Microsoft Office 365 Adds Security

 

Microsoft continues upgrading the Office suites

Back in September 2020, Microsoft announced that it was experimenting with adding SMTP MTA Strict Transport Security (MTA-STS) support to Exchange Online. The aim was to secure the email communications of its Office 365 customers.

 

In a statement, the Microsoft Exchange Online Transport Team said:

"We have been validating our implementation and are now pleased to announce support for MTA-STS for all outgoing messages from Exchange Online."

While it may not sound like a terribly exciting change, it truly is a big step forward. Now that the feature is in place in Office 365, any emails sent by users via Exchange Online will be delivered over connections that use both authentication and encryption. This protects them from interception and attack attempts, including both man-in-the-middle and downgrade attacks.

 

Again, per the Exchange Online Transport Team:

"Downgrade attacks are possible where the STARTTLS response can be deleted, thus rendering the message in cleartext. Man-in-the-middle (MITM) attacks are also possible, whereby the message can be rerouted to an attacker's server. 

MTA-STS (RFC8461) helps thwart such attacks by providing a mechanism for setting domain policies that specify whether the receiving domain supports TLS and what to do when TLS can't be negotiated, for example stop the transmission."

Alongside the new feature, Microsoft has also provided guidance on how to adopt MTA-STS. This includes where to host the policy file on your domain's web infrastructure.

 

Microsoft plans two phases of DANE support

Additionally, the Exchange Team announced that they're in the process of rolling out DNS-based Authentication of Named Entities (DANE) for SMTP (with DNSSEC support). DANE provides better protection for SMTP connections than MTA-STS does.

The company's plan is to proceed slowly and in two phases. Phase I is to be completed by March 2022 and Phase II is to be completed by year-end 2022. The team stressed that admins would be able to use both standards in the same domain at the same time, allowing them to account for senders who may exclusively use one or the other.

 

A brief history of DANE

November 2019: Better mail security with DANE for SMTP

April 2020: Support of DANE and DNSSEC in Office 365 Exchange Online

January 2022: How SMTP DNS-based Authentication of Named Entities (DANE) works

 

My perspective

Great news indeed.  Kudos to Microsoft for its continuing efforts.

Understanding DANE and how to use it is sort of like Gilligan's "three-hour tour".

 


By Denis Wilson

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT Support
