In this post, you will learn how to enable and use SMTP DANE with DNSSEC in Exchange Online.

While outbound SMTP DANE with DNSSEC has been enabled in Exchange Online since 2022, Microsoft has been rolling out inbound SMTP DANE with DNSSEC in Exchange Online since late 2024.

For a deeper understanding of DNSSEC and DANE, take a look at my earlier blog post.

How SMTP DANE with DNSSEC works

SMTP DANE is a security mechanism that uses DNSSEC to allow the sending (outbound) mail server to verify the TLS certificate of the receiving (inbound) mail server. This helps ensure that TLS connections between mail servers cannot be intercepted or downgraded, protecting against attacks such as TLS downgrade and man-in-the-middle attacks.

The flow of SMTP DANE on a mail server

  • Outbound SMTP DANE with DNSSEC (sending mail server): requests the DANE TLSA records for the receiving domain’s MX host.
  • Inbound SMTP DANE with DNSSEC (receiving mail server): requires DNSSEC and publishes DANE TLSA records that the sending mail server can request.
  • TLS Reporting (TLSRPT): if the sending mail server encounters issues delivering an email, it can use the receiving server’s TLSRPT record to find out where to report the problem or to confirm that the TLS session was successfully established.


Prerequisites

  • Before you enable inbound SMTP DANE with DNSSEC in Exchange Online for a domain, you must have added the domain as an Accepted domain and the domain status must be Healthy in the Microsoft 365 Admin Center. The current domain’s MX record must have a priority of 0 or 10 and must not have a fallback or secondary MX record.

  • Make sure that DNSSEC is enabled for your domain at your DNS provider.

    • You can use the DNSSEC Analyzer from VeriSign to check whether your DNS provider has DNSSEC enabled for your domain.
  • You must be authorized to access Exchange Online PowerShell and to run the cmdlets.

  • The domain you want to secure with inbound SMTP DANE with DNSSEC must reference an MX record such as yourdomain-com.mail.protection.outlook.com.

  • To configure inbound SMTP DANE with DNSSEC for your Accepted Domain, such as yourdomain.com, ensure that:

    • If this domain is referenced in any smarthost configurations or in any connectors, you need to switch the smarthost name to tenantname.mail.protection.outlook.com.
    • Your business partners update their connectors to tenantname.onmicrosoft.com or tenantname.mail.protection.outlook.com to avoid failures. After enabling DANE, partners can switch to the new yourdomain-com.<random>.mx.microsoft endpoint to restore the original connection.

Set up inbound SMTP DANE with DNSSEC in Exchange Online

Below is a simplified version of the implementation compared to the official Microsoft Learn documentation.

  1. Update the TTL of your existing MX record to the lowest possible value (not lower than 30 seconds). Then, wait for the previous TTL to expire before proceeding. For example, if the TTL of your existing MX record was 3600 seconds or 1 hour before you changed it, you need to wait 1 hour before proceeding.

  2. Connect to Exchange Online PowerShell.

If you’re using MTA-STS, you’ll need to set your policy mode to testing during configuration, and set it back to enforced after configuration.

  3. Enable DNSSEC on your accepted domain by running the cmdlet in PowerShell: Enable-DnssecForVerifiedDomain -DomainName yourdomain.com

  4. Take the DnssecMxValue value, navigate to the DNS registrar hosting the domain, add a new MX record: 20 yourdomain-com.<random>.mx.microsoft and set the TTL to the lowest possible value (not lower than 30 seconds).

  5. Verify that the new MX is working via the Inbound SMTP Email test.

  6. Change the priority of the legacy MX record yourdomain-com.mail.protection.outlook.com from the current priority to 30 (30 yourdomain-com.mail.protection.outlook.com).

Wait a minute

  7. Change the priority of the new MX record to 0 (0 yourdomain-com.<random>.mx.microsoft).

Wait a minute

  8. Delete the legacy MX record yourdomain-com.mail.protection.outlook.com.

Wait a minute

  9. Update the TTL for the new MX record yourdomain-com.<random>.mx.microsoft to 3600 seconds or 1 hour.

  10. Enable SMTP DANE for that same domain once the DNSSEC enablement is complete by running the cmdlet: Enable-SmtpDaneInbound -DomainName yourdomain.com

  11. Verify that the TLSA record has been propagated (this can take 15-30 minutes) by using the DANE Validation in Microsoft Remote Connectivity Analyzer.

  12. Check the health of your domain’s MX record in the Microsoft 365 Admin Center under ‘DNS Records’.
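As an added example (not part of the original post), the following Python script checks a domain’s MX record set against the prerequisites above (exactly one MX at priority 0 or 10 pointing at mail.protection.outlook.com) and against the expected end state of the cutover (a single priority-0 *.mx.microsoft record with a 3600-second TTL). The sample records, the helper names and the regular expression used for the <random> label are assumptions; in practice you would feed it the answer of an MX lookup for your domain.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class MxRecord:
    priority: int
    host: str   # MX target host name
    ttl: int    # seconds

LEGACY_SUFFIX = ".mail.protection.outlook.com"
# Assumed shape of the DNSSEC-signed endpoint: yourdomain-com.<random>.mx.microsoft
DANE_PATTERN = re.compile(r"^[a-z0-9-]+\.[a-z0-9-]+\.mx\.microsoft$")

def check_prerequisites(records):
    """Return the problems that block enabling inbound DANE (empty list = ready)."""
    problems = []
    if len(records) != 1:
        problems.append(f"expected exactly one MX record, found {len(records)}")
    for r in records:
        host = r.host.lower().rstrip(".")
        if r.priority not in (0, 10):
            problems.append(f"{host}: priority must be 0 or 10, is {r.priority}")
        if not host.endswith(LEGACY_SUFFIX):
            problems.append(f"{host}: not an Exchange Online MX host")
    return problems

def check_final_state(records, ttl=3600):
    """Return the problems with the post-cutover MX set (empty list = done)."""
    problems = []
    if len(records) != 1:
        problems.append(f"expected exactly one MX record, found {len(records)}")
    for r in records:
        host = r.host.lower().rstrip(".")
        if host.endswith(LEGACY_SUFFIX):
            problems.append(f"{host}: legacy MX record still present")
        elif not DANE_PATTERN.match(host):
            problems.append(f"{host}: not a *.mx.microsoft endpoint")
        if r.priority != 0:
            problems.append(f"{host}: priority must be 0, is {r.priority}")
        if r.ttl != ttl:
            problems.append(f"{host}: TTL should be {ttl}, is {r.ttl}")
    return problems

# Constructed sample record sets (not real DNS answers)
BEFORE = [MxRecord(0, "yourdomain-com.mail.protection.outlook.com", 3600)]
MID_CUTOVER = [
    MxRecord(30, "yourdomain-com.mail.protection.outlook.com", 30),
    MxRecord(0, "yourdomain-com.abc123.mx.microsoft", 30),
]
AFTER = [MxRecord(0, "yourdomain-com.abc123.mx.microsoft", 3600)]
```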

Cmdlets to get DNSSEC and SMTP DANE configuration settings in Exchange Online

# DNSSEC
Get-DnssecStatusForVerifiedDomain -DomainName yourdomain.com | Select-Object DnssecFeatureStatus

# Store the full status object once and inspect its properties
$DNSSEC = Get-DnssecStatusForVerifiedDomain -DomainName yourdomain.com
$DNSSEC.ExpectedMxRecord
$DNSSEC.DnsValidation
$DNSSEC.MxValidation

# DNSSEC - MTA-STS Policy validation (check the validation only if you use an MTA-STS policy)
$DNSSEC.MtaStsValidation

# SMTP DANE
Get-SmtpDaneInboundStatus -DomainName yourdomain.com

Check the TLSA record

The TLSA records are listed in: _25._tcp.yourdomain-com.<random>.mx.microsoft


Rollback the change

Since the DNSSEC-signed mx.microsoft MX record was carefully added alongside the existing mail.protection.outlook.com MX record, you can make this change safely without worrying about inbound email interruption. If something does go wrong, the change can be rolled back by doing the following:

  1. Disable SMTP DANE: Disable-SmtpDaneInbound -DomainName yourdomain.com
  2. Create a new MX record in your public DNS with the following hostname value and set the priority to 20: yourdomain-com.mail.protection.outlook.com
  3. Make sure the MX record you created in step 2 is working by using the Microsoft Remote Connectivity Analyzer
  4. If mail flow works with the mail.protection.outlook.com MX record, run the following command: Disable-DnssecForVerifiedDomain -DomainName yourdomain.com
  5. Delete the DNSSEC MX record in your public DNS: yourdomain-com.<random>.mx.microsoft
  6. Make sure the MX record you created in step 2 is the only MX record, and that it’s set to priority 0 (highest priority)
  7. Confirm that the MX record matches the value in the Microsoft 365 Admin Center -> Settings -> Domains (first, select the domain, then, select the DNS records)

Activate TLS Reporting (TLSRPT)

TLS Reporting (TLSRPT) is a standard that provides a way to report when the TLS connection could not be established during email transmission.

Implementation of TLSRPT

  1. Log in to your DNS hosting provider’s management console.
  2. Add a new TXT record with the following details:

Host:  _smtp._tls.example.com
Type:  TXT
Value: v=TLSRPTv1; rua=mailto:tlsrpt@example.com

TLSRPT report handling

If a sending mail server is having trouble securely delivering mail to a receiving mail server, the sending mail server can use the receiving mail server’s TLSRPT record to find out where to send a report about the problem or to report a successful session.

The reports are delivered as JSON; look at the summary tag to check whether the TLS sessions failed or succeeded:

"summary":{"total-successful-session-count":1,"total-failure-session-count":0}
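As an added example (not code from the original post), the following Python function aggregates a TLSRPT report in the JSON shape described above: it reads the summary tag of every policy block, sums successful and failed sessions, and collects the result-type of each reported failure so that problems such as tlsa-invalid stand out. The embedded report is constructed for the example and the function name is an assumption.

```python
import json
from collections import Counter

# Constructed sample report in the TLSRPT JSON shape (not a real report)
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender",
    "report-id": "2025-01-01T00:00:00Z@sender.example",
    "policies": [
        {"policy": {"policy-type": "tlsa", "policy-domain": "yourdomain.com",
                    "mx-host": "yourdomain-com.abc123.mx.microsoft"},
         "summary": {"total-successful-session-count": 1,
                     "total-failure-session-count": 0}},
        {"policy": {"policy-type": "tlsa", "policy-domain": "yourdomain.com",
                    "mx-host": "yourdomain-com.abc123.mx.microsoft"},
         "summary": {"total-successful-session-count": 0,
                     "total-failure-session-count": 2},
         "failure-details": [{"result-type": "tlsa-invalid",
                              "failed-session-count": 2,
                              "sending-mta-ip": "192.0.2.10"}]},
    ],
})

def summarize_tlsrpt(report_text):
    """Aggregate one TLSRPT report: session totals, failures per policy type
    and the result-type of each failure (e.g. tlsa-invalid, dnssec-invalid)."""
    report = json.loads(report_text)
    successes = failures = 0
    per_policy, reasons = Counter(), Counter()
    for entry in report.get("policies", []):
        # The "summary" tag carries the counts; "failure-details" explains them
        summary = entry.get("summary", {})
        ok = int(summary.get("total-successful-session-count", 0))
        bad = int(summary.get("total-failure-session-count", 0))
        successes, failures = successes + ok, failures + bad
        per_policy[entry.get("policy", {}).get("policy-type", "unknown")] += bad
        for detail in entry.get("failure-details", []):
            reasons[detail.get("result-type", "unknown")] += int(
                detail.get("failed-session-count", 0))
    return {"sender": report.get("organization-name"),
            "successful": successes, "failed": failures,
            "healthy": failures == 0,
            "failures_by_policy": dict(per_policy),
            "failure_reasons": dict(reasons)}
```

A report with any non-zero failure count on a tlsa policy means a sender could not validate the TLSA record or certificate chain, so the failure_reasons entry is what to act on first.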

Reference