Exchange Online strengthens email security with full support for DANE and DNSSEC

Microsoft has once again improved email security within Exchange Online by providing full support for DANE (DNS-based Authentication of Named Entities) and DNSSEC (Domain Name System Security Extensions). This implementation, rolled out in two phases, increases the protection of both inbound and outbound e-mail communications against various threats, such as man-in-the-middle attacks and DNS manipulation.

What are DANE and DNSSEC?

DNSSEC is a set of DNS extensions that adds digital signatures to DNS records, so that a validating resolver can detect when DNS data has been manipulated in transit or in a cache. This defeats attacks such as DNS spoofing and cache poisoning, in which an attacker injects forged DNS records (for example a fake MX or A record) to redirect traffic to a server under their control. DNSSEC does not encrypt DNS traffic; it provides cryptographic proof that the answer a resolver receives is authentic and unchanged, and that a negative answer ("no such record") is genuine.

DANE builds on DNSSEC: a domain owner publishes TLSA records in DNS (for SMTP, under _25._tcp.<mx hostname>) that bind a mail server's TLS certificate or public key, usually as a SHA-256 hash, to that host name. Because the TLSA record is DNSSEC-signed, a sending server can check the certificate the receiving MX presents during STARTTLS against the published record before it hands over mail, and refuse delivery if the certificate does not match instead of falling back to an unverified or unencrypted session. This removes the man-in-the-middle and downgrade attacks that plain opportunistic TLS cannot stop.
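The TLSA binding described above, worked through in code. This is an added example, not Microsoft's or Exchange Online's implementation: it builds a minimal DER "certificate" with a dummy key (constructed test data, not a real signed X.509 certificate), derives the TLSA association data for the usual 3 1 1 form (DANE-EE, SubjectPublicKeyInfo, SHA-256), and then checks a presented certificate against a list of records the way a DANE-enforcing sender would. The host name mx.example.test is an assumption; in practice the certificate would be the DER blob the MX presents in STARTTLS and the records would come from a DNSSEC-validated lookup. It also shows why selector 1 (SPKI) is preferred over selector 0 (full certificate): a pin on the public key survives a certificate renewal with the same key pair, a pin on the whole certificate does not.

```python
import hashlib

# Constructed example: a minimal DER encoder/decoder and a hand-built
# "certificate" with a dummy key. Not a real signed X.509 certificate;
# in practice you would take the DER certificate the MX presents in STARTTLS.
SEQ, SET, INT, BITSTR, NULL, OID, UTF8, UTCTIME = 0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17
OID_CN = bytes.fromhex("550403")                      # id-at-commonName
OID_RSA = bytes.fromhex("2A864886F70D010101")         # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")  # sha256WithRSAEncryption


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_cert(spki: bytes, serial: int, not_after: bytes, signature: bytes) -> bytes:
    """Assemble Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    for the assumed host mx.example.test (issuer == subject, dummy signature bytes)."""
    name = der(SEQ, der(SET, der(SEQ, der(OID, OID_CN) + der(UTF8, b"mx.example.test"))))
    sig_alg = der(SEQ, der(OID, OID_SHA256_RSA) + der(NULL, b""))
    validity = der(SEQ, der(UTCTIME, b"250101000000Z") + der(UTCTIME, not_after))
    serial_der = der(INT, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    tbs = der(SEQ, der(0xA0, der(INT, b"\x02"))   # [0] EXPLICIT version v3
              + serial_der + sig_alg + name + validity + name + spki)
    return der(SEQ, tbs + sig_alg + der(BITSTR, b"\x00" + signature))


def extract_spki(cert: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo (TLSA selector 1) from a certificate."""
    _, cert_body, _ = read_tlv(cert)       # outer Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body)        # tbsCertificate SEQUENCE
    pos = 0
    tag, _, nxt = read_tlv(tbs)
    if tag == 0xA0:                        # optional explicit version field
        pos = nxt
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)         # subjectPublicKeyInfo
    return tbs[pos:end]


def tlsa_association(cert: bytes, selector: int, matching: int) -> bytes:
    """Certificate association data per RFC 6698: selector 0 = full certificate,
    1 = SPKI; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = cert if selector == 0 else extract_spki(cert)
    if matching == 0:
        return data
    if matching == 1:
        return hashlib.sha256(data).digest()
    if matching == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_record(cert: bytes, usage: int = 3, selector: int = 1, matching: int = 1) -> str:
    """Presentation form of the TLSA RDATA; 3 1 1 (DANE-EE, SPKI, SHA-256) is the usual choice."""
    return f"{usage} {selector} {matching} {tlsa_association(cert, selector, matching).hex()}"


def dane_accepts(cert: bytes, records: list) -> bool:
    """Called only when DNSSEC-validated TLSA records exist for the MX. True if the
    presented end-entity certificate matches any DANE-EE (usage 3) record; usage 2
    (DANE-TA) would need the issuer chain and is not handled here. A False result
    means: do not deliver, and do not fall back to opportunistic TLS."""
    for rec in records:
        usage, selector, matching, data = rec.split()
        if int(usage) != 3:
            continue
        if tlsa_association(cert, int(selector), int(matching)).hex() == data.lower():
            return True
    return False


def demo() -> dict:
    """Constructed scenario: publish records for the 2025 cert, renew with the same key,
    and have an attacker present a certificate for the same name with a different key."""
    key_2025 = der(SEQ, der(SEQ, der(OID, OID_RSA) + der(NULL, b"")) + der(BITSTR, b"\x00" + bytes(range(1, 33))))
    key_other = der(SEQ, der(SEQ, der(OID, OID_RSA) + der(NULL, b"")) + der(BITSTR, b"\x00" + bytes(range(33, 65))))
    cert_2025 = build_cert(key_2025, 1, b"260101000000Z", b"\x11" * 32)
    cert_2026 = build_cert(key_2025, 2, b"270101000000Z", b"\x22" * 32)   # renewed, same key pair
    attacker = build_cert(key_other, 3, b"270101000000Z", b"\x33" * 32)   # same name, different key
    spki_rec = tlsa_record(cert_2025)                 # "3 1 1 <sha256 of SPKI>"
    full_rec = tlsa_record(cert_2025, selector=0)     # "3 0 1 <sha256 of whole cert>"
    return {
        "record": spki_rec,
        "spki_pin_survives_renewal": dane_accepts(cert_2026, [spki_rec]),
        "full_cert_pin_survives_renewal": dane_accepts(cert_2026, [full_rec]),
        "attacker_cert_accepted": dane_accepts(attacker, [spki_rec, full_rec]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The operational lesson is the last two results: a 3 1 1 record keeps matching after a renewal that reuses the key pair, whereas a 3 0 1 record stops matching and DANE-capable senders such as Exchange Online will refuse delivery until the TLSA record is updated. Rotating the key requires publishing the new record alongside the old one before the new certificate goes live.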

Why are DANE and DNSSEC important for email security?

Traditionally, e-mail transport security relies on opportunistic TLS: the sending server issues STARTTLS if the receiving server advertises it, but falls back to an unencrypted connection when TLS is not offered, and usually does not verify the server certificate at all. An on-path attacker can therefore strip the STARTTLS offer from the SMTP banner or present their own certificate, and the mail is still delivered.

With DANE and DNSSEC, this problem is solved by:

  • Email server authentication – The sender verifies the certificate of the receiving MX against the TLSA record published by the domain owner, so it knows it is talking to the legitimate server.
  • Protection against downgrade attacks – To domains that publish DNSSEC-signed TLSA records, mail is only delivered over a TLS connection whose certificate matches the record; if TLS is stripped or the certificate does not match, delivery is refused rather than downgraded.
  • Trustworthy DNS answers – DNSSEC ensures the MX and TLSA records the sender relies on have not been forged or altered.

Rollout in two phases

  1. Outbound email (Outbound SMTP DANE with DNSSEC) In February 2022, Microsoft began implementing DANE and DNSSEC for outbound email in Exchange Online. This feature is enabled by default for all Exchange Online customers and requires no additional configuration. Mail to domains whose MX hosts are properly configured with DANE and DNSSEC is validated and delivered only over a matching TLS connection. If the receiving domain does not publish TLSA records, delivery falls back to opportunistic TLS.
  2. Inbound e-mail (Inbound SMTP DANE with DNSSEC) As of July 2024, support for inbound e-mail with DANE and DNSSEC was made available in a public preview. In April 2025, this feature became generally available, providing Exchange Online with full support for both inbound and outbound email security with DANE and DNSSEC.

Benefits for Exchange Online users

  • Better protection against downgrade attacks: Mail to and from DANE-enabled domains is only exchanged over a TLS connection whose certificate matches the published TLSA record.
  • Enhanced server authentication: The identity of the mail server is validated against a DNSSEC-signed record, making it significantly more difficult for attackers to impersonate a legitimate server.
  • Enhanced integrity and confidentiality in transit: Messages between DANE-enabled servers cannot be read or altered by an on-path attacker.
  • Alignment with industry standards: Enforced transport encryption helps organizations meet requirements such as those in the GDPR and NIST guidelines on protecting data in transit.

Important points of interest

  • Correct configuration essential: For optimal security, both sending and receiving domains must implement DANE and DNSSEC correctly. A TLSA record that no longer matches the certificate on the MX (for example after a certificate renewal with a new key, or a record that pins the full certificate rather than the public key) causes DANE-capable senders to refuse delivery, so records must be updated before a new certificate goes live.
  • Use of diagnostic tools: Microsoft offers the DANE and DNSSEC Validation test in the Remote Connectivity Analyzer, which checks the DNSSEC chain and the TLSA records of a domain's MX hosts and helps detect and resolve configuration issues.
  • Mandatory mode: Microsoft has announced that, starting May 2025, outbound SMTP DANE can be mandated per tenant and per external domain. With this enforced, mail to a domain that fails DANE validation is no longer delivered over a fallback connection, so organizations should verify the DANE status of their important partner domains before enabling it to avoid operational disruptions.

Conclusion

The addition of DANE and DNSSEC to Exchange Online is a significant step forward in email security. Are you working with Exchange Online? Then it is recommended that you actively implement and properly configure these security options for both incoming and outgoing e-mail. This will ensure that your organization remains optimally protected against modern threats and that you meet the latest guidelines and compliance requirements in email security.