Microsoft Announces Enhanced Security Protocols for Exchange Online

The upcoming changes for Microsoft Exchange Online will add DANE for SMTP and DNSSEC, making emails more secure, especially against TLS downgrade attacks.

Microsoft has unveiled plans to bolster email tamper protection for Exchange Online, targeting completion in 2024. The forthcoming enhancements add Domain Name System (DNS)-based Authentication of Named Entities (DANE) for SMTP and Domain Name System Security Extensions (DNSSEC). “DANE for SMTP authenticates certificates utilized for securing email communication with TLS, thereby safeguarding against TLS downgrade attacks,” says the announcement. DNSSEC, in turn, adds cryptographic verification of DNS records, aiming to thwart DNS spoofing and adversary-in-the-middle attacks.
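To make the DANE-for-SMTP mechanism concrete, here is an added example (not code from the announcement or from Microsoft) of the check a sending mail server performs: it parses a TLSA record as published under `_25._tcp.<mx host>`, compares it with the certificate the receiving MX presents, and refuses to fall back to cleartext when a DNSSEC-validated TLSA record exists. The TLSA record, certificate and SubjectPublicKeyInfo bytes are constructed sample values, and only the DANE-EE (usage 3) case is matched.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE (end-entity certificate); 2 = DANE-TA (trust anchor)
    selector: int   # 0 = full certificate DER; 1 = SubjectPublicKeyInfo DER
    matching: int   # 0 = exact data; 1 = SHA-256; 2 = SHA-512
    data: bytes     # certificate association data


def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA presentation format ('3 1 1 <hex>') as published at _25._tcp.<mx host>."""
    usage, selector, matching, hexdata = rdata.split()
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex(hexdata))


def association_data(cert_der: bytes, spki_der: bytes, rec: TLSA) -> bytes:
    """Compute what the presented certificate must match for this record."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.matching == 0:
        return selected
    if rec.matching == 1:
        return hashlib.sha256(selected).digest()
    if rec.matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported matching type {rec.matching}")


def dane_policy(tlsa_records: list, dnssec_validated: bool,
                starttls_offered: bool, cert_der: bytes, spki_der: bytes) -> str:
    """Decide the sending MTA's action: 'opportunistic', 'deliver' or 'defer'.
    Only DANE-EE (usage 3) records are matched; DANE-TA (usage 2) would also
    require walking the certificate chain, which is omitted here."""
    # TLSA data is trustworthy only when the lookup was DNSSEC-validated;
    # an unsigned answer is treated as if no TLSA records existed.
    usable = [r for r in tlsa_records if r.usage == 3] if dnssec_validated else []
    if not usable:
        return "opportunistic"   # no DANE policy: legacy opportunistic-TLS behaviour
    if not starttls_offered:
        return "defer"           # STARTTLS stripped: DANE forbids cleartext fallback
    for rec in usable:
        if association_data(cert_der, spki_der, rec) == rec.data:
            return "deliver"     # certificate pinned in DNS matches the one presented
    return "defer"               # mismatch: possible interception or stale TLSA, hold mail


# Constructed sample values (not real certificates or Microsoft records):
SAMPLE_SPKI = b"constructed-spki-der-bytes"
SAMPLE_CERT = b"constructed-certificate-der-bytes"
SAMPLE_TLSA = TLSA(3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest())
```

A real MTA would take `cert_der` and `spki_der` from the TLS handshake and the TLSA records from a validating resolver; the decision logic stays the same.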

Implementation Timeline and IT Department Adjustments

The new protocol support applies to inbound email and rounds out the security upgrades for Exchange Online. The transition requires the adoption of new Exchange Online subdomains, labeled “mx.microsoft”. The shift is scheduled to begin in March 2024 as an opt-in public preview, with general availability projected for July; the new subdomains bring significant security benefits. According to Microsoft, while mail.protection.outlook.com will remain operational indefinitely, it will stop provisioning future Accepted Domain A records to that domain, and the domain will not receive any new DNS enhancements such as SMTP DANE with DNSSEC.

Starting in March 2024, as part of the Public Preview, customers will be able to use the Microsoft 365 Admin Center and/or Exchange PowerShell to migrate their mail flow DNS records out of mail.protection.outlook.com and into the new subdomains under mx.microsoft. This lets them enable DNSSEC for a particular Accepted Domain and then enable SMTP DANE on that DNSSEC-enabled Accepted Domain.

Details from the Official Announcement

Delving into the specifics, the official announcement on Microsoft's Tech Community blog delineates that the support for inbound SMTP DANE with DNSSEC will materialize in two distinct phases. The initial unveiling in March 2024 will empower customers to activate SMTP DANE for Accepted Domains and transition existing domains into the newly established DNSSEC-enabled zones.

Subsequently, from July to December 2024, Microsoft will gradually reconfigure the provisioning of all A records for new Accepted Domains to the new subdomains under mx.microsoft. The announcement also notes constraints and scenarios that may not receive immediate support, including certain domains purchased from Microsoft and setups involving third-party gateways.

Impact on Organizations and Future Developments

For organizations leveraging Exchange Online, adapting to these modifications is imperative for sustaining seamless email operations. The alterations are integral for fortifying the security and reliability of email delivery within the Microsoft 365 ecosystem. Microsoft remains steadfast in its commitment to aiding users through this transition, actively seeking feedback from the community to address any prevailing concerns or dependencies. The company has also outlined scenarios and domains that may face limitations in initial support, underscoring its proactive approach to keeping users informed and prepared.

Proactive Measures and Community Engagement

Microsoft is not only implementing these changes but is also actively engaging with the community and stakeholders. The company values feedback and has expressed a willingness to address concerns or dependencies that may arise due to these changes.