July 17, 2024

Microsoft announces public preview of Inbound DANE for Exchange Online!

🎉 Finally some good news for email security! Microsoft today announced the public preview of Inbound DANE (DNS-based Authentication of Named Entities) for Exchange Online. With DANE, you can establish TLS-authenticated connections and guarantee encrypted e-mail transport. This helps prevent Man-in-the-Middle attacks on e-mail.

Here is a comprehensive blog covering the details and benefits of DANE for Exchange Online:

Benefits of DANE for Exchange Online

  • TLS Authenticated Connections:
    • Provides encrypted e-mail transport
    • Prevents Man-in-the-Middle attacks
  • Alternative to Mandatory/Mutual TLS:
    • No manual configuration required on either side per email domain
    • Easier and safer to use
  • Safer than MTA-STS:
    • MTA-STS works on a “trust on first connection” principle
    • Does not always protect against DNS attacks
    • DANE provides better security against such attacks
  • Complementary Protocols:
    • DANE can be combined with other protocols such as Mandatory/Mutual TLS and MTA-STS
    • Provides a layered security strategy

Important for Dutch Government Agencies

🚀 For Dutch government agencies, DANE is a mandatory protocol. Microsoft was under pressure to implement this because it was considered a blocking issue. Previously, it was necessary to use third-party solutions for Exchange Online to meet these requirements. Now we finally have a public implementation timeline from Microsoft.

Requirements for Using DANE

  • DNSSEC Required:
    • Your mail domain must support DNSSEC to use DANE
    • Currently DNSSEC is not supported in Azure DNS, but there may be updates that I missed
    • Personally, I use DNS domains with DNSSEC support elsewhere 🥳

Frequently Asked Questions about Inbound DANE for Exchange Online

1. What is DANE and how does it work?

DANE (DNS-based Authentication of Named Entities) is a protocol that enables TLS authentication using DNSSEC (DNS Security Extensions). It ensures that e-mail traffic is encrypted and authenticated, preventing Man-in-the-Middle attacks. By adding TLSA records to your DNS settings, recipients can verify that the encryption is legitimate and from the correct source.

2. Why is DANE more secure than MTA-STS?

DANE offers higher security because it uses DNSSEC to ensure the integrity of DNS records. This means that DANE is more resistant to DNS attacks, while MTA-STS relies on the “trust on first connection” principle, which is less robust against certain types of attacks such as DNS spoofing.

3. Do I need DNSSEC for DANE?

Yes, DNSSEC is a requirement for using DANE. Without DNSSEC, the TLSA records needed for DANE cannot be reliably verified, negating the security benefits.

4. Is DNSSEC supported in Azure DNS?

Currently, Azure DNS does not support DNSSEC. This means you must host your DNS domains with another provider that does support DNSSEC in order to use DANE.

5. Can I combine DANE with other protocols such as MTA-STS and Mandatory/Mutual TLS?

Yes, DANE is complementary to other security protocols such as MTA-STS and Mandatory/Mutual TLS. You can use them together to create a layered and robust security strategy for your e-mail traffic.

6. How do I configure DANE for my Exchange Online domain?

Configuring DANE requires you to add TLSA records to your DNS settings. This includes publishing the public keys and certificate information used by the receiving servers to authenticate your encrypted connections. Refer to your DNS provider’s and Microsoft’s documentation for detailed steps.
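
The check that questions 1, 3 and 6 describe, written out as an added example (not code from this page or from Microsoft): the sending mail server compares the certificate presented by the receiving server with the published TLSA records, and only trusts those records when the DNS answer was DNSSEC-validated. The function names and sample bytes are constructed for illustration, and only DANE-EE records (usage 3) are handled.

```python
import hashlib
from typing import NamedTuple

class TLSA(NamedTuple):
    usage: int     # 3 = DANE-EE: the record pins the server's own certificate or key
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo (public key)
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format RDATA such as '3 1 1 ab12...'."""
    usage, selector, mtype, *hex_parts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hex_parts)))

def tlsa_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Association data that a record with this selector and matching type must hold."""
    selected = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return selected
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](selected).digest()

def dane_ee_verdict(records, dnssec_validated, cert_der, spki_der) -> str:
    """Decide what the presented certificate proves, given the TLSA answer."""
    if not dnssec_validated:
        return "no-dane"           # unsigned TLSA answers prove nothing
    usable = []
    for rdata in records:
        try:
            rec = parse_tlsa(rdata)
        except ValueError:         # malformed record: skip it, keep the rest
            continue
        if rec.usage == 3 and rec.selector in (0, 1) and rec.mtype in (0, 1, 2):
            usable.append(rec)
    if not usable:
        return "no-usable-record"
    if any(tlsa_data(r.selector, r.mtype, cert_der, spki_der) == r.data for r in usable):
        return "authenticated"
    return "mismatch"              # wrong key: interception, or a rotation without a DNS update

# Constructed stand-ins for DER bytes; a real check takes them from the TLS handshake.
CERT_DER = b"constructed-certificate-der"
SPKI_DER = b"constructed-public-key-der"
PUBLISHED = ["3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()]

if __name__ == "__main__":
    print(dane_ee_verdict(PUBLISHED, True, CERT_DER, SPKI_DER))
    print(dane_ee_verdict(PUBLISHED, True, CERT_DER, b"constructed-other-key-der"))
    print(dane_ee_verdict(PUBLISHED, False, CERT_DER, SPKI_DER))
```

The "mismatch" case is why a new certificate or key has to be published in a TLSA record before the server starts presenting it.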

7. Why is DANE important for Dutch government agencies?

For Dutch government agencies, DANE is a mandatory protocol. This ensures that e-mail traffic between government agencies and other parties is secure and reliable. By implementing DANE, these agencies are complying with national security standards and guidelines.

8. What are the benefits of using DANE instead of third-party solutions?

Using DANE instead of third-party solutions provides direct integration with your existing email infrastructure without relying on external services. This reduces complexity and cost, and increases the reliability and security of your e-mail traffic.

Conclusion

DANE for Exchange Online is a major step in e-mail security, essential for organizations with high security requirements, such as Dutch government agencies. It provides secure, encrypted e-mail connections without the need for manual configurations.

🚀 Zero Trust Email Security Package 🚀

Our Zero Trust Email Security Package provides complete configuration and monitoring of DANE, combined with other security protocols such as MTA-STS and Mandatory/Mutual TLS. This package provides:

  • Automatic configuration and monitoring of DANE
  • Integration with additional security protocols
  • Continuous monitoring and rapid incident response

Stay safe and secure with our Zero Trust Email Security Package! 🚀📧
