Inbound SMTP DANE with DNSSEC in Exchange Online

Intro

This guide explains how to enable Inbound SMTP DANE with DNSSEC in your customer's tenant.
The domains to be configured for this must be domains present in the customer's tenant.

Verify DNSSEC

  1. Visit https://dnssec-debugger.verisignlabs.com/ 
  2. Fill in the domain name you want to verify (customer domain)
  3. Verify that all fields have a green checkmark
  4. If DNSSEC is not enabled on the domain, open the DNS management system of the DNS hoster and enable DNSSEC on the domain (follow the DNS hoster's guide for enabling DNSSEC)

Update existing MX record TTL in DNS management system

  1. Sign in to the customer's DNS hoster's management system
  2. Edit the existing MX record: lower the TTL of the existing MX record to 1 minute
    Ensure that the MX record priority is set to 20 or 30
  3. Wait until the old TTL has expired

Enable DNSSEC for domain in Exchange Online

  1. Run PowerShell as administrator
  2. Run command:
    Connect-ExchangeOnline
  3. Run command:
    Enable-DnssecForVerifiedDomain -DomainName "customerdomain.dk"
  4. Note the output values; you will use them in a later step.

Add new MX record to domain

  1. Sign in to the customer's DNS hoster's management system
  2. Create a new MX record
  3. Copy the DnssecMxValue from the output of the previous step and paste it in as the value
  4. Set the TTL to 1 hour. Set the priority of the new MX record to 10
  5. Create the record.

Verify new MX record

  1. Visit https://testconnectivity.microsoft.com/tests/O365InboundSmtp/input 
  2. Perform test.
  3. Make sure test is successful.

Remove old MX record

  1. Sign in to the customer's DNS hoster's management system
  2. Remove the old MX record

Verify DNSSEC

  1. Visit https://testconnectivity.microsoft.com/tests/O365DaneValidation/input 
  2. Fill in the customer's domain.
  3. Ensure that the type is DNSSEC Validation.
  4. Perform test.
  5. Ensure that the test is successful for DNSSEC.

Enable Inbound SMTP DANE for domain

  1. Run PowerShell as administrator
  2. Run command:
    Enable-SmtpDaneInbound -DomainName "customerdomain.dk"
  3. Wait 15 minutes to allow the TLSA record to propagate in the Microsoft backend.

Verify DANE Validation (including DNSSEC)

  1. Visit https://testconnectivity.microsoft.com/tests/O365DaneValidation/input 
  2. Fill in the customer's domain.
  3. Ensure that the type is DANE Validation (including DNSSEC).
  4. Perform test.
  5. Ensure that DNSSEC, TLSA and DANE are all green.
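
The whole procedure above, from the DNSSEC check to Enable-SmtpDaneInbound, as an added PowerShell script that is not part of the original guide: it runs the Exchange Online cmdlets, captures DnssecMxValue instead of copying it by hand, and checks public DNS at the points where the guide says to verify, while the DNS-hoster edits stay manual. It assumes the ExchangeOnlineManagement module is installed, the operator is an Exchange administrator, and a public resolver is reachable (8.8.8.8 is an assumption; any validating resolver works).

```powershell
# Added example, not part of the original guide. Automates the PowerShell steps
# and the public-DNS checks; the MX edits are still done at the DNS hoster.
$Domain   = "customerdomain.dk"   # placeholder domain used throughout the guide
$Resolver = "8.8.8.8"             # assumption: any public validating resolver

# Query public DNS directly (bypassing the local cache) so we see what
# Exchange Online and the rest of the Internet see.
function Get-PublicRecords {
    param([string]$Name, [string]$Type)
    Resolve-DnsName -Name $Name -Type $Type -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue
}

# "Verify DNSSEC": a signed zone has a DS record published at its parent.
if (-not (Get-PublicRecords -Name $Domain -Type DS)) {
    throw "No DS record found for $Domain; enable DNSSEC at the DNS hoster first."
}

Connect-ExchangeOnline

# "Enable DNSSEC for domain in Exchange Online": capture the MX target.
$dnssec   = Enable-DnssecForVerifiedDomain -DomainName $Domain
$mxTarget = $dnssec.DnssecMxValue.TrimEnd('.')
Write-Host "Create an MX record with priority 10 and TTL 1 hour pointing to: $mxTarget"
Read-Host  "Press Enter once the new MX record has been created at the DNS hoster"

# "Verify new MX record": poll public DNS until the priority-10 record is visible.
function Test-DnssecMxPublished {
    $mx = Get-PublicRecords -Name $Domain -Type MX
    return [bool]($mx | Where-Object {
        $_.Preference -eq 10 -and $_.NameExchange.TrimEnd('.') -ieq $mxTarget })
}
$deadline = (Get-Date).AddMinutes(30)
while (-not (Test-DnssecMxPublished)) {
    if ((Get-Date) -gt $deadline) { throw "New MX record not visible after 30 minutes." }
    Start-Sleep -Seconds 60
}

# "Remove old MX record": warn if the old record is still cached or published.
Read-Host "Remove the old MX record at the DNS hoster, then press Enter"
if (Get-PublicRecords -Name $Domain -Type MX | Where-Object { $_.Preference -ne 10 }) {
    Write-Warning "Old MX record still visible; wait for its TTL to expire before enabling DANE."
}

# "Enable Inbound SMTP DANE for domain"
Enable-SmtpDaneInbound -DomainName $Domain
Write-Host "DANE enabled; wait 15 minutes, then run the O365DaneValidation test from the guide."
```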
