Exchange Online Inbound Support for SMTP DANE for DNSSEC | More Secured SMTP

More Secured Exchange Online Inbound Support for SMTP DANE for DNSSEC details are available in this post. Exchange Online Inbound Support for DNSSEC DANE for SMTP is coming out soon. This method provides a more secure way of sending and receiving emails!

DNS-based Authentication of Named Entities (DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) is the industry standard protocols to secure SMTP mail transactions. The GA (general availability) of Inbound support for DNSSEC/DANE for SMTP is marked for July 2023.

Microsoft already released Exchange Online support for Outbound DNSSEC/DANE for SMTP. This feature is GA’d on January 2022. The new standards for SMTP help to fill the gaps in the current implementation of secure email transfer using Certificate Authorities (CA).

As you know, the current email encryption is based on TLS/SSL encryption and that is currently based on certificates issued by CAs. There are many security breaches to well-known Certificate Authorities, hence industry started moving to the more secure method.

Patch My PC

DNSSEC DANE Outbound Support for SMTP

Microsoft already added the Outbound SMTP DANE with DNSSEC back in Jan 2022. Microsoft planned to implement SMTP DANE for DNSSEC support in two phases.

The first phase is to add outbound support was implemented in January 2022. The inbound support will be added in July 2023. The additional reporting feature will help to identify issues with email flow proactively.

This reporting feature helps destination domain admins get fast insight into errors their senders may encounter, allowing them to fix them before they hear about those errors from Exchange Online customers.

More Secured Exchange Online Inbound Support for SMTP DANE for DNSSEC Fig. 1
More Secured Exchange Online Inbound Support for SMTP DANE for DNSSEC Fig. 1 Credits to MS

More Secured Exchange Online Inbound Support for DNSSEC DANE for SMTP

As per feature ID 63213, Microsoft is committed to providing world-class email security solutions and support for the latest Internet standards in order to provide advanced email protection for our customers.

Adaptiva

With this change, Microsoft Exchange online team is adding inbound support for DNSSEC/DANE for SMTP to Exchange Online. The feature ID for Outbound support is 63212. With this inbound and outbound support, the customers are entitled to have more Secured Exchange Online.

The DNSSEC works as explained below. The following screenshot shows DNS resource records in the zone contoso.com before and after zone signing.

Exchange Online Inbound Support for SMTP DANE for DNSSEC Fig. 2
Exchange Online Inbound Support for SMTP DANE for DNSSEC Fig. 2 – Credits to MS

NDR Error Codes with Exchange Online with SMTP DANE

Let’s look at the common NDR error codes with exchange online when using SMTP DANE. The table gives error codes and a description of each error code to help you in troubleshooting.

  • Sending Emails with SMTP DANE Error codes.
  • Receiving Emails with SMTP DANE Error codes.
NDR CodeDescription
5.7.321starttls-not-supported: The destination mail server must support TLS to receive mail.
5.7.322certificate-expired: The destination mail server’s certificate is expired.
5.7.323tlsa-invalid: The domain failed DANE validation.
5.7.324dnssec-invalid: Destination domain returned invalid DNSSEC records.
4/5.7.321starttls-not-supported: The destination mail server must support TLS to receive mail.
4/5.7.322certificate-expired: The destination mail server’s certificate has expired.
4/5.7.323tlsa-invalid: The domain failed DANE validation.
4/5.7.324dnssec-invalid: Destination domain returned invalid DNSSEC records.
More Secured Exchange Online Inbound Support for SMTP DANE for DNSSEC Table 1

Resources -> How SMTP DNS-based Authentication of Named Entities (DANE) secures email communications

Author

AlokĀ is a Master of Computer Applications (MCA) graduate. He loves writing on Windows 11 and related technologies. He likes to share his knowledge, quick tips, and tricks with Windows 11 or Windows 10 with the community.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.