DANE and DNSSEC are used to secure email. Properly securing email communication is a layered process and the larger number of supported protocols usually means the server is more protected. SMTP (Simple Mail Transfer Protocol) is the underpinning framework for all email traffic. This allows the method for sending communication between serves. One problem with SMTP is it’s an aging protocol that does not support encryption. That’s why the email industry has created STARTTLS (SMTP Service Extension for Secure SMTP over Transport Layer Security) to add an encryption layer on top of standard SMTP. However, even this adaptation has some problems. Firstly, email traffic does not move from sender to receiver directly. Instead, it moves through other email servers. Attackers are able to sit in wait on the sending path, posing as an old server to trick the STARTTLS encryption into downgrading to standard SMTP. Secondly, an attack could intercept the email travel path and confuse it into thinking it is the receiving server. Even if the email is encrypted with STARTTLS, the sending server will never know the email was intercepted.
New Protocol Support
These are problems Microsoft’s Office 365 Exchange Online server has faced. DANE and DNSSEC address these issues and protect against the problems detailed above. “The support of the above standards, especially DNSSEC, will require investment and architecture changes to the Microsoft infrastructure – an investment we believe is necessary to enhance protection for our customers,” Microsoft engineers said in a blog post yesterday. “As this will require significant work, we will be releasing DANE and DNSSEC for SMTP in two phases,” Microsoft said. “The first phase will include only outbound support (mail sent outbound from Exchange Online). We aim to enable this by the end of the calendar year 2020. The second phase will add inbound support for Exchange Online and we plan to enable that by the end of 2021.”