Microsoft is rolling out inbound SMTP DANE with DNSSEC for Exchange Online in public preview, a new capability to boost email integrity and security.

As the Exchange team explained on Wednesday, DNS-based Authentication of Named Entities (DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) work together to defend against downgrade and man-in-the-middle (MiTM) attacks.

The SMTP DANE security protocol utilizes a TLS Authentication (TLSA) DNS record to verify the identity of destination mail servers and the authenticity of the certificates used for securing email communication.

This ensures secure connections between sending and receiving servers and helps prevent TLS-downgrade attacks and MiTM attacks, where malicious actors monitor or alter communications.

On the other hand, the DNSSEC DNS extensions provide cryptographic verification of DNS records during transit, preventing spoofing, hijacking, and interception of email messages.

Once enabled in Exchange Online, Inbound SMTP DANE with DNSSEC will protect email domains from impersonation, ensure that messages are delivered to the intended recipients using encryption without being altered or redirected, and enhance email reputation through compliance with the latest security standards.

The Exchange Team shared a rollout roadmap which says that the new capability will be deployed across all Outlook domains in late 2024:

• August 2024 – Inbound SMTP DANE with DNSSEC and MTA-STS report in the Exchange admin center
• October 2024 – General Availability of Inbound SMTP DANE with DNSSEC
• End of 2024
  • Deploying Inbound SMTP DANE with DNSSEC for all Outlook domains
  • Transition provisioning of mail records for all newly created Accepted Domains into DNSSEC-enabled infrastructure underneath *.mx.microsoft
• February 2025 – Mandatory Outbound SMTP DANE, set per-tenant/per-remote domain

Microsoft will provide this new capability to enterprise and home customers for free and says it’s already enabled for some Outlook domains.

“We urge other email providers and domain owners to adopt these standards and collectively raise the bar for email security and protect users from malicious actors,” the Exchange Team said.

“We have already implemented inbound SMTP DANE with DNSSEC for several Outlook email domains, and we will complete the implementation for remaining Outlook domains (including Hotmail) by the end of 2024.”

After this new capability goes live, Microsoft will complete Exchange Online’s support for SMTP DANE with DNSSEC since outbound SMTP DANE with DNSSEC has been supported since March 2022.

The company initially announced in September 2023 that this public preview would roll out from March to July 2024. However, it was forced to delay it because of “necessary security investments” identified during the Private Preview stage.