<28 April 2025>
How to set up Inbound SMTP DANE and DNSSEC for Microsoft 365

In March 2022, Microsoft set up Outbound SMTP DANE with DNSSEC automatically. You didn't have to do anything for that yourself.

Inbound mail traffic (receiving e-mails), however, was a different story: there, it took until 2024 before Microsoft also made this functionality available.

In this article, we will explain step by step how to set up Inbound SMTP DANE and DNSSEC within Exchange Online.


What is SMTP DANE and DNSSEC?

  • SMTP DANE (DNS-based Authentication of Named Entities) checks via DNS whether the certificates used for e-mail traffic are genuine, and protects against TLS downgrade attacks.
  • DNSSEC (Domain Name System Security Extensions) ensures that the DNS data itself cannot be manipulated in transit, for example by a man-in-the-middle attack.

Microsoft offers this extra security for free to all Microsoft 365 users. Outbound DANE requires no action on your part, but you have to activate Inbound DANE yourself.

STEPS: Configuring inbound SMTP DANE and DNSSEC in Exchange Online

1. Make sure your domain is DNSSEC-enabled

Verisign

Is your domain not signed? Enable DNSSEC at your registrar. Does your registrar not support it? Then it is wise to move your domain to a party that does.

2. Lower the TTL of your existing MX record

  • Log in to your DNS management portal
  • Lower the TTL (Time To Live) of your existing MX record to 1 minute
  • Make sure the priority of your MX record is set to 0 or 10
  • Save the changes


Note: Wait for the old TTL to fully expire before proceeding.

3. Connect to Exchange Online PowerShell

  • Start PowerShell as administrator.
    • Don't have the Exchange Online PowerShell module installed yet? Then you can easily add it with:
      Install-Module ExchangeOnlineManagement
    • PowerShell may ask for permission to install from the PSGallery. Confirm this with ‘Yes’.
    • Then connect to Exchange Online:
      Connect-ExchangeOnline

4. Activate DNSSEC for your domain

  • Run the following command:
    Enable-DnssecForVerifiedDomain -DomainName "jouwdomein.nl"
  • The result shows a new value (DnssecMxValue) that you need for the next step.


5. Add a new MX record

  • Create a new MX record in your DNS management portal
  • Use the DnssecMxValue from the previous step
  • TTL: 1 minute
  • Priority: 20
  • Save


6. Check the new MX record

  • Test via Inbound SMTP Email Test
  • Enter an e-mail address ending in your domain
  • Check if the test passes for the new MX record


7. Delete the old MX record

  • Delete the old MX record in your DNS management

8. Adjust the priority of your new MX record

  • Change the priority of the new MX record to 0
  • Save

9. Check DNSSEC validation

DNSSEC test success

10. Activate Inbound SMTP DANE

  • Stay connected to Exchange Online and run:
    Enable-SmtpDaneInbound -DomainName "jouwdomein.nl"


Important: Wait 15-30 minutes for the TLSA records to fully propagate.

11. Check DANE validation (including DNSSEC)

DANE successful

Note: Microsoft hosts multiple TLSA records for better reliability. If at least one TLSA record validates, your configuration is correct.
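
To make the note above concrete, here is an added example (not part of the original guide and not Microsoft's tooling) of how a sending server compares the records of a TLSA RRset with the certificate presented by the MX host, using the selector and matching-type fields from RFC 6698. The certificate bytes, key bytes and the three records are constructed placeholders, and only DANE-EE (usage 3) records are evaluated.

```python
import hashlib

# RFC 6698 matching types: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
DIGESTS = {
    0: lambda data: data,
    1: lambda data: hashlib.sha256(data).digest(),
    2: lambda data: hashlib.sha512(data).digest(),
}

def parse_tlsa(rdata):
    """Parse 'usage selector matching-type hex...' as printed by dig."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError(f"malformed TLSA rdata: {rdata!r}")
    usage, selector, mtype = (int(p) for p in parts[:3])
    # dig may split long hex data into groups, so join them again
    return usage, selector, mtype, bytes.fromhex("".join(parts[3:]))

def record_matches(rdata, cert_der, spki_der):
    """True if a DANE-EE (usage 3) record matches the leaf certificate."""
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage != 3 or selector not in (0, 1) or mtype not in DIGESTS:
        return False  # other usages and unknown values are not evaluated here
    subject = cert_der if selector == 0 else spki_der  # 0 = cert, 1 = public key
    return DIGESTS[mtype](subject) == assoc

def dane_ok(rrset, cert_der, spki_der):
    """Return (passed, per-record results); one matching record is enough."""
    results = []
    for rdata in rrset:
        try:
            results.append(record_matches(rdata, cert_der, spki_der))
        except ValueError:
            results.append(False)  # unusable record, keep checking the rest
    return any(results), results

# Constructed placeholder bytes; a real check takes both from the STARTTLS
# handshake with the MX host, after the TLSA answer has passed DNSSEC validation.
CERT_DER = b"constructed-leaf-certificate"
SPKI_DER = b"constructed-current-public-key"
RRSET = [  # constructed records, not Microsoft's published values
    "3 1 1 " + hashlib.sha256(b"constructed-other-public-key").hexdigest(),
    "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest(),
    "3 1 1 zz",
]

if __name__ == "__main__":
    print(dane_ok(RRSET, CERT_DER, SPKI_DER))
```

The per-record list shows why a validator that reports one failing TLSA record alongside a passing one still gives an overall pass.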


Conclusion

With these steps, you will better secure incoming e-mail traffic in Exchange Online against spoofing and downgrade attacks. And the best part: it costs you nothing extra. Every organisation that is serious about e-mail security should take this step, especially now that Microsoft 365 no longer limits you to just the basic settings.

Want to know if your e-mail domain is really set up properly? Then do the check via internet.nl/test-mail.


If you set up SPF, DKIM, DMARC, DNSSEC and DANE perfectly, you will achieve 100% and receive a place in internet.nl's Hall of Fame. A great recognition for your e-mail security and an important step towards a stronger digital foundation.

Source:
Based on the guide from alitajran.com: Inbound SMTP DANE and DNSSEC Exchange Online.

Maikel Roolvink, Cybersecurity specialist
