Exchange Online DANE Inbound Preview

Hi All,

Yesterday the Exchange Team announced the Public Preview of Inbound SMTP DANE with DNSSEC for Exchange Online.

Our target dates for upcoming roadmap items are:

  • August 2024 – Inbound SMTP DANE with DNSSEC and MTA-STS report in the Exchange admin center
  • October 2024 – General Availability of Inbound SMTP DANE with DNSSEC
  • End of 2024
    • Deploying Inbound SMTP DANE with DNSSEC for all Outlook domains
    • Transition provisioning of mail records for all newly created Accepted Domains into DNSSEC-enabled infrastructure underneath *.mx.microsoft
  • February 2025 – Mandatory Outbound SMTP DANE, set per-tenant/per-remote domain

Basics

I’ve already written an Article about how DANE (DNS-based Authentication of Named Entities) works.

One of the Prerequisites is that the Domain is signed with DNSSEC.

I moved one of my Domains to Hostpoint because their DNS supports DNSSEC.

You can check if your DNS supports DNSSEC with the following Tool

Or use DNS over HTTPS from Google with the following Commands.

Note: AD = Authentic Data (the Answer is signed by DNSSEC)

$Domain = "icewolf.li"
# Google DNS-over-HTTPS JSON API; the resolver validates DNSSEC and reports the result in the AD field
$URI = "https://dns.google/resolve?name=$Domain&type=NS"
$json = Invoke-RestMethod -URI $URI
# Look at the AD field of the output: $true means the Answer was validated by DNSSEC
$json

Exchange Online commands

You need to have the ExchangeOnlineManagement PowerShell module version 3.5.1

The Rollout of the Cmdlets has started and they should be available by next Week.

Connect-ExchangeOnline -ShowBanner:$false
Get-Module
Get-Command *dnssec* -Module tmpEXO_*
Get-Command *dane* -Module tmpEXO_*

Let’s check a Domain that does NOT have DNSSEC enabled

Get-DnssecStatusForVerifiedDomain -DomainName icewolf.ch

Let’s check the details

$DNSSec = Get-DnssecStatusForVerifiedDomain -DomainName icewolf.ch
$DNSSec.ExpectedMxRecord
$DNSSec.DNSValidation
$DNSSec.MxValidation
$DNSSec.MtaStsValidation

Let’s check a Domain that HAS DNSSEC enabled

Get-DnssecStatusForVerifiedDomain -DomainName icewolf.li

$DNSSec = Get-DnssecStatusForVerifiedDomain -DomainName icewolf.li
$DNSSec.ExpectedMxRecord
$DNSSec.DNSValidation
$DNSSec.MxValidation
$DNSSec.MtaStsValidation

I added *.h-v1.mx.microsoft to my MTA-STS Policy and set the Mode from “enforced” to “testing”

That did not help with the MtaStsValidation

$DNSSec = Get-DnssecStatusForVerifiedDomain -DomainName icewolf.li
$DNSSec.MtaStsValidation

A few weeks ago, I wrote an Article about querying the M365 DNS Records with the Graph API

Connect-MgGraph -Scopes Domain.Read.All -NoWelcome
$M365DNSRecords = Get-MgDomainServiceConfigurationRecord -DomainId icewolf.li
$M365DNSRecords | where {$_.RecordType -eq "MX"} | fl

Now let’s enable the Domain for DNSSEC

Enable-DnssecForVerifiedDomain -DomainName icewolf.li

Let’s check the Graph API again - wow, that was fast 😍

Connect-MgGraph -Scopes Domain.Read.All -NoWelcome
$M365DNSRecords = Get-MgDomainServiceConfigurationRecord -DomainId icewolf.li
$M365DNSRecords | where {$_.RecordType -eq "MX"} | fl

Add MX

Now I’ve added the MX Record with a priority of 20

IN MX 20 icewolf-li.h-v1.mx.microsoft

Let’s check the DNS

$Domain = "icewolf.li"
$URI = "https://dns.google/resolve?name=$Domain&type=MX"
$json = Invoke-RestMethod -URI $URI
$json.Answer.data

Connectivity Analyzer

First, run the Inbound SMTP Email test

Now let’s check the DNSSEC and DANE Validation Test

The TLSA Record for the *.mx.microsoft Host is still missing

Enable DANE SMTP Inbound

Now let’s enable DANE for SMTP Inbound

Get-SmtpDaneInboundStatus -DomainName icewolf.li
Enable-SmtpDaneInbound -DomainName icewolf.li
Get-SmtpDaneInboundStatus -DomainName icewolf.li

It takes between 15 and 30 Minutes until the TLSA Record is provisioned.

Now we can remove the old MX Record

Let’s check the TLSA Record

$TLSAQuery = "_25._tcp.icewolf-li.h-v1.mx.microsoft"
$json = Invoke-RestMethod -URI "https://dns.google/resolve?name=$TLSAQuery&type=TLSA"
$json.Answer.data
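The three Google DNS-over-HTTPS lookups above (NS with the AD flag, MX, and the TLSA record under _25._tcp.) can be combined into one check that walks every MX host of a domain. This is an added example, not code from the original post; the function name Test-InboundDane is my own, and it assumes the Google resolve API response shape (Status, AD, Answer[].type/data) that the post already relies on.

```powershell
# Added example: for each MX host of a domain, query the matching TLSA record over
# Google DoH and report whether both answers were DNSSEC-validated (AD = Authentic Data).
function Test-InboundDane {
    param([Parameter(Mandatory)][string]$Domain)

    $mx = Invoke-RestMethod -Uri "https://dns.google/resolve?name=$Domain&type=MX"
    # Status 0 = NOERROR; Status 2 (SERVFAIL) is what the resolver returns when DNSSEC validation fails
    if ($mx.Status -ne 0 -or -not $mx.Answer) {
        Write-Warning "No usable MX answer for $Domain (Status $($mx.Status))"
        return
    }

    # type 15 = MX; rdata looks like "20 icewolf-li.h-v1.mx.microsoft."
    foreach ($record in ($mx.Answer | Where-Object { $_.type -eq 15 })) {
        $priority, $mxHost = $record.data -split ' ', 2
        $mxHost = $mxHost.TrimEnd('.')

        # DANE for SMTP publishes the TLSA record at _25._tcp.<mx host>
        $tlsaName = "_25._tcp.$mxHost"
        $tlsa = Invoke-RestMethod -Uri "https://dns.google/resolve?name=$tlsaName&type=TLSA"
        # type 52 = TLSA; rdata is "<usage> <selector> <matching type> <hex digest>"
        $tlsaData = @($tlsa.Answer | Where-Object { $_.type -eq 52 } | ForEach-Object { $_.data })

        [pscustomobject]@{
            Domain    = $Domain
            Priority  = [int]$priority
            MxHost    = $mxHost
            MxAD      = [bool]$mx.AD
            TlsaName  = $tlsaName
            TlsaAD    = [bool]$tlsa.AD
            Tlsa      = $tlsaData
            # A sender can only enforce DANE when the MX and the TLSA answers are both
            # DNSSEC-validated and at least one TLSA record exists
            DaneReady = ([bool]$mx.AD -and [bool]$tlsa.AD -and $tlsaData.Count -gt 0)
        }
    }
}

Test-InboundDane -Domain 'icewolf.li' | Format-List
```

An MX host that shows MxAD = True but TlsaAD = False or an empty Tlsa list is the state described above right after adding the *.mx.microsoft MX and before Enable-SmtpDaneInbound has provisioned the TLSA record.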

Add DMARC and TLSRPT Records

Add the DMARC and TLSRPT Records

MTA-STS Policy

Set the MTA-STS Policy back to enforced

DMARC / TLSRPT Provider

I’ve added the Domain to my Dmarcadvisor Account and after a day it looked like this.

Even though I had sent some Mails from and to that Domain, no DMARC Reports have arrived so far.

No TLSRPT Data has been received.

Summary

I’ve waited a long time to implement DANE in Exchange Online. The Process is fairly easy and the Tools supporting you are quite helpful. How’s your DANE journey going? If your Domain does not support DNSSEC, have you implemented MTA-STS?

Regards
Andres Bohren
