Exchange Online DNS Security: DNSSEC Wizard, DANE & MTA-STS Connector Controls
Microsoft is rolling out a trio of DNS security enhancements for Exchange Online that promise to harden email infrastructure against spoofing, tampering, and downgrade attacks. The updates include a new DNSSEC wizard, expanded DANE (DNS-based Authentication of Named Entities) support for inbound SMTP, and connector-level controls for MTA-STS (Mail Transfer Agent Strict Transport Security). These features are currently in public preview and are expected to reach general availability later this year.
Why DNS Security Matters for Email
Email has long been a prime attack vector, and the SMTP delivery path depends on DNS at every hop: a sender finds your mail servers by MX lookup, so a forged or poisoned MX answer redirects mail without touching your servers at all. DNSSEC lets a validating resolver verify that DNS answers were signed by the zone owner, so a spoofed or poisoned response is rejected as bogus instead of trusted (it provides integrity, not confidentiality). DANE builds on DNSSEC: a TLSA record pins the certificate or public key of each MX host, so a sending server that finds TLSA records must use TLS and must see the pinned certificate, which defeats STARTTLS stripping and certificates issued by any CA an attacker controls. MTA-STS reaches a similar goal without DNSSEC: the receiving domain publishes a policy over HTTPS that names its MX hosts and requires TLS with a valid public-CA certificate, and senders that honor the policy refuse to deliver to anything else. Together they close the downgrade and redirection gaps that opportunistic STARTTLS leaves open.
Microsoft's latest updates bring these capabilities directly into the Exchange admin center, making them more accessible to IT administrators. The DNSSEC wizard simplifies the process of signing domains, while DANE support for inbound connectors and MTA-STS controls give admins granular control over security policies.
The DNSSEC Wizard: Simplifying Domain Signing
One of the biggest barriers to DNSSEC adoption has been complexity. Administrators must generate keys, sign zones, re-sign them before signatures expire, and manage key rollovers. Microsoft's DNSSEC wizard aims to reduce that friction. The wizard walks admins through enabling DNSSEC for custom domains used with Exchange Online. It handles key generation and signing automatically, then prompts the admin to publish the resulting DS record at the domain registrar, which is what links the signed zone into the parent zone's chain of trust.
This is a significant improvement over manual DNSSEC configuration, which often requires scripting and deep DNS expertise. By integrating the wizard into the Exchange admin center, Microsoft lowers the barrier for organizations that want to protect their email domains from DNS spoofing.
However, the wizard does not remove every manual step. The registrar (or whoever controls the parent delegation) must accept DS records, and some registrars charge extra for DNSSEC. The DS record is also where the real risk sits: it is the parent's pointer to your key-signing key, so a mistyped digest, a stale DS left in place after a key rollover, or a DS published before the zone is actually signed makes validating resolvers treat the whole domain as bogus and return SERVFAIL. That takes down mail and web for every client behind a validating resolver, which is worse than having no DNSSEC at all. Before pasting, recompute the DS from the DNSKEY the wizard produced and compare key tag and digest; after publishing, query the domain's DS and DNSKEY through a validating resolver (for example `dig +dnssec`) and confirm the AD flag is set.
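As an added example (not Microsoft's code, and not something the wizard itself runs), here is the check a practitioner would do before touching the registrar: recompute the DS record from the DNSKEY the wizard shows and compare key tag and digest. Only the Python standard library is used. The DNSKEY below is constructed with a 4-byte dummy public key so that the key tag (2068) can be checked by hand; a real ECDSA P-256 key is 64 bytes, and the owner name `example.com` is a placeholder.

```python
"""Recompute a DS record from a DNSKEY (RFC 4034) before publishing it.

Added example, not Microsoft's code. The DNSKEY used in the demo is
constructed: flags 257 (KSK), protocol 3, algorithm 13, and a dummy
4-byte key, so the key tag can be verified by hand.
"""
import base64
import hashlib

# DS digest types: 1 SHA-1 (legacy), 2 SHA-256 (default), 4 SHA-384.
DS_DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    name = name.lower().rstrip(".")
    out = b""
    for label in (name.split(".") if name else []):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """DS presentation record for a DNSKEY given as 'flags proto alg base64'."""
    flags, proto, alg, *key_parts = dnskey_text.split()
    if not int(flags) & 0x0100:  # Zone Key flag (RFC 4034 bit 7) must be set
        raise ValueError("DNSKEY is not a zone key")
    rdata = dnskey_rdata(int(flags), int(proto), int(alg), "".join(key_parts))
    # Digest covers the canonical owner name followed by the full RDATA.
    digest = DS_DIGEST_ALGS[digest_type](owner_name_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {alg} {digest_type} {digest}"


def ds_matches(owner: str, dnskey_text: str, ds_text: str) -> bool:
    """True if the DS record you are about to publish matches the DNSKEY."""
    parts = ds_text.split()
    tag, alg, dtype = int(parts[0]), int(parts[1]), int(parts[2])
    digest = "".join(parts[3:]).upper()  # digest may be split across whitespace
    expected = ds_from_dnskey(owner, dnskey_text, dtype).split()
    return (int(expected[0]), int(expected[1]), expected[3]) == (tag, alg, digest)


if __name__ == "__main__":
    # Constructed DNSKEY (dummy 4-byte key, base64 of 01 02 03 04); key tag is 2068.
    dnskey = "257 3 13 AQIDBA=="
    ds = ds_from_dnskey("example.com", dnskey)
    print("DS to publish:", ds)
    print("matches DNSKEY:", ds_matches("example.com", dnskey, ds))
```

If the registrar shows a different key tag or digest than this recomputation, do not publish it. The owner name is lowercased before hashing because DS digests are computed over the canonical form, so `Example.COM.` and `example.com` yield the same record.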
DANE for Inbound SMTP: Strengthening Certificate Validation
DANE (DNS-based Authentication of Named Entities; RFC 7672 for SMTP) lets the operator of a mail server publish TLSA records at `_25._tcp.<mx-host>` that pin the server's certificate or public key. A sending server that finds a DNSSEC-validated TLSA RRset must negotiate TLS and must see a certificate matching one of the records; it will not fall back to cleartext or accept an unrelated certificate, and because the MX lookup is also signed, an attacker cannot redirect it to a different host. Without DNSSEC the TLSA records are ignored, so the two features are inseparable.
Exchange Online already supported DANE for outbound connections, where it is the sending server and validates other domains' TLSA records. The new preview covers the inbound direction, where Exchange Online is the receiving server: the tenant's MX lookup becomes DNSSEC-signed and Exchange Online publishes TLSA records for its own MX hosts, so any DANE-aware sender can verify it is delivering to the genuine Exchange Online endpoint over TLS. Note the direction: in SMTP DANE the sender verifies the receiver. Inbound DANE does not make Exchange Online validate the certificates of servers sending to it; what it protects against is MX redirection and STARTTLS stripping aimed at mail coming in to your domain.
Inbound DANE is enabled per accepted domain; the Exchange Online inbound connector settings now include the option to turn it on. For a domain whose MX points at Exchange Online, the TLSA records must match the certificate on Exchange Online's MX hosts, so Microsoft publishes and maintains them; the admin's part is getting the domain signed and its MX lookup validating. Admins publish their own TLSA records only for MX hosts they operate themselves, such as an on-premises server or a third-party gateway that receives mail before Exchange Online, and those records must track that host's certificate through every renewal.
This is a strong control, but it has to be rolled out carefully because DANE-aware senders do not fall back: if the TLSA records, the MX record, or the DNSSEC chain above them are wrong, those senders defer or refuse delivery until it is fixed, while senders without DANE support carry on unaffected and unprotected. Before relying on it, confirm that the MX and TLSA lookups validate (the AD flag is set when queried through a validating resolver) and that the published hashes match the certificate the MX host actually presents, and re-check whenever that certificate is renewed.
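The sender-side logic that inbound DANE relies on, as an added example (not Exchange Online's implementation): it takes the resolver's DNSSEC verdict on the TLSA lookup, the TLSA RRset, and the certificate chain the MX presented, and returns what RFC 7672 tells a sender to do. Certificates are stand-in byte strings constructed inline so the block runs offline; a real client would take the DER certificate and SubjectPublicKeyInfo from the TLS handshake. `tlsa_for` is also how you would generate the record to publish for an MX host you operate yourself.

```python
"""SMTP DANE decision logic as a sending MTA applies it (RFC 7672 / RFC 7671).

Added example, not Exchange Online code. Certificates are stand-ins
(constructed DER and SPKI byte strings); only the association-data
hashing and the RFC decision rules are real.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    der: bytes   # full certificate, DER encoded (selector 0)
    spki: bytes  # SubjectPublicKeyInfo, DER encoded (selector 1)


@dataclass(frozen=True)
class Tlsa:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(text: str) -> Tlsa:
    """Parse presentation format, e.g. '3 1 1 2bb1...' (hex may be split by spaces)."""
    u, s, m, *hexparts = text.split()
    return Tlsa(int(u), int(s), int(m), bytes.fromhex("".join(hexparts)))


def usable_for_smtp(r: Tlsa) -> bool:
    """RFC 7672 3.1.3: only DANE-TA(2) and DANE-EE(3) are usable for SMTP; an
    unknown selector or matching type makes the record unusable, not a failure."""
    return r.usage in (2, 3) and r.selector in (0, 1) and r.mtype in (0, 1, 2)


def association_data(r: Tlsa, cert: Cert) -> bytes:
    """Bytes a TLSA record of this selector/matching type is compared against."""
    raw = cert.der if r.selector == 0 else cert.spki
    if r.mtype == 0:
        return raw
    return (hashlib.sha256 if r.mtype == 1 else hashlib.sha512)(raw).digest()


def tlsa_for(cert: Cert, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation record to publish for a host you operate (default: DANE-EE, SPKI, SHA-256)."""
    return f"{usage} {selector} {mtype} {association_data(Tlsa(usage, selector, mtype, b''), cert).hex()}"


def record_matches(r: Tlsa, chain: list[Cert]) -> bool:
    """DANE-EE is compared against the leaf only (RFC 7671 5.1 waives name and
    expiry checks for it); DANE-TA must match an issuer certificate in the chain."""
    candidates = chain[:1] if r.usage == 3 else chain[1:]
    return any(association_data(r, c) == r.data for c in candidates)


def dane_decision(dnssec_state: str, tlsa_texts: list[str], chain: list[Cert]) -> str:
    """dnssec_state is the validating resolver's verdict on the TLSA lookup:
    'secure', 'insecure' (unsigned zone) or 'bogus' (validation failed)."""
    if dnssec_state == "bogus":
        return "defer"                      # cannot tell forged from real: do not deliver now
    if dnssec_state != "secure" or not tlsa_texts:
        return "opportunistic-tls"          # no DANE: STARTTLS if offered, cleartext otherwise
    usable = [r for r in map(parse_tlsa, tlsa_texts) if usable_for_smtp(r)]
    if not usable:
        return "tls-required-unauthenticated"  # TLS mandatory, certificate not authenticated
    if any(record_matches(r, chain) for r in usable):
        return "deliver-authenticated"
    return "reject"                         # TLSA present, nothing matched: no fallback


if __name__ == "__main__":
    # Constructed stand-in certificates; real ones come from the TLS handshake.
    leaf = Cert(der=b"constructed-leaf-der", spki=b"constructed-leaf-spki")
    issuer = Cert(der=b"constructed-issuer-der", spki=b"constructed-issuer-spki")
    print("publish:", tlsa_for(leaf))
    print("secure, matching:", dane_decision("secure", [tlsa_for(leaf)], [leaf, issuer]))
    print("secure, after cert rotation:", dane_decision("secure", [tlsa_for(leaf)], [issuer, issuer]))
```

The last line of the demo is the failure mode worth remembering: once TLSA records exist and validate, a certificate that no longer matches them yields `reject`, never a fallback, which is why records must be updated ahead of every renewal (publishing the new and old hashes side by side during the overlap).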
MTA-STS Connector Controls: Enforcing TLS for Email Transmission
MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) lets a receiving domain declare that its MX hosts only accept TLS with a certificate that is valid under the public web PKI. The domain publishes a TXT record at `_mta-sts.<domain>` (`v=STSv1; id=...`) to signal that a policy exists and hosts the policy itself at `https://mta-sts.<domain>/.well-known/mta-sts.txt`; the policy lists the permitted MX hostnames, a mode, and a `max_age` for which senders cache it. Enforcement happens on the sending side: a sender that honors MTA-STS refuses to deliver to an MX that is not in the list or that fails TLS validation. Because discovery runs over HTTPS rather than DNSSEC, MTA-STS works for domains that cannot sign their zones. Microsoft's new controls expose these policy settings for connectors in Exchange Online.
Previously, MTA-STS was only available for the default inbound connector. The new controls allow admins to configure it for specific connectors. One caveat to hold onto: an MTA-STS policy is published per domain and identifies MX hosts by name, so the unit of enforcement is the domain and its MX list, not an IP range. Per-connector scoping matters mainly in hybrid deployments, where the MX list must name every host that accepts mail for the domain, on-premises servers included, or compliant senders will refuse to deliver to the hosts that are missing.
The policy's `mode` field takes three values: "none" (a policy exists but senders ignore it), "testing" (senders deliver even when the MX or TLS checks fail), and "enforce" (senders refuse to deliver on failure and retry later instead). Note that the mode steers sending servers that honor your policy; it does not make Exchange Online reject non-TLS connections from senders that ignore it. Testing mode is the right place to start, but it is only informative together with TLS-RPT (RFC 8460): publish `_smtp._tls.<domain>` TXT `v=TLSRPTv1; rua=mailto:...` and reporting senders will mail you daily aggregate reports of which connections failed and why. Nothing is logged on the receiving side by a sender that simply delivers anyway, so those reports are how you find the hosts missing from the MX list and the certificates that do not validate before switching to enforce.
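MTA-STS discovery and the mode semantics described above, as an added example of what a sending MTA does with a receiving domain's policy (not Exchange Online code). The TXT record and policy file are constructed inline with placeholder hostnames under `example.com`, so the block runs offline; in production the TXT record comes from DNS and the policy file from the HTTPS policy host, and `tls_ok` would be the outcome of the STARTTLS handshake with web-PKI certificate validation against the MX hostname.

```python
"""MTA-STS policy discovery and sender-side enforcement (RFC 8461).

Added example, not Exchange Online code. The '_mta-sts' TXT record and the
policy file are constructed inline; a sending MTA would fetch the first
from DNS and the second from https://mta-sts.<domain>/.well-known/mta-sts.txt.
"""


def parse_sts_txt(txt: str) -> dict:
    """Parse the _mta-sts.<domain> TXT record, e.g. 'v=STSv1; id=20250101T000000'.
    A changed id tells the sender its cached policy is stale and must be refetched."""
    txt = txt.strip().strip('"').strip().rstrip(";")
    fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid STSv1 record")
    return fields


def parse_policy(body: str) -> dict:
    """Parse the policy file; 'mx' may repeat, every other key appears once."""
    policy = {"mx": []}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("none", "testing", "enforce"):
        raise ValueError(f"bad mode {policy.get('mode')!r}")
    policy["max_age"] = int(policy.get("max_age", "0"))
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy needs at least one mx line")
    return policy


def mx_allowed(host: str, patterns: list[str]) -> bool:
    """RFC 8461 4.1 matching: '*.example.com' matches exactly one leading label."""
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower().rstrip(".")
        if p.startswith("*."):
            suffix = p[1:]  # ".example.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
        elif host == p:
            return True
    return False


def delivery_decision(policy: dict, mx_host: str, tls_ok: bool) -> str:
    """What a compliant sender does for one MX candidate. tls_ok means STARTTLS
    succeeded with a web-PKI-valid certificate whose name matches mx_host."""
    if mx_allowed(mx_host, policy["mx"]) and tls_ok:
        return "deliver"
    if policy["mode"] == "enforce":
        return "defer"  # RFC 8461 5: do not deliver; retry after re-checking the policy
    if policy["mode"] == "testing":
        return "deliver-and-report"  # delivered anyway; failure goes into the TLS-RPT report
    return "deliver"  # mode none: policy is a no-op


if __name__ == "__main__":
    # Constructed records for a placeholder domain.
    txt = parse_sts_txt('"v=STSv1; id=20250101T000000"')
    pol = parse_policy(
        "version: STSv1\nmode: enforce\nmx: mail.example.com\n"
        "mx: *.backup.example.com\nmax_age: 604800\n"
    )
    print("policy id:", txt["id"], "mode:", pol["mode"], "mx:", pol["mx"])
    print("listed MX, good TLS:   ", delivery_decision(pol, "mail.example.com", True))
    print("listed MX, bad cert:   ", delivery_decision(pol, "mail.example.com", False))
    print("unlisted MX (hijack):  ", delivery_decision(pol, "rogue.example.net", True))
```

The gateway caveat falls out of `mx_allowed`: if mail actually lands on `gw.filter.example.net` but the policy lists only `mail.example.com`, every enforcing sender returns `defer`, so the policy must be updated before the MX record is, and the new policy `id` must change so cached copies expire.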
Deployment Considerations and Community Feedback
Early feedback from IT administrators on Windows forums has been mixed. Some praise the wizard's simplicity, noting that it reduces the time to enable DNSSEC from hours to minutes. Others express concerns about the lack of automation for the registrar step. "The wizard is great, but I still have to log into GoDaddy and paste in the DS record. That's where mistakes happen," one admin commented.
Another common concern is the risk of breaking email delivery when enforcing DANE or MTA-STS. "We enabled MTA-STS enforcement for our domain and immediately started seeing rejections from a partner who hadn't updated their TLS certificate," reported a systems engineer. Microsoft recommends starting with testing mode and monitoring logs before moving to enforcement.
There are also questions about compatibility with third-party security gateways that sit in front of Exchange Online as the domain's MX. Both MTA-STS and DANE pin on the MX hostname: the MTA-STS policy's mx lines must name the gateway hosts that actually receive mail and the gateway's certificate must be valid for those names, and any TLSA records must be published for the gateway hostnames rather than for Exchange Online's. A policy that lists Exchange Online while the MX record points at a gateway makes every compliant sender defer. Microsoft's documentation additionally advises adding the gateway IPs to the connector's allowed list so Exchange Online treats the gateway as the expected upstream hop.
Step-by-Step: Enabling the New Security Features
To access the DNSSEC wizard, navigate to Exchange admin center > Mail flow > Domains. Select a custom domain and click "Enable DNSSEC." The wizard will guide you through key generation and provide the DS record to publish.
For inbound DANE, go to Connectors > Inbound connector. Edit or create a connector and check "Require DANE for inbound messages." If Exchange Online is the domain's MX, Microsoft publishes the TLSA records for its own hosts; publish TLSA records yourself only for MX hosts you operate, and confirm the MX and TLSA lookups validate before relying on the setting.
MTA-STS controls are found under Connectors > Inbound connector > Security. Choose a policy mode: None, Testing, or Enforce. These are the `mode` values of the domain's published policy and steer sending servers, not Exchange Online's own acceptance of mail: in testing mode senders still deliver and, if you have published a TLS-RPT record, report failures to you. Read those reports until they are clean, then switch to enforce.
What This Means for Enterprise Security
These updates signal Microsoft's commitment to modern email security standards. For organizations subject to compliance frameworks like GDPR or HIPAA, DNSSEC and MTA-STS help meet requirements for data integrity and encryption. The new controls also reduce reliance on third-party tools for DNS security.
However, adoption will require careful planning. Admins should audit their DNS providers for DNSSEC support, coordinate with business partners, and use testing modes to validate configuration. Microsoft's roadmap suggests broader integration with Defender for Office 365 in future releases.
The Bigger Picture: Email Security in 2025
Email remains the number one attack vector for ransomware and phishing. DNS-based transport security measures like DNSSEC, DANE, and MTA-STS are no longer optional - they are becoming baseline requirements. Google and Yahoo already require bulk senders to authenticate with SPF and DKIM, publish DMARC, and deliver over TLS, and other major providers are following.
Microsoft's latest moves bring Exchange Online in line with these industry trends. The DNSSEC wizard lowers the barrier for small and mid-sized organizations that previously found DNSSEC too complex. DANE and MTA-STS controls give enterprises the granularity they need for hybrid environments.
One area that still needs attention is reporting. Admins want better dashboards to visualize DNSSEC signing status, DANE validation failures, and MTA-STS compliance. Microsoft has indicated that reporting improvements are in the pipeline.
Final Thoughts
The new DNS security features for Exchange Online are a welcome addition for any organization serious about email security. The DNSSEC wizard is a standout feature that could significantly boost adoption of a long-underutilized protocol. The DANE and MTA-STS controls provide the flexibility needed for complex mail flows.
If you're planning to deploy these features, start with a pilot domain. Enable DNSSEC using the wizard and verify the DS record before publishing it, turn on inbound DANE (publishing TLSA records only for MX hosts you run yourself), and publish an MTA-STS policy in testing mode together with a TLS-RPT record. Read the reports for a few weeks, fix the hosts and certificates they flag, then move to enforce. This approach minimizes disruption while strengthening your email security posture.
Microsoft's preview period is an ideal time to test and provide feedback. The final release will likely incorporate adjustments based on community input. For now, the tools are available - it's up to administrators to put them to use.