Microsoft Boosts Email Security with General Availability of Inbound SMTP DANE with DNSSEC
Microsoft announced the general availability of Inbound SMTP DANE with DNSSEC for Exchange Online, marking a significant step forward in email security. This powerful feature combines two robust security standards – DANE for SMTP and DNSSEC – to provide a fortified defense against sophisticated cyberattacks targeting email communications.
A Double Layer of Protection
- DNSSEC (Domain Name System Security Extensions): Safeguards DNS records from tampering using cryptographic signatures, effectively preventing DNS spoofing attacks that can redirect emails to malicious servers.
- DANE for SMTP (DNS-based Authentication of Named Entities): Leverages DNSSEC to securely publish TLS certificates for email servers, ensuring that connections are only established with legitimate servers using valid certificates. This thwarts TLS downgrade attacks that force connections to revert to insecure protocols.
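The sender-side decision these two standards enable, as an added example (not code from Microsoft or Exchange Online). The certificate and key bytes are constructed stand-ins rather than real DER, the function names are hypothetical, and only DANE-EE (usage 3) TLSA records are handled.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE: the record pins the server's own certificate
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA presentation format: 'usage selector mtype hexdata'."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex("".join(hexdata.split())))

def matches(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    selected = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 1:
        selected = hashlib.sha256(selected).digest()
    elif rr.mtype == 2:
        selected = hashlib.sha512(selected).digest()
    return hmac.compare_digest(selected, rr.data)

def delivery_decision(dnssec_validated, tlsa_rdata, starttls_offered,
                      cert_der, spki_der) -> str:
    # TLSA records count only if the resolver validated them with DNSSEC.
    records = [parse_tlsa(r) for r in tlsa_rdata] if dnssec_validated else []
    records = [r for r in records
               if r.usage == 3 and r.selector in (0, 1) and r.mtype in (0, 1, 2)]
    if not records:
        return "opportunistic"  # no secure TLSA: DANE does not apply
    # From here on TLS is mandatory, so a stripped STARTTLS cannot
    # push the session back to cleartext.
    if not starttls_offered:
        return "defer: STARTTLS not offered"
    if any(matches(r, cert_der, spki_der) for r in records):
        return "deliver"
    return "defer: certificate does not match TLSA"

# Constructed sample data (stand-ins, not real certificates).
CERT = b"constructed-certificate-der"
SPKI = b"constructed-public-key-der"
RECORD = "3 1 1 " + hashlib.sha256(SPKI).hexdigest()

if __name__ == "__main__":
    print(delivery_decision(True, [RECORD], True, CERT, SPKI))
    print(delivery_decision(True, [RECORD], False, CERT, SPKI))
    print(delivery_decision(True, [RECORD], True, CERT, b"other-key"))
```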
Benefits for Exchange Online Users
By implementing Inbound SMTP DANE with DNSSEC, Microsoft empowers Exchange Online users with:
- Enhanced Security: Strengthens email communication by validating server identities and preventing man-in-the-middle attacks where bad actors intercept and manipulate emails.
- Improved Confidentiality and Integrity: Guarantees email encryption and authenticates recipient servers, safeguarding sensitive information and protecting against domain impersonation.
- Compliance: Demonstrates adherence to industry security standards, enhancing email reputation and fostering trust among users.
Expanding Email Security for All
This release complements the Outbound SMTP DANE with DNSSEC feature launched in 2022, completing Exchange Online’s comprehensive support for DANE. Microsoft is actively rolling out this feature across all Outlook and Hotmail domains, with full implementation expected by the end of 2024.
Microsoft’s commitment to email security is further underscored by its roadmap for upcoming enhancements, including a report in the Exchange admin center covering Inbound SMTP DANE with DNSSEC and MTA-STS, mandatory Outbound SMTP DANE, and the transition of mail records to DNSSEC-enabled infrastructure.