Inbound SMTP DANE (DNS-Based Authentication of Named Entities) is a security protocol designed to secure email communication by ensuring the authenticity of the receiving mail server’s encryption certificates when emails are delivered via the Simple Mail Transfer Protocol (SMTP).

By default, SMTP doesn’t guarantee encryption, which makes it vulnerable to man-in-the-middle attacks. To secure email communication, SMTP can use STARTTLS, which upgrades a plain text connection to an encrypted one. However, STARTTLS by itself doesn’t verify the authenticity of the receiving mail server’s certificate, leaving it vulnerable to attacks where a malicious entity might impersonate the server.

DANE addresses this issue by enabling domain owners to publish their mail server’s encryption certificates in DNS records, which are protected by DNSSEC (Domain Name System Security Extensions). This allows sending mail servers to verify the authenticity of the receiving mail server’s certificate before establishing an encrypted connection.

In practice, the owner of the receiving domain publishes a DNSSEC-signed TLSA record for its mail server, and the sending server checks the certificate presented during the TLS handshake against that record before it delivers. This ensures that emails are delivered over an encrypted connection and that the encryption certificate is trustworthy and has not been tampered with.

How to turn on inbound SMTP DANE in Office 365

How does SMTP DANE work?

  1. The sending mail server looks up the recipient domain’s DNS records for a TLSA (Transport Layer Security Authentication) record, which contains information about the recipient’s mail server certificate.
  2. If a valid TLSA record is found, the sending server verifies the receiving server’s certificate against the DNS record.
  3. Once validated, the email is sent over an encrypted connection using TLS.
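The following is an added example, not code from the article or from Microsoft, showing the sender-side check behind step 2 in PowerShell: given the TLSA records a DNSSEC-validating resolver returned for the MX host (any response that did not validate must be treated as "no DANE") and the certificate presented in the TLS handshake, decide whether the certificate is acceptable. Only DANE-EE records (usage 3) are evaluated; DANE-TA (usage 2) needs the presented chain and is skipped. The function names and all sample values are constructed for the demo; a real MTA would take the certificate bytes from the handshake.

```powershell
# Added example, not from the article or from Microsoft: the sender-side DANE check for a
# presented certificate, implemented offline. Sample data at the bottom is constructed.

function ConvertFrom-TlsaRecord {
    # Parse the presentation form "usage selector matching-type hex-data" into fields.
    param([string]$Record)
    $parts = $Record.Trim() -split '\s+', 4
    if ($parts.Count -ne 4) { throw "Malformed TLSA record: $Record" }
    $hex = $parts[3] -replace '\s', ''          # hex data may be split by whitespace
    if ($hex.Length % 2 -ne 0) { throw "Odd-length hex data in TLSA record: $Record" }
    $bytes = [byte[]](0..($hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($hex.Substring(2 * $_, 2), 16) })
    [pscustomobject]@{
        Usage        = [int]$parts[0]   # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
        Selector     = [int]$parts[1]   # 0 full certificate, 1 SubjectPublicKeyInfo
        MatchingType = [int]$parts[2]   # 0 exact bytes, 1 SHA-256, 2 SHA-512
        Data         = $bytes
    }
}

function Get-TlsaAssociationData {
    # Reduce the certificate material to the form the record's selector and matching type compare.
    param([byte[]]$FullCert, [byte[]]$Spki, [int]$Selector, [int]$MatchingType)
    $material = switch ($Selector) {
        0 { ,$FullCert }
        1 { ,$Spki }
        default { throw "Unknown TLSA selector $Selector" }
    }
    $material = [byte[]]$material
    switch ($MatchingType) {
        0 { return $material }
        1 { return [System.Security.Cryptography.SHA256]::Create().ComputeHash($material) }
        2 { return [System.Security.Cryptography.SHA512]::Create().ComputeHash($material) }
        default { throw "Unknown TLSA matching type $MatchingType" }
    }
}

function Test-DaneMatch {
    # $true if at least one DANE-EE TLSA record matches the presented certificate.
    param([string[]]$TlsaRecords, [byte[]]$FullCert, [byte[]]$Spki)
    $matched = $false
    foreach ($line in $TlsaRecords) {
        $tlsa = ConvertFrom-TlsaRecord -Record $line
        if ($tlsa.Usage -ne 3) { continue }   # DANE-TA / PKIX usages are not handled in this demo
        $expected = [byte[]](Get-TlsaAssociationData -FullCert $FullCert -Spki $Spki -Selector $tlsa.Selector -MatchingType $tlsa.MatchingType)
        if ([BitConverter]::ToString($expected) -eq [BitConverter]::ToString([byte[]]$tlsa.Data)) {
            $matched = $true   # one good record is enough; non-matching siblings do not matter
        }
    }
    return $matched
}

# --- Demo with constructed data -----------------------------------------------------------
# Stand-ins for DER bytes. A real MTA takes these from the handshake: $cert.RawData for the
# full certificate, and the SubjectPublicKeyInfo extracted from it for selector 1.
$fullCert = [System.Text.Encoding]::ASCII.GetBytes("constructed-full-certificate-DER")
$spki     = [System.Text.Encoding]::ASCII.GetBytes("constructed-subject-public-key-info")
$spkiSha256 = ([BitConverter]::ToString([System.Security.Cryptography.SHA256]::Create().ComputeHash($spki))) -replace '-', ''

# Several records under one name, as when a provider publishes more than one TLSA record.
$records = @(
    "3 1 1 " + ("00" * 32),     # DANE-EE, SPKI SHA-256: does not match (another host's key)
    "3 1 1 $spkiSha256",        # DANE-EE, SPKI SHA-256: matches
    "2 0 1 " + ("11" * 32)      # DANE-TA: skipped by this demo
)
Write-Host ("Certificate accepted: {0}" -f (Test-DaneMatch -TlsaRecords $records -FullCert $fullCert -Spki $spki))
```

The deliberate design point is in Test-DaneMatch: a set of TLSA records passes as soon as one of them matches, so records published for other hosts or for a certificate about to be rotated do not cause a failure, which is also why errors on some of a domain's TLSA records are harmless as long as one validates.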

SMTP DANE support in Office 365

Outbound SMTP DANE has been active in Office 365 (Exchange Online) since March 2022. You can read the details here: Releasing: Outbound SMTP DANE with DNSSEC

Inbound SMTP DANE can be activated via Exchange Online PowerShell. See the details below.

How to configure inbound SMTP DANE for Exchange Online

Before you start configuring, verify that the domain you use for email, and for which you want to activate SMTP DANE, has DNSSEC active and valid. This is a basic prerequisite. If DNSSEC is not active on your domain, you need to activate DNSSEC first.

Activate DNSSEC for an authenticated domain in Exchange Online

The first configuration step is to activate DNSSEC for the domain on which you want to activate inbound SMTP DANE. Connect to Exchange Online using PowerShell.

Connect-ExchangeOnline

Activate DNSSEC for your Exchange Online verified domain.

Enable-DnssecForVerifiedDomain -DomainName "cswrld.com"

The command returns a result that should read Success. This result includes a new MX record that you will need to set up for the domain.

DnssecMxValue                   Result  ErrorData
-------------                   ------  ---------
cswrld-com.f-v1.mx.microsoft    Success

You can now see this new MX record also in the Microsoft 365 admin center. This new MX record replaces your old MX record.

Modify MTA-STS

This step is very important. If you are using MTA-STS, you must edit the MX record address in MTA-STS before you switch the MX record for the domain. If you switched the MX record at the domain without modifying MTA-STS, you would stop receiving emails. This is because the new mail server has a completely different address.

If you do not have MTA-STS active, you can skip this step. Or take advantage of it and activate MTA-STS 🙂 You can read more about MTA-STS here: How to enable MTA-STS in Office 365.

Your new MTA-STS policy should now include both MX records – the newly created MX record from the previous step and also your old MX record.

version: STSv1
mode: enforce
mx: cswrld-com.mail.protection.outlook.com
mx: cswrld-com.f-v1.mx.microsoft
max_age: 604800

Change MX records

Now you can switch MX records for your domain. Go to the DNS management for your domain and change the MX record value to the new MX record on the mx.microsoft domain generated via PowerShell in the first step.

Activate inbound SMTP DANE

It may take some time for the DNS change to take effect, depending on the TTL set on the record. After the change takes effect, you can activate inbound SMTP DANE for your domain.

Enable-SmtpDaneInbound -DomainName "cswrld.com"

You should again get a result indicating success.

Result  ErrorData
------  ---------
Success

You can test the result via the Microsoft Remote Connectivity Analyzer. It may take up to 30 minutes for the changes to take effect.

It’s okay if you see errors on some TLSA records. Microsoft publishes 4 TLSA records for each domain for high availability. As long as at least one TLSA record validates, everything works.

Modify MTA-STS

The last step is again to modify the MTA-STS file. Once you are sure that the original MX record is no longer used anywhere, it is recommended to remove that record from the MTA-STS file. The final MTA-STS for my domain is as follows.

version: STSv1
mode: enforce
mx: cswrld-com.f-v1.mx.microsoft
max_age: 604800
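The whole procedure above, with the checks that keep it from breaking mail flow, as an added example script that is neither the article's nor Microsoft's: it verifies that the zone is DNSSEC-signed (a DS record at the parent is used as the signal), enables DNSSEC for the verified domain with the cmdlet shown above, refuses to continue if a published MTA-STS policy does not yet list the new mx.microsoft host, waits until the public MX record actually points at that host, and only then enables inbound SMTP DANE. It assumes PowerShell 7 with the ExchangeOnlineManagement module and the Windows DnsClient module (Resolve-DnsName); the domain is the one from the article, and the public resolver address is an assumption you can change.

```powershell
# Added example, not the article's or Microsoft's script: guarded inbound SMTP DANE rollout for one
# Exchange Online domain. Assumes PowerShell 7, ExchangeOnlineManagement and Resolve-DnsName.
param(
    [string]$Domain   = "cswrld.com",   # domain used in the article
    [string]$Resolver = "1.1.1.1"       # public resolver to observe DNS from the outside (assumption)
)

function Test-DnssecSigned {
    # Prerequisite check: a DS record at the parent means a DNSSEC chain of trust exists for the zone.
    param([string]$Name, [string]$Server)
    $ds = Resolve-DnsName -Name $Name -Type DS -Server $Server -ErrorAction SilentlyContinue
    return [bool]($ds | Where-Object { $_.Type -eq 'DS' })
}

function Get-MtaStsPolicyMx {
    # Return the hosts listed on the "mx:" lines of the domain's MTA-STS policy (empty if none published).
    param([string]$Name)
    $uri = "https://mta-sts.$Name/.well-known/mta-sts.txt"
    try { $text = (Invoke-WebRequest -Uri $uri -ErrorAction Stop).Content }
    catch { return @() }   # no policy: MTA-STS is not in use, so there is nothing to guard
    return @($text -split "`n" | ForEach-Object { if ($_.Trim() -match '^mx:\s*(\S+)') { $Matches[1] } })
}

function Wait-MxCutover {
    # Poll public DNS until the domain's MX record points at the expected host, or give up after the timeout.
    param([string]$Name, [string]$ExpectedMx, [string]$Server, [int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $mx = Resolve-DnsName -Name $Name -Type MX -Server $Server -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'MX' } | Select-Object -ExpandProperty NameExchange
        if ($mx -contains $ExpectedMx) { return $true }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return $false
}

Connect-ExchangeOnline

if (-not (Test-DnssecSigned -Name $Domain -Server $Resolver)) {
    throw "$Domain has no DS record: sign the zone with DNSSEC before enabling DANE."
}

# Step 1: DNSSEC for the verified domain. The result carries the new MX host to publish.
$result = Enable-DnssecForVerifiedDomain -DomainName $Domain
if ($result.Result -ne 'Success') { throw "DNSSEC enablement failed: $($result.ErrorData)" }
$newMx = $result.DnssecMxValue
Write-Host "New MX host for ${Domain}: $newMx"

# Step 2: MTA-STS guard. An enforcing policy that does not list the new host would make senders
# refuse delivery as soon as the MX record changes. Wildcard "mx:" entries are honoured via -like.
$policyMx = Get-MtaStsPolicyMx -Name $Domain
if ($policyMx.Count -gt 0 -and -not ($policyMx | Where-Object { $newMx -like $_ })) {
    throw "MTA-STS policy lists [$($policyMx -join ', ')] but not $newMx. Add it (and change the policy id in the _mta-sts TXT record) before switching the MX record."
}

# Step 3: the MX change itself is done at the DNS provider; wait until it is visible publicly.
Write-Host "Change the MX record for $Domain to $newMx at your DNS provider now; waiting for propagation..."
if (-not (Wait-MxCutover -Name $Domain -ExpectedMx $newMx -Server $Resolver)) {
    throw "MX record for $Domain still does not point at $newMx; not enabling DANE."
}

# Step 4: enable inbound SMTP DANE only once the MX record points at the DANE-capable host.
$dane = Enable-SmtpDaneInbound -DomainName $Domain
if ($dane.Result -ne 'Success') { throw "Inbound DANE enablement failed: $($dane.ErrorData)" }
Write-Host "Inbound SMTP DANE enabled for $Domain. Allow up to 30 minutes, then verify with the Remote Connectivity Analyzer."
```

The ordering is the point: DNSSEC first, MTA-STS policy updated before the MX record, DANE last. Removing the old host from the MTA-STS policy is left as the manual final step from the article, since only you know when the old MX record is no longer referenced anywhere.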