Exchange Online adds Inbound DANE with DNSSEC for everyone
Microsoft announced today that inbound SMTP DANE with DNSSEC for Exchange Online, a new capability to boost email security and integrity, is now generally available.
The company announced in September 2023 a public preview that would roll out from March to July 2024. However, it was forced to delay it because of "necessary security investments" identified during the Private Preview stage, and the public preview started this July.
Redmond will provide this new capability to home and enterprise customers for free and says it has already been enabled for some Outlook domains.
"Inbound SMTP DANE with DNSSEC has already been implemented for several Outlook email domains, and implementation for the remaining Outlook and Hotmail domains for consumer email is expected to be completed by the end of 2024," the Microsoft 365 Messaging Team said on Monday.
With this new capability now available to all tenants, Microsoft completes Exchange Online's SMTP DANE with DNSSEC support since outbound SMTP DANE with DNSSEC has been supported since March 2022.
The Exchange Team also shared a rollout roadmap today, which reveals that Microsoft will deploy this new capability across all consumer Outlook and Hotmail domains by March 2025:
- December 2024 – Inbound SMTP DANE with DNSSEC and MTA-STS report in the Exchange admin center
- December 2024 – March 2025
- Deploying Inbound SMTP DANE with DNSSEC for all consumer Outlook and Hotmail domains (as an example – hotmail.nl)
- Transition provisioning of mail records for all newly created Accepted Domains into DNSSEC-enabled infrastructure underneath *.mx.microsoft
- May 2025 – Mandatory Outbound SMTP DANE, set per-tenant/per-remote domain
As the Exchange team explained today, Domain Name System Security Extensions (DNSSEC) and DNS-based Authentication of Named Entities (DANE) for SMTP defend against downgrade and man-in-the-middle (MiTM) attacks.
The SMTP DANE security protocol verifies the authenticity of the certificates used to secure email communication and the identity of destination mail servers via a TLS Authentication (TLSA) DNS record. This helps block TLS downgrade and MiTM attacks (in which malicious actors alter or snoop on a target's messages) by ensuring secure connections between sending and receiving servers.
DNSSEC DNS extensions also provide cryptographic verification of DNS records during transit, thus preventing spoofing, hijacking, and interception of email messages.
Once enabled, Inbound SMTP DANE with DNSSEC will protect Exchange Online email domains from impersonation and ensure that emails are sent to the intended recipients using encryption without being redirected or modified before they reach the intended recipient.
Microsoft provides more details on implementing Inbound SMTP DANE with DNSSEC for Exchange Online mail flow in this tech community post.
Russia targets Ukrainian conscripts with Windows, Android malware
New tool bypasses Google Chrome’s new cookie encryption system
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
InformationalInformation Disclosure - Suspicious Comments
InformationalRe-examine Cache-control Directives
Free online web security scanner
