Next-Level Email Security: SMTP DANE and DNSSEC for Exchange Online

This entry is part 1 of 2 in the series Email encryption

Introduction to SMTP DANE and DNSSEC

What is DNSSEC?
DNSSEC is a security extension of DNS, designed to protect against attacks like DNS spoofing or cache poisoning. It ensures that DNS responses are authentic by using digital signatures, allowing DNS resolvers to verify that the information has not been altered during transmission.

What is SMTP DANE?
DANE (DNS-based Authentication of Named Entities) is a protocol that enhances the security of SMTP (Simple Mail Transfer Protocol) by using DNSSEC to publish and verify certificates for encrypted mail delivery (TLS). DANE ensures that the email communication between mail servers is encrypted and trusted, reducing the risk of MITM (Man-in-the-middle) attacks.

How to verify that the domain names you already use for SMTP are configured correctly:

Go to DNSSEC Debugger (verisignlabs.com)

Enter your domain name and make sure every step shows a green check mark.

Now let's talk about the role that DNSSEC plays.

The Role of DNSSEC in Securing DNS Queries

Prevents DNS Spoofing:
Without DNSSEC, attackers can exploit vulnerabilities in the DNS system to redirect users to malicious websites. In Exchange Online, DNSSEC ensures that DNS queries for MX records and other critical mail-related DNS records are accurate and unaltered.

Enables Trustworthy Communication in Exchange Online:
Exchange Online can use DNSSEC-validated DANE records to establish secure SMTP connections, ensuring that emails are delivered through the intended, secure server.

If that all checks out, and we know the DNS records cannot be tampered with, it is time to bring SMTP DANE into the equation.

SMTP DANE, as defined in RFC 7672, uses a TLSA (Transport Layer Security Authentication) record in a domain’s DNS to signal that the domain and its mail servers support DANE. If there’s no TLSA record, mail flow continues normally without any DANE checks. The TLSA record not only confirms TLS support but also publishes the DANE policy for that domain. This allows sending servers to authenticate legitimate receiving servers via DANE, providing strong protection against MITM and downgrade attacks. Since DANE relies on DNSSEC, which digitally signs DNS records using public key cryptography, it ensures that DNS lookups are secure and unaltered. These DNSSEC checks happen on recursive DNS resolvers, which verify that the records haven’t been tampered with.

For this article I will assume your email is hosted in M365, where Microsoft is responsible for the TLSA record. If it is not, read here on how to set up your own TLSA records:

https://learn.microsoft.com/en-us/purview/how-smtp-dane-works#what-are-the-components-of-dane

Why SMTP DANE and DNSSEC Matter for Your Organization’s Email Security

Improves Trust in Email Communication:
SMTP DANE with DNSSEC ensures that the server you are communicating with is authenticated, enhancing trust in email communication by using validated certificates.

Prevents Phishing and Spoofing Attacks:
Attackers cannot spoof DNS records or present fraudulent certificates when DNSSEC and DANE are implemented, mitigating phishing attempts and email spoofing.

So let's go ahead and enable it.

Remember this is still a preview feature.

Also be aware of the limitations and possible implications with third-party email gateways: https://learn.microsoft.com/en-us/purview/how-smtp-dane-works#limitations

How to enable DNSSEC in O365

For the domain that you want to enable SMTP DANE with DNSSEC for, you first need to enable DNSSEC on the domain by running the following command (replace “domain” with the name of your chosen domain, for example test.com): Enable-DnssecForVerifiedDomain -DomainName domain

Copy the “DnssecMxValue” from step 3, go to your DNS registrar’s site where the domain is hosted, and create a new MX record using that value. Set the TTL to the lowest allowed value (but no less than 30 seconds), and assign a priority of 20 to the new MX record.

Why 20?

The priority is set to 20 so that it doesn’t interfere with the existing MX records while you’re testing. By assigning a higher priority number (since lower numbers have higher priority in MX records), you can keep your current MX record active and functional. This allows you to run tests using the new MX record (with priority 20) in tools like the connectivity analyzer without disrupting normal mail flow. Once the tests are successful, you can adjust the priorities as needed.

Now go to the analyzer (https://testconnectivity.microsoft.com/tests/O365InboundSmtp/input) and test the DNSSEC setting by expanding the Test Steps and verifying that the Mail Exchanger ending in mx.microsoft was tested successfully. You may have to retry this test, depending on DNS caching.

If everything checks out, you can now delete the old MX record, and remember to change the priority of the mx.microsoft record to 0.

After you have deleted the legacy records go ahead and enable SMTP DANE in the tenant.

It is done with this command: Enable-SmtpDaneInbound -DomainName <DomainName>

Now get yourself a cup of mocha, as the TLSA propagation can take somewhere between 5 and 15 minutes.

After the coffee, go ahead and run the full DANE test in the analyzer.

The result should look something like this
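The whole enablement sequence above, scripted so that the two order-sensitive points are enforced (the legacy MX is only touched once the new mx.microsoft record is visible in public DNS, and SMTP DANE is only enabled after that). This is an added example, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and that the Get-DnssecStatusForVerifiedDomain and Get-SmtpDaneInboundStatus cmdlets exist as documented by Microsoft (they are not shown in the post), and the 15-minute wait for MX visibility is an assumed limit.

```powershell
# Added example: drive the Exchange Online DNSSEC + SMTP DANE steps in order.
# Assumes ExchangeOnlineManagement; Get-DnssecStatusForVerifiedDomain and
# Get-SmtpDaneInboundStatus are assumed from Microsoft's documentation.
param([Parameter(Mandatory)][string]$DomainName)

Connect-ExchangeOnline

# Step 1: enable DNSSEC and read back the MX host Microsoft expects you to publish.
Enable-DnssecForVerifiedDomain -DomainName $DomainName
$dnssecMx = (Get-DnssecStatusForVerifiedDomain -DomainName $DomainName).DnssecMxValue
Write-Host "Create an MX record for $DomainName -> '$dnssecMx' with priority 20 (lowest TTL, >= 30 s), then press Enter."
Read-Host | Out-Null

# Returns $true once the expected MX host is published with the expected preference.
function Test-DnssecMxPublished {
    param([string]$Domain, [string]$ExpectedHost, [int]$ExpectedPreference = 20)
    $records = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop
    $match = $records | Where-Object {
        $_.Type -eq 'MX' -and
        $_.NameExchange.TrimEnd('.') -ieq $ExpectedHost.TrimEnd('.') -and
        $_.Preference -eq $ExpectedPreference
    }
    return [bool]$match
}

# Step 2: poll public DNS (respecting caching) before the legacy MX is removed.
$deadline = (Get-Date).AddMinutes(15)   # assumed limit, not from the post
while (-not (Test-DnssecMxPublished -Domain $DomainName -ExpectedHost $dnssecMx)) {
    if ((Get-Date) -gt $deadline) {
        throw "MX '$dnssecMx' not visible after 15 minutes; check the registrar entry and TTL."
    }
    Start-Sleep -Seconds 30
}
Write-Host "New MX is visible. Run https://testconnectivity.microsoft.com/tests/O365InboundSmtp/input now."
Write-Host "When it passes, delete the legacy MX, set '$dnssecMx' to priority 0, and press Enter."
Read-Host | Out-Null

# Step 3: enable SMTP DANE only after the legacy MX is gone; TLSA takes 5-15 minutes to propagate.
Enable-SmtpDaneInbound -DomainName $DomainName
Get-SmtpDaneInboundStatus -DomainName $DomainName
```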

Conclusion

In conclusion, implementing SMTP DANE and DNSSEC in Exchange Online is like putting an iron-clad lock on your email security. By securing your DNS and ensuring encrypted, authenticated connections between mail servers, you’re not just protecting against today’s threats, but also future-proofing your organization against increasingly sophisticated attacks. With these technologies in place, you can confidently trust that your emails are safe, secure, and out of the hands of cybercriminals. So, why wait? It’s time to take your email security to the next level!
