be established securely because MTA-STS or DANE validation failed.
Implementation of TLSRPT
- Log in to your DNS hosting provider's management console.
- Add a new TXT record with the following details:
Host | Type | Value
---|---|---
_smtp._tls.example.com | TXT | v=TLSRPTv1; rua=mailto:tlsrpt@example.com
TLSRPT report handling
If a sending mail server has trouble securely delivering mail to your domain, it uses your TLSRPT record to find out where to send a report about the problem; reports also count the sessions that succeeded. Reports are delivered to the rua address as a JSON document (usually as a gzip-compressed attachment, per RFC 8460), and each policy entry in the report carries a summary object whose counters tell you whether TLS sessions failed or succeeded:
"summary":{"total-successful-session-count":1,"total-failure-session-count":0}
When a report shows failures, look at the failure-details entries next to the summary: result types such as tlsa-invalid, dnssec-invalid or dane-required point at a problem on the DANE/DNSSEC side rather than with the certificate chain.