<28 April 2025>

How to set up Inbound SMTP DANE and DNSSEC for Microsoft 365

In March 2022, Microsoft set up Outbound SMTP DANE with DNSSEC automatically. You didn't have to do anything for that yourself.

Inbound mail traffic (receiving e-mails), however, was a different story: there, it took until 2024 before Microsoft also made this functionality available.

In this article, we will explain step by step how to set up Inbound SMTP DANE and DNSSEC within Exchange Online.


<SMTP DANE>

DNS-based Authentication of Named Entities

  • SMTP DANE uses DNS to verify that the certificates used for email traffic are genuine and protects against TLS downgrade attacks.

<DNSSEC>

Domain Name System Security Extensions

DNSSEC ensures that the DNS data itself cannot be manipulated en route, for example by a man-in-the-middle attack.

Microsoft offers this extra security free of charge to all Microsoft 365 users. You do not need to do anything for Outbound DANE, but you must activate Inbound DANE yourself.

<Step-by-step plan: Configuring Inbound SMTP DANE and DNSSEC in Exchange Online>

<Step 1>

Make sure your domain is DNSSEC-enabled

Is your domain not signed? Enable DNSSEC at your registrar. Does your registrar not support it? Then it is wise to move your domain to a party that does.

Note: Wait for the old TTL to fully expire before proceeding.

<Step 2>

Lower the TTL of your existing MX record

  • Log in at your DNS provider
  • Lower the TTL (Time To Live) of your existing MX record to 1 minute
  • Make sure the priority of your MX record is set to 0 or 10
  • Save the changes

<Step 3>

Connect to Exchange Online PowerShell

  • Start PowerShell as administrator.
    • Don't have the Exchange Online PowerShell module installed yet? Then you can easily add it with:
      Install-Module ExchangeOnlineManagement
    • PowerShell may ask for permission to install from the PSGallery. Confirm this with ‘Yes’.
    • Then connect to Exchange Online:
      Connect-ExchangeOnline

<Step 4>

Activate DNSSEC for your domain

  • Run the following command, replacing jouwdomein.nl with your own domain:
    Enable-DnssecForVerifiedDomain -DomainName "jouwdomein.nl"
  • The result shows a new value (DnssecMxValue) that you need for the next step.

<Step 5>

Add a new MX record

  • Create a new MX record at your DNS provider
  • Use the DnssecMxValue from the previous step
  • TTL: 1 minute
  • Priority: 20
  • Save

<Step 6>

Check the new MX record

  • Test via Inbound SMTP Email Test
  • Enter an e-mail address ending in your domain
  • Check if the test passes for the new MX record

<Step 7>

Delete the old MX record

  • Delete the old MX record in your DNS management

<Step 8>

Adjust the priority of your new MX record

  • Change the priority of the new MX record to 0

<Step 9>

Check DNSSEC validation

<Step 10>

Activate Inbound SMTP DANE

  • Stay connected to Exchange Online and run the following command, again with your own domain in place of jouwdomein.nl:
    Enable-SmtpDaneInbound -DomainName "jouwdomein.nl"

Important: Wait 15-30 minutes for the TLSA records to fully propagate.

<Step 11>

Check DANE validation (including DNSSEC)

Note: Microsoft hosts multiple TLSA records for better reliability. If at least one TLSA record validates, your configuration is correct.
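
The note above says one validating TLSA record is enough. As an added example (not from the original guide or from Microsoft), this Python code shows how a DANE-aware sender compares a TLSA RRset against the certificate a mail server presents, following the matching rules of RFC 6698 and RFC 7672. It only evaluates DANE-EE (usage 3) records; the function names and the byte strings standing in for the DER-encoded certificate and public key are constructed for illustration.

```python
import hashlib

# TLSA matching types (RFC 6698): 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
_DIGEST = {0: lambda b: b,
           1: lambda b: hashlib.sha256(b).digest(),
           2: lambda b: hashlib.sha512(b).digest()}

def parse_tlsa(rdata):
    """Parse TLSA presentation format: 'usage selector mtype hexdata'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))

def tlsa_matches(rdata, cert_der, spki_der):
    """True if one TLSA record matches the server's leaf certificate."""
    try:
        usage, selector, mtype, data = parse_tlsa(rdata)
    except ValueError:
        return False          # malformed record: unusable
    if usage != 3:
        # PKIX-TA(0) and PKIX-EE(1) are unusable for SMTP (RFC 7672);
        # DANE-TA(2) needs the full chain, which this example does not model.
        return False
    if selector not in (0, 1) or mtype not in _DIGEST:
        return False
    selected = cert_der if selector == 0 else spki_der  # 0 = full cert, 1 = public key
    return _DIGEST[mtype](selected) == data

def dane_ok(rrset, cert_der, spki_der):
    """The rule from the note above: one matching record is enough."""
    return any(tlsa_matches(r, cert_der, spki_der) for r in rrset)

# Constructed stand-ins for DER bytes (not real certificate data)
CERT = b"constructed-certificate-der"
SPKI = b"constructed-public-key-der"
OLD_SPKI = b"constructed-previous-key-der"

# Constructed RRset: two records, only the second matches the key being served
RRSET = [
    "3 1 1 " + hashlib.sha256(OLD_SPKI).hexdigest(),
    "3 1 1 " + hashlib.sha256(SPKI).hexdigest(),
]

if __name__ == "__main__":
    for r in RRSET:
        print(r[:22] + "...", "match" if tlsa_matches(r, CERT, SPKI) else "no match")
    print("DANE valid:", dane_ok(RRSET, CERT, SPKI))
```

A record that does not match is not a failure on its own; validation fails only when no usable record in the RRset matches.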

<Conclusion>

100% score on internet.nl

With these steps, you will better secure incoming e-mail traffic in Exchange Online against spoofing and downgrade attacks. And the best part: it costs you nothing extra. Every organisation that is serious about e-mail security should take this step, especially now that even with Microsoft 365 you are no longer dependent on just basic settings.

Want to know if your e-mail domain is really set up properly? Then run the check at internet.nl/test-mail.

If you set up SPF, DKIM, DMARC, DNSSEC and DANE perfectly, you will achieve 100% and receive a place in internet.nl's Hall of Fame. A great recognition for your e-mail security and an important step towards a stronger digital foundation.

Source: Based on the guide from alitajran.com: Inbound SMTP DANE and DNSSEC Exchange Online.
