Enhancing the security of your organization’s communication channels is more critical than ever. Building on foundational protocols like SPF, DKIM, and DMARC, you can implement advanced technologies such as IPv6, DNSSEC, STARTTLS, DANE, and RPKI to secure Microsoft 365 email environments, specifically focusing on Exchange Online functionality. These protocols work in tandem to mitigate risks, protect against spoofing and phishing, and ensure the integrity and confidentiality of your email communications. Moreover, implementing these measures increases the chances of email delivery as many receiving email systems evaluate these security configurations to determine the authenticity and trustworthiness of messages.
Why Use SPF, DKIM, and DMARC Together?
SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) form the foundation of email authentication. SPF ensures only authorized servers can send emails on behalf of your domain, DKIM verifies the integrity of emails in transit using cryptographic signatures, and DMARC provides policies for handling unauthenticated messages while offering reporting capabilities. Together, these protocols prevent email spoofing and phishing attempts, ensuring only legitimate messages reach their destination. For detailed steps on setting up these protocols, see the article below.
This article contains the following sections:
Overview of Advanced Security Protocols
IPv6
IPv6 replaces IPv4 with a vastly larger address space, improved routing, and mandatory support for IPsec. These enhancements reduce the risk of IP spoofing and improve packet processing, ensuring robust security for email transmissions.
DNSSEC
DNSSEC adds cryptographic signatures to DNS responses, validating their authenticity and protecting against DNS spoofing. It ensures the integrity of DNS records critical for SPF, DKIM, and DMARC authentication. DNSSEC enhances trust in email authentication protocols by safeguarding the DNS infrastructure from tampering. Importantly, this ensures that receiving systems have confidence in the validity of DNS records, improving email deliverability.
STARTTLS
STARTTLS upgrades plain text email transmissions to encrypted connections using SSL or TLS, protecting sensitive data from interception. While SPF, DKIM, and DMARC handle sender authenticity and message integrity, STARTTLS ensures the confidentiality of email content during transport. Secure email transmissions can help avoid deliverability issues with systems that require encryption for communication.
DANE
DANE binds the TLS certificate (or public key) of a mail host to its name by publishing TLSA records in a DNSSEC-signed zone, providing an additional layer of trust. For inbound email, the TLSA records your domain publishes let sending servers validate the certificate your MX host presents during delivery, preventing attacks on the certificate chain and downgrades to unencrypted transport. For outbound email, it ensures secure communication with external recipients by validating their certificates against their TLSA records. DANE complements SPF, DKIM, and DMARC by guaranteeing that authenticated encryption is in place for every email transaction. This additional security reassures receiving systems and can positively impact deliverability.
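To make the TLSA matching concrete, here is an added PowerShell example (not code from the original post or from Microsoft) that builds the record a zone owner would publish for an MX host and then checks a presented certificate against it the way a DANE-aware sender does. It assumes PowerShell 7.1 or later (.NET 5+, for `ExportSubjectPublicKeyInfo()`); the certificates are generated in memory, the host name `mail.example.com` is a placeholder, and nothing here queries DNS.

```powershell
# Added example (not from the original post): TLSA record generation and DANE matching, offline.
# Assumes PowerShell 7.1+ (.NET 5+). Certificates below are constructed in memory for the demo.

function ConvertTo-HexString([byte[]] $Bytes) {
    ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Certificate association data for one TLSA selector / matching-type combination.
function Get-TlsaAssociationData {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [int] $Selector,       # 0 = full DER certificate, 1 = SubjectPublicKeyInfo only
        [int] $MatchingType    # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    )
    if ($Selector -eq 0)     { [byte[]] $data = $Certificate.RawData }
    elseif ($Selector -eq 1) { [byte[]] $data = $Certificate.PublicKey.ExportSubjectPublicKeyInfo() }
    else                     { throw "Unsupported TLSA selector $Selector" }

    if ($MatchingType -eq 0)     { [byte[]] $out = $data }
    elseif ($MatchingType -eq 1) { [byte[]] $out = [System.Security.Cryptography.SHA256]::Create().ComputeHash($data) }
    elseif ($MatchingType -eq 2) { [byte[]] $out = [System.Security.Cryptography.SHA512]::Create().ComputeHash($data) }
    else                         { throw "Unsupported TLSA matching type $MatchingType" }
    ConvertTo-HexString $out
}

# The record a zone owner publishes for its MX host. "3 1 1" (DANE-EE, SPKI, SHA-256) is the
# form RFC 7672 recommends for SMTP, so it is the default here.
function New-TlsaRecord {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [string] $MxHost,
        [int] $Usage = 3, [int] $Selector = 1, [int] $MatchingType = 1
    )
    $assoc = Get-TlsaAssociationData -Certificate $Certificate -Selector $Selector -MatchingType $MatchingType
    "_25._tcp.$MxHost. IN TLSA $Usage $Selector $MatchingType $assoc"
}

# What a sending MTA does with the TLSA RDATA and the chain the MX presented (leaf first).
# Usages 0 and 1 (PKIX-*) are not usable for SMTP under RFC 7672; 3 (DANE-EE) must match the
# leaf certificate, 2 (DANE-TA) must match an issuer certificate in the presented chain.
function Test-TlsaMatch {
    param(
        [string] $Rdata,   # "usage selector mtype hexdata"
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]] $Chain
    )
    $f = $Rdata.Trim() -split '\s+'
    if ($f.Count -ne 4) { throw 'TLSA RDATA must have four fields' }
    $usage = [int] $f[0]; $selector = [int] $f[1]; $mtype = [int] $f[2]; $assoc = $f[3]

    if ($usage -eq 3)     { $candidates = @($Chain[0]) }
    elseif ($usage -eq 2) { $candidates = @($Chain | Select-Object -Skip 1) }
    else { return [pscustomobject]@{ Usable = $false; Matched = $false; Reason = "usage $usage is not usable for SMTP" } }

    foreach ($cert in $candidates) {
        $actual = Get-TlsaAssociationData -Certificate $cert -Selector $selector -MatchingType $mtype
        if ($actual -eq $assoc) {   # string -eq is case-insensitive, so hex case does not matter
            return [pscustomobject]@{ Usable = $true; Matched = $true; Reason = "matched $($cert.Subject)" }
        }
    }
    [pscustomobject]@{ Usable = $true; Matched = $false; Reason = 'no presented certificate matches the TLSA data' }
}

# Constructed demo certificates: self-signed, in memory, standing in for an MX host's real cert.
function New-DemoCertificate([string] $Subject) {
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        $Subject, $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1), [DateTimeOffset]::UtcNow.AddYears(1))
}

$mxCert    = New-DemoCertificate 'CN=mail.example.com'   # the key the MX host really uses
$otherCert = New-DemoCertificate 'CN=mail.example.com'   # same name, different key: a substituted cert

$record = New-TlsaRecord -Certificate $mxCert -MxHost 'mail.example.com'
$record
$rdata = ($record -split ' IN TLSA ')[1]

Test-TlsaMatch -Rdata $rdata -Chain @($mxCert)       # the genuine certificate
Test-TlsaMatch -Rdata $rdata -Chain @($otherCert)    # same host name, wrong key
Test-TlsaMatch -Rdata ('1 ' + ($rdata -split ' ', 2)[1]) -Chain @($mxCert)   # PKIX-EE usage
```

The three checks at the end illustrate the point of the section: the genuine certificate matches, a certificate with the same subject name but a different key does not (a host name alone proves nothing to DANE), and a record with usage 1 is reported as unusable rather than matched, because SMTP DANE only honours usages 2 and 3.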
RPKI
RPKI secures internet routing by authenticating IP prefixes, preventing route hijacking. This ensures that email traffic is sent over authenticated routes, reducing the risk of email delivery disruptions and man-in-the-middle attacks.
Test results before configuration
Before starting the configuration, I tested my current configuration at internet.nl; as you can see, my configuration is failing the IPv6, DNSSEC, STARTTLS and DANE checks.
Step-by-Step Instructions for Inbound SMTP DANE
- Verify Prerequisites: Ensure that your domain’s DNS hosting provider supports DNSSEC. Additionally, verify that mail flow is configured correctly for Exchange Online.
- Enable DNSSEC: Enable DNSSEC with your domain’s DNS hosting provider to sign DNS records cryptographically. This step is critical to ensure DNS responses are authenticated and protected from spoofing.
Note: If your nameservers are hosted by Microsoft, DNSSEC is not natively supported in most cases. To enable DNSSEC, you may need to transfer DNS hosting back to your domain registrar or a provider that supports DNSSEC configurations.
- Update MX Records: Update the MX records of your domain to point to Microsoft’s mx.microsoft subdomains. This change ensures that emails are routed through Microsoft’s secure email infrastructure and makes the MX record available via IPv6.
Use the following PowerShell command in Exchange Online to enable DNSSEC for your domain:
Enable-DnssecForVerifiedDomain -DomainName <DomainName>
Replace <DomainName> with your domain name.
- Make sure to update your MX record to the new value in your DNS settings.
- Verify that the TLSA record has been created, using the Microsoft Remote Connectivity Analyzer.
- Enable SMTP DANE using the following command:
Enable-SmtpDaneInbound -DomainName <DomainName>
Replace <DomainName> with your domain name.
- Test Configurations: Use online validators such as internet.nl or the Microsoft Remote Connectivity Analyzer to confirm that DNSSEC and TLSA records are correctly configured and functional.
- Monitor Mail Flow: Continuously monitor the flow of inbound emails to ensure proper delivery and identify any configuration issues.
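The steps above as one scripted session, added here as an example rather than taken from the original post or from Microsoft. It uses the two cmdlets named above plus `Connect-ExchangeOnline` from the ExchangeOnlineManagement module and `Resolve-DnsName` from the Windows DnsClient module; `Get-SmtpDaneInboundStatus` and the `DnssecMxValue` output property are assumptions, so compare them with the `Format-List` output in your tenant. DNSSEC must already be enabled at your DNS hosting provider, and the MX change itself is still made there by hand.

```powershell
# Added example (not the post's own code): inbound SMTP DANE rollout with the DNS checks between steps.
# Assumes the ExchangeOnlineManagement module, Exchange Online admin rights, and Windows DnsClient.
# Get-SmtpDaneInboundStatus and the DnssecMxValue property are assumptions; verify against your output.
param(
    [Parameter(Mandatory)] [string] $DomainName   # placeholder: your verified domain, e.g. contoso.com
)

Connect-ExchangeOnline

# Step 1: have Exchange Online publish DNSSEC-signed records for the domain under mx.microsoft.
$dnssec = Enable-DnssecForVerifiedDomain -DomainName $DomainName
$dnssec | Format-List
$expectedMx = [string] $dnssec.DnssecMxValue
if (-not $expectedMx) { throw 'Could not read the new MX host from the cmdlet output; see the Format-List output above.' }
$expectedMx = $expectedMx.TrimEnd('.')

# Step 2: the MX change is made at the DNS hosting provider, not in Exchange Online; pause for it.
Write-Host "Update the MX record of $DomainName to '$expectedMx' at your DNS hosting provider."
$null = Read-Host 'Press Enter once the MX record has been changed'

# Step 3: do not enable DANE until the public MX really points at the mx.microsoft host.
$mxHosts = @(Resolve-DnsName -Name $DomainName -Type MX -DnsOnly |
             Where-Object { $_.Type -eq 'MX' } |
             ForEach-Object { $_.NameExchange.TrimEnd('.') })
if ($mxHosts -notcontains $expectedMx) {
    throw "MX of $DomainName resolves to '$($mxHosts -join ', ')', expected '$expectedMx'. Wait for propagation and re-run."
}

# The new MX host should also be reachable over IPv6; list its AAAA records so that can be confirmed.
Resolve-DnsName -Name $expectedMx -Type AAAA -DnsOnly | Where-Object { $_.Type -eq 'AAAA' } | Format-Table

# Step 4: TLSA is not among Resolve-DnsName's query types, so the TLSA check stays manual:
# confirm it in the Microsoft Remote Connectivity Analyzer as described above, then continue.
$null = Read-Host 'Press Enter once the TLSA record shows up in the Remote Connectivity Analyzer'

# Step 5: enable inbound SMTP DANE and read the status back.
Enable-SmtpDaneInbound -DomainName $DomainName
Get-SmtpDaneInboundStatus -DomainName $DomainName | Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

The ordering matters: enabling SMTP DANE before the MX record actually resolves to the mx.microsoft host would advertise TLSA data for a host senders are not yet delivering to, which is why the script refuses to continue until the public MX lookup returns the expected value.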
Outbound SMTP DANE with DNSSEC is built into Exchange Online: it is ON by default for all Exchange Online customers and is used whenever the destination domain advertises support for DANE.
Test results after Configuration
After implementation we now have a 100% score.
Summary
Enhance your Microsoft 365 email security by integrating IPv6, DNSSEC, STARTTLS, DANE (inbound and outbound), and RPKI with existing SPF, DKIM, and DMARC configurations. These advanced protocols provide robust protection against spoofing, phishing, and data interception. By ensuring the integrity, authenticity, and confidentiality of your email communications, you create a secure environment for your organization. Additionally, these measures increase email deliverability by building trust with receiving email systems.