Microsoft's DANE rollout for Exchange Online
Starting this month through May 2022, Microsoft will incrementally roll out outbound DANE support (*enabled by default*) for all hosted Exchange Online domains:
https://m365admin.handsontek.net/upcoming-release-outbound-smtp-dane-and-dns...
As previously announced in the blog post Support of DANE and DNSSEC in Office 365 Exchange Online, we will be adding support for SMTP DANE and DNSSEC to Exchange Online (EXO). DANE combined with DNSSEC is the state-of-the-art for securing email, and to optimize its effectiveness both standards will be enabled by default at the system level for all EXO customers.
If your cert rollover practices are sloppy, with transient certificate chain validation failures after each key/cert rollover, as stale TLSA records age out from caches or are only updated after problem reports, then this is a good time to either up your game, or stop publishing TLSA records. Having stale TLSA records that delay or break email delivery does neither you nor the people sending you email any good.
Please follow best-practice and pre-publish matching TLSA records for the upcoming certs a few TTLs before certificate deployment. If that's too hard, disable DANE until you can implement a more robust rollover process.
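The pre-publish advice above is easier to follow with tooling that checks it for you. The script below is an added illustration written for this thread, not code from the list or from Microsoft: it computes the "3 1 1" (DANE-EE, SPKI, SHA-256) TLSA RDATA for a SubjectPublicKeyInfo, emits the zone-file line for the MX host, models what a DANE-verifying sender does against a possibly stale cached RRset, and reports which records are still missing before a new certificate may be deployed. The two keys are constructed Ed25519 SPKI blobs, `mail.example.com` is a placeholder, and the "wait a few TTLs" margin is an assumed multiple, not a value from the post.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample keys, not any real server's: an Ed25519
# SubjectPublicKeyInfo is this 12-byte DER prefix followed by the 32 raw
# key bytes. For usage 3 1 1 only the SHA-256 of the DER SPKI matters.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
CURRENT_SPKI = ED25519_SPKI_PREFIX + bytes(range(32))      # cert in service today
NEXT_SPKI = ED25519_SPKI_PREFIX + bytes(range(32, 64))     # cert about to be deployed


def tlsa_311_rdata(spki_der: bytes) -> str:
    """RDATA of a DANE-EE(3) SPKI(1) SHA-256(1) TLSA record."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


def tlsa_rr(host: str, spki_der: bytes, ttl: int, port: int = 25) -> str:
    """Zone-file line publishing the record for the MX host's SMTP port."""
    return f"_{port}._tcp.{host}. {ttl} IN TLSA {tlsa_311_rdata(spki_der)}"


def dane_ee_verifies(cached_rdata: set, presented_spki: bytes) -> bool:
    """What a DANE-aware sender does at connect time: succeed only if some
    TLSA record it has cached matches the SPKI the SMTP server presents."""
    return tlsa_311_rdata(presented_spki) in cached_rdata


def rollover_plan(published_rdata: set, current_spki: bytes, next_spki: bytes) -> list:
    """Names of the certs ('current', 'next') whose TLSA record is not yet
    published. Deploying the next cert is only safe when this is empty."""
    missing = []
    for label, spki in (("current", current_spki), ("next", next_spki)):
        if tlsa_311_rdata(spki) not in published_rdata:
            missing.append(label)
    return missing


def earliest_deploy_time(published_at: datetime, ttl: int, ttl_multiples: int = 3) -> datetime:
    """Caches that fetched the old RRset just before publication keep it for a
    full TTL; waiting an assumed few TTLs lets the new record propagate."""
    return published_at + timedelta(seconds=ttl * ttl_multiples)


if __name__ == "__main__":
    ttl = 3600
    host = "mail.example.com"  # placeholder MX host

    # Sloppy rollover: only the current cert's record is published, and a
    # sender's cache still holds exactly that RRset when the cert is swapped.
    stale_cache = {tlsa_311_rdata(CURRENT_SPKI)}
    print("old cert still verifies:", dane_ee_verifies(stale_cache, CURRENT_SPKI))
    print("new cert verifies against stale cache:", dane_ee_verifies(stale_cache, NEXT_SPKI))
    print("missing before deploy:", rollover_plan(stale_cache, CURRENT_SPKI, NEXT_SPKI))

    # Best practice: pre-publish both records, wait a few TTLs, then deploy.
    print(tlsa_rr(host, CURRENT_SPKI, ttl))
    print(tlsa_rr(host, NEXT_SPKI, ttl))
    both = stale_cache | {tlsa_311_rdata(NEXT_SPKI)}
    print("missing before deploy:", rollover_plan(both, CURRENT_SPKI, NEXT_SPKI))
    published_at = datetime(2022, 1, 7, 3, 4, tzinfo=timezone.utc)
    print("deploy no earlier than:", earliest_deploy_time(published_at, ttl).isoformat())
    print("new cert verifies once both are cached:", dane_ee_verifies(both, NEXT_SPKI))
```

After the new certificate has been in service for a few TTLs, the old "3 1 1" record can be retired; removing it earlier reopens the same window in the other direction.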
See also today's blog post "Exchange Online Introduces DANE and DNSSEC for Outbound Email" on https://practical365.com/exchange-online-dnssec-dane/.
-----Original message----- From: dane-users dane-users-bounces@sys4.de On behalf of Viktor Dukhovni Sent: Friday 7 January 2022 03:04 To: dane-users@sys4.de Subject: Microsoft's DANE rollout for Exchange Online
Starting this month through May 2022, Microsoft will incrementally roll out outbound DANE support (*enabled by default*) for all hosted Exchange Online domains:
https://m365admin.handsontek.net/upcoming-release-outbound-smtp-dane-and-dnssec-in-microsoft-365-exchange-online/
As previously announced in the blog post Support of DANE and DNSSEC in Office 365 Exchange Online, we will be adding support for SMTP DANE and DNSSEC to Exchange Online (EXO). DANE combined with DNSSEC is the state-of-the-art for securing email, and to optimize its effectiveness both standards will be enabled by default at the system level for all EXO customers.
If your cert rollover practices are sloppy, with transient certificate chain validation failures after each key/cert rollover, as stale TLSA records age out from caches or are only updated after problem reports, then this is a good time to either up your game, or stop publishing TLSA records. Having stale TLSA records that delay or break email delivery does neither you nor the people sending you email any good.
Please follow best-practice and pre-publish matching TLSA records for the upcoming certs a few TTLs before certificate deployment. If that's too hard, disable DANE until you can implement a more robust rollover process.
-- Viktor.
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
participants (2)
- Knubben, Bart
- Viktor Dukhovni