SEPPmail.cloud and DANE/DNSSEC with Exchange Online

On July 17th 2024, the Exchange Engineering Teams announced the public preview of SMTP DANE with DNSSEC.

In a few words, DANE (DNS-based Authentication of Named Entities) and DNSSEC (Domain Name System Security Extensions) work together to improve email security by ensuring that the email server you’re connecting to is legitimate and the communication is secure.

• DNSSEC secures the Domain Name System (DNS) by ensuring that the responses to
  DNS queries (like finding the IP address of an email server) haven’t been tampered
  with. It adds a layer of verification using digital signatures, preventing attackers from
  redirecting you to fake servers (DNS spoofing).
• DANE builds on DNSSEC by allowing email providers to publish the cryptographic
  certificates (TLS certificates) of their email servers in DNS records. This helps email
  clients verify that the server’s certificate is correct and hasn’t been replaced by a
  fake one.

So why makes DANE my E-Mail system more secure ?

DNSSEC and DANE mainly prevent man-in-the-middle attacks, ensuring that emails are
securely sent to the right server with verified encryption, enhancing the overall security
of email services. For more information on the exact details of DANE/DNSSEC read
https://labs.ripe.net/author/dennis_baaten/better-mail-security-with-dane-for-smtp/

DANE and SEPPmail.cloud

SEPPmail.cloud is ready for DANE/DNSSEC since a long time and a setup with Exchange online and SEPPmail.cloud is a great combination. You can leverage the benefits of DANE/DNSSEC in both parallel and inline scenarios, read details below.

Inline Mode with Exchange Online

In inline mode, where SEPPmail.cloud is the first line of defense and Exchange Online is connected via partner connectors, SEPPmail publishes automatically the correct TLSA certificate for the MX-record in DNS. But this will be effective only if the domain of the our client has DNSSEC enabled, which is in the hands of the client itself.

If DNSSEC is configured correctly, not only SEPPmail.cloud as the front to the internet handles E-Mail more securely, also the connection between SEPPmail.cloud and Exchange Online could profit a little from DANE. The connector we use today is certificate based, so that Microsoft only accepts the connection if our certificate is given. By letting us ensure the right certificate from Microsoft is delivered (and no DNS spoofing happened), it helps to cover that unlikely scenario as well and reduces the risk of a MITM-attack also on this attack-surface.

Parallel Mode with Exchange Online

In a parallel mode scenario, Microsoft is handling DNS queries for remote E-Mail servers, so the main part of the config has to be done there.

Changes on Exchange Online

For parallel, enabling DANE on Exchange Online makes a bigger difference, because the connections are coming from anywhere to Microsoft. DANE is making sure that those mails a delivered to the right place and that the E-mails, re-injected from SEPPmail.cloud back to Exchange Online, are also encrypted with TLS and delivered to the right servers.

To enable DANE in parallel Mode, just follow the instructions from Microsoft in the “Learn” articles. Basically the setup will create a new DANE-enabled MX-record you need to configure. Details are all in the link enable inbound.

For outbound E-Mails there is apparentlky nothing to do, as documented here Enable outbound.

Changes in the SEPPmail.cloud

In the SEPPmail.cloud you then need to change the forward servers in login.seppmail.cloud on your customer tenant to the one emitted by the Powershell command. This shall happen, well timed within the change of the MX-record. Check the mailflow afterwards in the SEPPmail.cloud by monitoring mailflow in the logs.

Tools:
To verify the DNSSEC configuration of an E-Mail domain use https://dnsviz.net/ (also linked in the “Support-Tools” menu of the SEPPmail.cloud portal)

Links:
Microsoft Learn article on DNSSEC/DANE: https://learn.microsoft.com/en-us/purview/how-smtp-dane-works