How to Set up Inbound SMTP DANE with DNSSEC in Exchange Online


Outbound SMTP DANE with DNSSEC was switched on by Microsoft for all Exchange Online tenants in March 2022, without any action on your side. It took a couple more years before Microsoft also added it for inbound mail flow, and unlike the outbound side, inbound has to be configured per domain. In this article, you will learn how to configure Inbound SMTP DANE with DNSSEC in Exchange Online.

What are SMTP DANE and DNSSEC?

  • SMTP DANE (DNS-based Authentication of Named Entities) is a security protocol that publishes the fingerprint of a mail server's TLS certificate in DNS as a TLSA record. A sending server that supports DANE checks the receiving server's certificate against that record instead of trusting only a public CA, and it will not fall back to an unencrypted or unverified connection when a TLSA record exists, which protects against TLS downgrade attacks.
  • DNSSEC (Domain Name System Security Extensions) is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks on DNS. DANE depends on it: a sender only trusts a TLSA record that it can validate through DNSSEC, so an MX domain that is not signed gets no DANE protection.

Note: Microsoft includes Inbound SMTP DANE with DNSSEC for free as part of its efforts to improve email security for everyone. You don't have to configure Outbound SMTP DANE with DNSSEC yourself, because Exchange Online has done that for all outbound mail since March 2022.

Configure Inbound SMTP DANE and DNSSEC in Exchange Online

To set up Inbound SMTP DANE and DNSSEC in Exchange Online (Microsoft 365), follow the below steps:

Step 1. Verify domain is DNSSEC-signed

To receive the full security benefits of the feature, the domain itself must be DNSSEC-signed. That requires two things: your DNS hosting provider must sign the zone, and your registrar must publish the matching DS record in the parent zone. Check both with the Verisign DNSSEC Debugger:

  1. Go to the Verisign DNSSEC Debugger tool
  2. Fill in the domain name
  3. Press Enter
  4. Verify that every step in the chain, from the root down to your domain, shows a green checkmark

If the domain is not DNSSEC-signed, enable it at your DNS hosting provider and registrar before proceeding. If your registrar does not offer DNSSEC, move the domain to a registrar that supports it.

Step 2. Update existing MX record TTL in DNS registrar

  1. Sign in to your DNS registrar
  2. Edit the existing MX record
  3. Lower the TTL for your existing MX record to 1 minute, so that the changes in the next steps take effect quickly
  4. Ensure that your MX record priority is set to 0 or 10 (a lower number means a more preferred server, so the record you add in step 5 with priority 20 will not receive mail yet)
  5. Click Save
  6. Wait for the previous TTL to expire before proceeding. For example, if the TTL of the existing MX record was 1 hour, you must wait 1 hour before proceeding to the next step, so that no resolver still caches the record with the old TTL.

Step 3. Connect to Exchange Online PowerShell

Run PowerShell as administrator and connect to Exchange Online PowerShell with the cmdlet below.

Connect-ExchangeOnline

Step 4. Enable DNSSEC for domain

Enable DNSSEC for the domain with the command below. Exchange Online answers with a new MX host name under the Microsoft-managed, DNSSEC-signed mx.microsoft zone; that host is what your MX record will point to from now on.

Enable-DnssecForVerifiedDomain -DomainName "alitajran.com"

The below output appears.

DnssecMxValue                   Result  ErrorData
-------------                   ------  ---------
alitajran-com.k-v1.mx.microsoft Success

Step 5. Add new MX record to DNS registrar

  1. Go to your DNS registrar
  2. Create a new MX record for the same domain
  3. Copy the DnssecMxValue from the output in the previous step (the host name ending in mx.microsoft) and paste it in as the value
  4. Set the TTL to 1 minute
  5. Set the priority of the new MX record to 20, so that the existing record stays preferred until the new one has been verified
  6. Click Save

Step 6. Verify new MX record

  1. Go to the Inbound SMTP Email test in the Microsoft Remote Connectivity Analyzer
  2. Fill in an email address that ends with your domain
  3. Click Perform Test
  4. The output shows that the test is successful for the MX host ending in mx.microsoft

Step 7. Remove old MX record in DNS registrar

  1. Go to your DNS registrar
  2. Remove the old MX record

Step 8. Change the priority of the new MX record in DNS registrar

  1. Edit the new MX record in your DNS registrar
  2. Change the priority to 0
  3. Click Save

Mail for the domain now arrives only through the DNSSEC-signed mx.microsoft host. The 1-minute TTL has done its job; you can raise it back to your normal value.

Step 9. Verify DNSSEC validation

  1. Go to the DNSSEC and DANE Validation Test
  2. Fill in the domain name
  3. Ensure that you select test type DNSSEC Validation
  4. Click Perform Test
  5. The screen shows that the DNSSEC Validation test is successful for the MX host ending in mx.microsoft

Do not continue until this test passes: senders only trust the TLSA records that DANE relies on when they can validate them through DNSSEC.

Step 10. Enable Inbound SMTP DANE for domain

Enable Inbound SMTP DANE for the domain with the command below, while you are still connected to Exchange Online PowerShell.

Enable-SmtpDaneInbound -DomainName "alitajran.com"

The below output appears.

Result  ErrorData
------  ---------
Success

Important: Wait 15-30 minutes before you proceed, because the TLSA records that Microsoft publishes for your mx.microsoft host need to propagate before the validation test can succeed.

Step 11. Verify DANE Validation (including DNSSEC)

  1. Go to the DNSSEC and DANE Validation Test
  2. Fill in the domain name
  3. Ensure that you select test type DANE Validation (including DNSSEC)
  4. Click Perform Test
  5. The screen shows that the DANE Validation (including DNSSEC) test is successful for the MX host ending in mx.microsoft
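The whole cut-over as one script, as an added example that is not from the original article or from Microsoft: it runs the same cmdlets as steps 3, 4 and 10, pauses at the steps that are done in the registrar's DNS console, and adds the checks you would otherwise do by eye (is the zone signed, has the new MX record become visible, has the old one gone). The domain name and the public resolver are placeholders. The -DnssecOk switch of Resolve-DnsName only shows whether RRSIG records come back, so the Remote Connectivity Analyzer tests in steps 6, 9 and 11 remain the authoritative checks, and the read-back cmdlets Get-DnssecForVerifiedDomain and Get-SmtpDaneInbound are assumed to be present in your version of the ExchangeOnlineManagement module.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example (not from the original article): steps 1-11 driven from PowerShell,
# with checks between the stages that are easy to get wrong by hand. Assumptions:
# $Domain is a placeholder, the MX records are still edited by hand at the registrar
# when the script prompts, and the read-back cmdlets Get-DnssecForVerifiedDomain and
# Get-SmtpDaneInbound are available in the installed ExchangeOnlineManagement module.
param(
    [Parameter(Mandatory)][string] $Domain,      # e.g. 'alitajran.com'
    [string] $Resolver = '8.8.8.8'               # a DNSSEC-validating public resolver for the external checks
)
$ErrorActionPreference = 'Stop'

function Test-DnssecSigned {
    # Query with the DO bit set: a signed zone returns RRSIG records next to the answer.
    # This proves the zone is signed, not that the parent publishes a valid DS record;
    # the Verisign debugger in step 1 checks the full chain from the root.
    param([string] $Name, [string] $Server, [string] $Type = 'MX')
    $answer = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnssecOk -DnsOnly
    return [bool]($answer | Where-Object Type -eq 'RRSIG')
}

function Get-MxHosts {
    param([string] $Name, [string] $Server)
    Resolve-DnsName -Name $Name -Type MX -Server $Server -DnsOnly |
        Where-Object Type -eq 'MX' |
        Sort-Object Preference |
        Select-Object NameExchange, Preference
}

function Wait-ForMx {
    # Poll once a minute (the TTL from step 2) until the expected host is present,
    # or, with -Only, until it is the only MX host left.
    param([string] $Name, [string] $Server, [string] $Expected, [switch] $Only, [int] $TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $mx    = @(Get-MxHosts -Name $Name -Server $Server)
        $names = @($mx | ForEach-Object { $_.NameExchange.TrimEnd('.').ToLowerInvariant() })
        $ok    = if ($Only) { $names.Count -eq 1 -and $names[0] -eq $Expected } else { $Expected -in $names }
        if ($ok) { return $mx }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    throw "MX for $Name did not converge on $Expected within $TimeoutMinutes minutes"
}

# Step 1: refuse to continue on an unsigned domain; DANE without DNSSEC adds nothing.
if (-not (Test-DnssecSigned -Name $Domain -Server $Resolver)) {
    throw "$Domain is not DNSSEC-signed; enable DNSSEC at your DNS host and registrar first"
}

# Steps 3-4: enable DNSSEC for the domain and capture the Microsoft-hosted MX name.
Connect-ExchangeOnline -ShowBanner:$false
$dnssec = Enable-DnssecForVerifiedDomain -DomainName $Domain
if ($dnssec.Result -ne 'Success') { throw "Enable-DnssecForVerifiedDomain failed: $($dnssec.ErrorData)" }
$newMx = $dnssec.DnssecMxValue.ToLowerInvariant()

# Step 5 is done at the registrar; the script says what to add and waits until it is visible.
Write-Host "Add MX record for $Domain : priority 20, TTL 60, mail server $newMx"
$null = Read-Host 'Press Enter once the new MX record is saved'
$null = Wait-ForMx -Name $Domain -Server $Resolver -Expected $newMx

# Steps 7-8 (registrar): remove the old MX and set the new one to priority 0.
$null = Read-Host 'Remove the old MX record and set the new MX record to priority 0, then press Enter'
$null = Wait-ForMx -Name $Domain -Server $Resolver -Expected $newMx -Only

# Step 9 (approximation of the DNSSEC Validation test): the mx.microsoft host must itself be signed.
if (-not (Test-DnssecSigned -Name $newMx -Server $Resolver -Type A)) {
    throw "$newMx did not return a signed answer; run the DNSSEC Validation test before enabling DANE"
}

# Step 10: enable DANE only after the MX cut-over is complete, in the order the article requires.
$dane = Enable-SmtpDaneInbound -DomainName $Domain
if ($dane.Result -ne 'Success') { throw "Enable-SmtpDaneInbound failed: $($dane.ErrorData)" }

# Read back the tenant-side state. The TLSA records themselves live in the mx.microsoft
# zone and take 15-30 minutes to propagate; step 11 (the DANE Validation test) covers that.
Get-DnssecForVerifiedDomain -DomainName $Domain
Get-SmtpDaneInbound -DomainName $Domain
```

Run it from an elevated PowerShell session as .\Enable-InboundDane.ps1 -Domain 'alitajran.com'. The two Read-Host pauses are deliberate: the script never touches your public DNS, it only refuses to move on to the next Exchange Online cmdlet until the public resolver shows the state the next step expects.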

Note: Exchange Online publishes multiple TLSA records for each MX host to make SMTP DANE validation more reliable (for example, to cover a certificate rollover). It is expected that some of these TLSA records fail validation. As long as one TLSA record passes, SMTP DANE is configured correctly and inbound email is secured with SMTP DANE: a sending server accepts the connection as soon as any usable TLSA record matches the certificate it was presented.
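To make the note above and the definition in the "What are SMTP DANE and DNSSEC?" section concrete, here is an added example (not code from the article, nor anything Microsoft ships) of the check a DANE-aware sending server performs: it computes the association data for the certificate it was presented and compares it with each TLSA record, succeeding as soon as one usable record matches. The certificate is generated in memory and the TLSA records are constructed from it, so none of the values are Exchange Online's; the script needs PowerShell 7 for the .NET certificate APIs it uses.

```powershell
# Added example (not from the original article): the TLSA matching that a DANE-validating
# sender performs on the certificate a receiving server presents. The certificate and the
# TLSA records below are constructed in memory for the demo; real values come from the TLS
# handshake and from a DNSSEC-validated lookup of _25._tcp.<mx-host>. Requires PowerShell 7.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-TlsaAssociationData {
    # Selector picks the DER bytes to compare (RFC 6698 2.1.2):
    #   0 = full certificate, 1 = SubjectPublicKeyInfo only (survives a re-issue with the same key)
    # MatchingType picks how they are compared (RFC 6698 2.1.3):
    #   0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    param(
        [Parameter(Mandatory)][X509Certificate2] $Certificate,
        [Parameter(Mandatory)][ValidateSet(0, 1)][int] $Selector,
        [Parameter(Mandatory)][ValidateSet(0, 1, 2)][int] $MatchingType
    )
    [byte[]] $data = if ($Selector -eq 0) { $Certificate.RawData } else { $Certificate.PublicKey.ExportSubjectPublicKeyInfo() }
    [byte[]] $out = switch ($MatchingType) {
        0 { $data }
        1 { [SHA256]::Create().ComputeHash($data) }
        2 { [SHA512]::Create().ComputeHash($data) }
    }
    return ,$out
}

function Test-DaneMatch {
    # Returns the first TLSA record that matches the presented chain, or $null.
    # SMTP DANE (RFC 7672) only honours usage 3 (DANE-EE: match the server certificate itself)
    # and usage 2 (DANE-TA: match an issuer certificate in the presented chain). Usages 0 and 1
    # (PKIX-*) are not used for SMTP. For usage 2 a real validator must additionally build and
    # verify the path from the server certificate to the matched anchor; that is X509Chain's job
    # and is not repeated here.
    param(
        [Parameter(Mandatory)][X509Certificate2[]] $PresentedChain,   # [0] = server cert, rest = intermediates
        [Parameter(Mandatory)][object[]] $TlsaRecords                 # each: @{ Usage; Selector; MatchingType; Data (hex) }
    )
    foreach ($rr in $TlsaRecords) {
        $candidates = switch ($rr.Usage) {
            3       { @($PresentedChain[0]) }
            2       { @($PresentedChain | Select-Object -Skip 1) }
            default { @() }
        }
        foreach ($cert in $candidates) {
            $actual = Get-TlsaAssociationData -Certificate $cert -Selector $rr.Selector -MatchingType $rr.MatchingType
            $actualHex = [BitConverter]::ToString($actual) -replace '-'
            if ($actualHex -eq $rr.Data.ToUpperInvariant()) { return $rr }
        }
    }
    return $null
}

# --- Constructed demo: a throw-away self-signed "server" certificate and three TLSA records
# whose hashes are derived from it (so they are not Exchange Online's values).
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=demo-mx.example.invalid', $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$cert = $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1), [DateTimeOffset]::UtcNow.AddDays(30))

$currentSpkiSha256 = [BitConverter]::ToString((Get-TlsaAssociationData -Certificate $cert -Selector 1 -MatchingType 1)) -replace '-'
$tlsa = @(
    @{ Usage = 3; Selector = 1; MatchingType = 1; Data = ('AB' * 32) }         # stale record for a previous key: fails
    @{ Usage = 1; Selector = 0; MatchingType = 1; Data = $currentSpkiSha256 }  # PKIX usage: ignored for SMTP
    @{ Usage = 3; Selector = 1; MatchingType = 1; Data = $currentSpkiSha256 }  # current "3 1 1" record: matches
)

$match = Test-DaneMatch -PresentedChain @($cert) -TlsaRecords $tlsa
if ($match) { "DANE OK via TLSA $($match.Usage) $($match.Selector) $($match.MatchingType)" }
else        { 'DANE FAILED: no usable TLSA record matches the presented certificate' }
```

The first record in the constructed set fails, exactly like the "failing" entries the validation test shows for Exchange Online, and the sender still reports success because the third one matches. If you remove that third record, the result flips to a failure, which is what a DANE-aware sender would turn into a delivery deferral rather than a plaintext fallback.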

That’s it!

Read more: How to check SPF/DKIM/DMARC are correctly set »

Conclusion

You learned how to set up Inbound SMTP DANE with DNSSEC in Exchange Online. Every Microsoft 365 organization should configure this for their accepted domains in Exchange Online to secure its inbound mail flow. Remember that it’s completely free.

Did you enjoy this article? You may also like Office 365 Recommended Configuration Analyzer. Don’t forget to follow us and share this article.
