Microsoft announced this week plans to add official support for the DANE and DNSSEC protocols to its cloud-hosted email server offering -- known as Office 365 Exchange Online.
DANE and DNSSEC are two internet protocols for ensuring that communications take place over properly encrypted and authenticated connections.
The protocols involved in securely sending an email across the internet can be described as a layered cake: the more of these email-related protocols a server supports, the more secure and safe email exchange with it is.
At the base of all email traffic stands the ancient SMTP (Simple Mail Transfer Protocol), which defines a way of sending an email between email servers (gateways). Unbeknownst to most users, SMTP itself does not support encryption and sends all emails in plaintext.
To fix this issue, the internet community developed STARTTLS (SMTP Service Extension for Secure SMTP over Transport Layer Security), an add-on to the SMTP protocol that ensures emails are sent encrypted between servers.
But the STARTTLS protocol, also known as "Opportunistic TLS," has two major flaws.
The first is that email traffic doesn't go directly from sender to receiver but passes through other email servers on its way to its destination. An attacker on the email's path can pose as an ancient server that only speaks plain SMTP and trick the sending server into downgrading the connection from STARTTLS to the weaker cleartext SMTP.
The second is that an attacker on an email's path can also trick the sender into thinking it is the email's receiving server. This means that even if the connection is encrypted, the sending server will never know that the email was diverted to the malicious server and never reached its intended destination.
DANE and DNSSEC add protection against these two issues, respectively.
DANE, which stands for DNS-based Authentication of Named Entities, allows server owners to broadcast to all other email servers that they support proper encryption and authentication.
Microsoft says that by supporting DANE, Exchange Online servers won't be tricked into downgrading STARTTLS to the weaker SMTP.
But while DANE adds countermeasures against the issue of downgrade attacks, DNSSEC hardens Exchange Online servers against the second SMTP/STARTTLS woe -- misauthenticating other email gateways.
DNSSEC, which stands for Domain Name System Security Extensions, fixes this by giving email server owners a way to digitally sign DNS records and make sure nobody else can pass as their server.
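The two failure modes above (downgrade to cleartext, and accepting an impostor's certificate) are exactly what a DANE-aware sending server rules out once the receiving domain publishes a DNSSEC-signed TLSA record. The following Python script is an added example, not code from the article or from Microsoft: it parses a TLSA record in both wire and zone-file form, checks a presented certificate's public key against it, and makes the delivery decision a sending MTA would make. Only the DANE-EE (usage 3) case is implemented, the certificate bytes are constructed stand-ins rather than real DER, and the DNSSEC validation result is passed in as a flag rather than obtained from a resolver.

```python
"""Toy DANE-for-SMTP checker (added example; constructed inputs, not real DER).

Assumes the sending MTA has already resolved the receiving domain's MX host and
queried the TLSA set at _25._tcp.<mx-host> through a DNSSEC-validating resolver,
and that the resolver reports whether the answer validated.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

FULL_CERT, SPKI = 0, 1          # TLSA selector: whole certificate or SubjectPublicKeyInfo
EXACT, SHA256, SHA512 = 0, 1, 2  # TLSA matching type
DANE_EE = 3                     # TLSA usage: the record pins the end-entity key itself


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # certificate association data


def parse_tlsa_rdata(rdata: bytes) -> TLSARecord:
    """Wire format: one byte each for usage, selector, matching type, then the data."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return TLSARecord(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))


def parse_tlsa_presentation(text: str) -> TLSARecord:
    """Zone-file form, e.g. '3 1 1 2a3b...'; the hex may be split across spaces."""
    usage, selector, mtype, *hexparts = text.split()
    return TLSARecord(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def tlsa_presentation(rec: TLSARecord) -> str:
    return f"{rec.usage} {rec.selector} {rec.matching_type} {rec.data.hex()}"


def tlsa_for_spki(spki_der: bytes) -> TLSARecord:
    """What a domain owner publishes for its MX host: '3 1 1 <sha256 of SPKI>'."""
    return TLSARecord(DANE_EE, SPKI, SHA256, hashlib.sha256(spki_der).digest())


def association_data(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive from the presented certificate the value the record's data must equal."""
    selected = cert_der if rec.selector == FULL_CERT else spki_der
    if rec.matching_type == EXACT:
        return selected
    if rec.matching_type == SHA256:
        return hashlib.sha256(selected).digest()
    if rec.matching_type == SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {rec.matching_type}")


def tlsa_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    return rec.data == association_data(rec, cert_der, spki_der)


def delivery_decision(tlsa_records: List[TLSARecord], dnssec_validated: bool,
                      peer_offers_starttls: bool, peer_cert_der: Optional[bytes],
                      peer_spki_der: Optional[bytes]) -> str:
    """Decide how to send to the MX host, in the spirit of RFC 7672.

    Records from an unsigned (non-validated) zone are ignored: without DNSSEC an
    attacker could strip or forge them, which is why DANE depends on DNSSEC.
    """
    usable = [r for r in tlsa_records
              if dnssec_validated and r.usage == DANE_EE  # toy: only DANE-EE is implemented
              and r.selector in (FULL_CERT, SPKI)
              and r.matching_type in (EXACT, SHA256, SHA512)]
    if not usable:
        # No DANE policy: opportunistic TLS, so a peer that "only speaks SMTP"
        # silently gets cleartext.  This is the downgrade the article describes.
        return "opportunistic-tls" if peer_offers_starttls else "cleartext"
    if not peer_offers_starttls:
        return "defer: DANE requires TLS but peer offered no STARTTLS"
    if peer_cert_der is not None and peer_spki_der is not None and \
            any(tlsa_matches(r, peer_cert_der, peer_spki_der) for r in usable):
        return "dane-tls"
    return "defer: certificate does not match any TLSA record"


if __name__ == "__main__":
    # Constructed stand-ins for DER-encoded certificate and SubjectPublicKeyInfo.
    cert, spki = b"constructed-cert-der", b"constructed-spki-der"
    rec = tlsa_for_spki(spki)
    print(tlsa_presentation(rec))
    print(delivery_decision([rec], True, True, cert, spki))          # dane-tls
    print(delivery_decision([rec], True, False, None, None))         # defer: ... no STARTTLS
    print(delivery_decision([rec], False, False, None, None))        # cleartext (unsigned zone)
    print(delivery_decision([rec], True, True, cert, b"other-key"))  # defer: ... does not match
```

The unsigned-zone case is the one worth remembering: a TLSA record the resolver could not validate is treated as absent, so publishing DANE records without DNSSEC buys nothing, which is why Microsoft's announcement bundles the two.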
Rollout in two phases
"The support of the above standards, especially DNSSEC, will require investment and architecture changes to the Microsoft infrastructure - an investment we believe is necessary to enhance protection for our customers," Microsoft engineers said in a blog post yesterday.
"As this will require significant work, we will be releasing DANE and DNSSEC for SMTP in two phases," Microsoft said.
"The first phase will include only outbound support (mail sent outbound from Exchange Online) and we aim to enable this by the end of the calendar year 2020. The second phase will add inbound support for Exchange Online and we plan to enable that by the end of 2021."
Microsoft said that besides DANE and DNSSEC, it would also add support for the SMTP TLS-RPT (SMTP TLS Reporting) standard to give Exchange Online server owners a tool to debug any errors that may arise when they enable DANE and DNSSEC on their email servers.