How to Set Up Inbound SMTP DANE and DNSSEC for Microsoft 365

Learn how to configure inbound SMTP DANE and DNSSEC for Microsoft 365 to improve the security of your email traffic.

A step-by-step guide to securing your inbound email with DNSSEC and DANE in Exchange Online.

Introduction

Microsoft enabled outbound SMTP DANE with DNSSEC automatically for Exchange Online in March 2022. However, inbound SMTP DANE requires manual configuration. Since 2024, Microsoft has made this feature available to all Microsoft 365 tenants at no additional cost.

This guide walks you through the complete process of enabling inbound SMTP DANE with DNSSEC for your Microsoft 365 domain, from verifying your DNSSEC status to validating the final TLSA records.


What Are SMTP DANE and DNSSEC?

DNSSEC (Domain Name System Security Extensions)

DNSSEC adds a layer of authentication to DNS responses. It cryptographically signs DNS records, protecting them from manipulation through man-in-the-middle attacks. When enabled, receiving mail servers can verify that DNS responses haven't been tampered with.

SMTP DANE (DNS-based Authentication of Named Entities)

SMTP DANE leverages DNSSEC to authenticate TLS certificates used by mail servers. It publishes TLSA records in DNS that specify which certificates a mail server should present. This prevents:

  • TLS downgrade attacks — where an attacker forces email to be sent unencrypted
  • Certificate spoofing — where a fake certificate is presented to intercept mail
  • DNS spoofing — where MX records are manipulated to redirect mail
How They Work Together

DNSSEC ensures the DNS data (including MX and TLSA records) is authentic. DANE uses that trustworthy DNS data to verify the mail server's TLS certificate. Together, they create an end-to-end chain of trust for email delivery.

Prerequisites

  • A verified domain in Microsoft 365 / Exchange Online
  • A DNS registrar/provider that supports DNSSEC
  • Access to your domain's DNS management panel
  • PowerShell with administrator privileges
  • The Exchange Online PowerShell module (ExchangeOnlineManagement)
  • A Global Administrator or Exchange Administrator role in Microsoft 365

Step-by-Step Configuration

Step 1: Verify DNSSEC Is Enabled for Your Domain

Before you begin, confirm that DNSSEC is active on your domain. Use the Verisign DNSSEC Debugger:

https://dnssec-debugger.verisignlabs.com/

Enter your domain name and verify that all validation fields show green checkmarks.

DNSSEC Not Enabled? If your domain shows as unsigned, you must enable DNSSEC at your domain registrar first. This typically involves generating DS records at your DNS provider and adding them to the registrar. The exact process varies per registrar. Allow time for propagation before continuing.

Step 2: Lower the TTL of Your Current MX Record

In your DNS management panel, locate your existing MX record and reduce the TTL to 1 minute (60 seconds). This ensures the upcoming DNS changes propagate quickly and minimizes potential mail delivery disruption.

Type  Name  Value                                      Priority  TTL
MX    @     yourdomain-nl.mail.protection.outlook.com  0 or 10   1 min

Important: Wait for the old TTL to fully expire before proceeding to the next steps. If your previous TTL was 3600 (1 hour), wait at least 1 hour before continuing.

Step 3: Install and Connect to Exchange Online PowerShell

Open PowerShell as an administrator and run the following commands:

Install-Module ExchangeOnlineManagement

Then connect to Exchange Online:

Connect-ExchangeOnline

Sign in with your Microsoft 365 administrator credentials when prompted.

Step 4: Enable DNSSEC for Your Domain

Run the following command, replacing yourdomain.com with your actual domain:

Enable-DnssecForVerifiedDomain -DomainName "yourdomain.com"

This command will output a DnssecMxValue — a new MX hostname that supports DNSSEC. Copy this value; you will need it in the next step.

Note: The generated DnssecMxValue will look similar to:

yourdomain-com.o-v1.mx.microsoft

Save this value; you'll use it as the new MX record value.

Step 5: Create a New MX Record with the DNSSEC Value

Go back to your DNS management panel and add a new MX record using the DnssecMxValue from the previous step:

Type  Name  Value                  Priority  TTL
MX    @     (your DnssecMxValue)   20        1 min

Why Priority 20? Setting a higher priority number (lower priority) ensures the old MX record still handles mail while you verify the new record works correctly. This gives you a safe fallback.

Step 6: Validate the New MX Record

Use Microsoft's Remote Connectivity Analyzer to verify the new MX record is working:

https://testconnectivity.microsoft.com/tests/O365InboundSmtp/input

Enter your domain name and run the Inbound SMTP Email test. Ensure all checks pass before continuing.

Step 7: Remove the Old MX Record

Once you've confirmed the new MX record is functioning, delete the old MX record (the one pointing to *.mail.protection.outlook.com) from your DNS management panel.

Caution: Only remove the old MX record after you have successfully validated the new one in Step 6. Removing it prematurely could disrupt mail delivery.

Step 8: Update the New MX Record Priority

Change the priority of the new MX record from 20 to 0 (highest priority):

Type  Name  Value                  Priority  TTL
MX    @     (your DnssecMxValue)   0         1 min

Step 9: Validate DNSSEC

Use Microsoft's DNSSEC and DANE Validation tool to confirm DNSSEC is correctly configured:

https://testconnectivity.microsoft.com/tests/O365DaneValidation/input

Enter your domain name and verify that DNSSEC validation passes.

Step 10: Enable Inbound SMTP DANE

Back in PowerShell, run the following command to enable inbound DANE:

Enable-SmtpDaneInbound -DomainName "yourdomain.com"

This command instructs Microsoft 365 to publish TLSA records for your domain, which mail servers use to verify the TLS certificate.

Allow Propagation Time: Wait 15–30 minutes for the TLSA records to fully propagate before proceeding to the final validation step.
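To make concrete what the published TLSA records mean and how a DANE-aware sending server uses them, here is an added example (not code from the original guide or from Microsoft) that builds a TLSA record from a certificate's public key and checks a certificate against such a record. The key and certificate bytes are constructed placeholders, and the MX hostname is the sample DnssecMxValue from Step 4.

```python
import hashlib

# Constructed sample data (not a real key or certificate): a fake DER
# SubjectPublicKeyInfo blob and a fake certificate blob that embeds it.
SAMPLE_SPKI_DER = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200" + "04" + "ab" * 64)
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + SAMPLE_SPKI_DER + b"\x00" * 32


def tlsa_owner_name(mx_host: str, port: int = 25) -> str:
    """Owner name a sending server queries for the TLSA record (RFC 7672):
    _<port>._tcp.<MX hostname>, e.g. _25._tcp.yourdomain-com.o-v1.mx.microsoft."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."


def make_tlsa_rdata(cert_der: bytes, spki_der: bytes,
                    usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Build TLSA presentation format '<usage> <selector> <mtype> <hex>'.
    Defaults are the RFC 7672 recommendation: DANE-EE, SPKI, SHA-256."""
    data = _selected(cert_der, spki_der, selector)
    return f"{usage} {selector} {mtype} {_assoc(data, mtype).hex()}"


def parse_tlsa(rdata: str):
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))


def tlsa_matches(rdata: str, cert_der: bytes, spki_der: bytes) -> bool:
    """Check the end-entity certificate a server presented against one TLSA
    record, as a DANE-aware SMTP client does for usage 3 (DANE-EE)."""
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage in (0, 1):
        return False  # PKIX-TA/PKIX-EE are not usable for SMTP (RFC 7672)
    if usage == 2:
        raise NotImplementedError("DANE-TA needs the issuer chain; not covered here")
    return _assoc(_selected(cert_der, spki_der, selector), mtype) == assoc


def _selected(cert_der: bytes, spki_der: bytes, selector: int) -> bytes:
    return {0: cert_der, 1: spki_der}[selector]  # 0 = full cert, 1 = SPKI only


def _assoc(data: bytes, mtype: int) -> bytes:
    if mtype == 0:
        return data  # exact match on the selected data
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).digest()
```

A sending server only trusts the TLSA answer when the DNSSEC chain validates, which is why Step 1 and Step 9 must pass before the DANE check in Step 11 can succeed.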

Step 11: Validate DANE Configuration

After waiting for propagation, return to the DANE Validation tool:

https://testconnectivity.microsoft.com/tests/O365DaneValidation/input

Run the test again. This time, both DNSSEC and DANE should show as validated.

Done! Your domain is now protected with inbound SMTP DANE and DNSSEC. Sending mail servers that support DANE will now cryptographically verify they are delivering to your authentic mail server over a properly encrypted connection.

Validation & Testing

After completing all steps, you can use the following tools to verify your configuration:

Tool                         Purpose                            Link
Verisign DNSSEC Debugger     Verify DNSSEC chain of trust       https://dnssec-debugger.verisignlabs.com/
Microsoft Inbound SMTP Test  Validate MX record and mail flow   https://testconnectivity.microsoft.com/tests/O365InboundSmtp/input
Microsoft DANE Validation    Confirm DNSSEC + DANE status       https://testconnectivity.microsoft.com/tests/O365DaneValidation/input
internet.nl Mail Test        Comprehensive email security test  https://internet.nl/

Benefits

  • Prevents TLS downgrade attacks - mail must be encrypted; attackers cannot force plaintext delivery
  • Prevents DNS spoofing of MX records - DNSSEC ensures the authenticity of your mail routing records
  • Prevents certificate spoofing - DANE verifies the exact certificate the mail server must present
  • No additional cost - included in your existing Microsoft 365 subscription
  • Improves compliance scores - helps achieve full marks on internet.nl and similar email security audits
  • Industry standard - aligns with modern email security best practices (RFC 7672)

Troubleshooting

DANE validation fails after Step 11

TLSA records may take longer than 30 minutes to propagate in some cases. Wait up to 1 hour and re-test. If the issue persists, verify your MX record exactly matches the DnssecMxValue from Step 4.

Inbound SMTP test fails at Step 6

Double-check the new MX record value for typos. Ensure the record has propagated by querying it with nslookup or dig:

nslookup -type=MX yourdomain.com

DNSSEC Debugger shows failures

Ensure the DS records at your registrar match the DNSKEY records at your DNS provider. If you recently enabled DNSSEC, allow up to 48 hours for full propagation across all resolvers.

PowerShell commands fail

Ensure you're running the latest version of the ExchangeOnlineManagement module:

Update-Module ExchangeOnlineManagement

Also confirm your account has the required administrator role (Global Admin or Exchange Admin).

Reverting changes

If you need to roll back, you can disable DANE and revert to the original MX record:

Disable-SmtpDaneInbound -DomainName "yourdomain.com"
Disable-DnssecForVerifiedDomain -DomainName "yourdomain.com"

Then replace your MX record with the original *.mail.protection.outlook.com value and restore the TTL to your preferred setting.


Adding DKIM Records

Assume your domain name is blablabla.com.

Create two CNAME records, selector1._domainkey and selector2._domainkey, with the values shown by this PowerShell command:

Get-DkimSigningConfig -Identity blablabla.com | Format-List Name,Enabled,Status,Selector1CNAME,Selector2CNAME

For example:

Hostname: selector1._domainkey
Points to address or value: selector1-blablabla-com._domainkey.blablabla.onmicrosoft.com

Hostname: selector2._domainkey
Points to address or value: selector2-blablabla-com._domainkey.blablabla.onmicrosoft.com

(Assuming your Microsoft tenant domain is blablabla.onmicrosoft.com.)

Quick Reference — All PowerShell Commands

# Install Exchange Online module (one-time)
Install-Module ExchangeOnlineManagement

# Connect to Exchange Online
Connect-ExchangeOnline

# Enable DNSSEC (note the DnssecMxValue output)
Enable-DnssecForVerifiedDomain -DomainName "yourdomain.com"

# Enable Inbound SMTP DANE
Enable-SmtpDaneInbound -DomainName "yourdomain.com"

# --- Rollback commands (if needed) ---
Disable-SmtpDaneInbound -DomainName "yourdomain.com"
Disable-DnssecForVerifiedDomain -DomainName "yourdomain.com"