Microsoft will add DNS-based Authentication of Named Entities (DANE) and DNSSEC to its email systems by the end of the year, the software giant has pledged.
“Today we are announcing that Exchange Online will be adding support for two new Internet standards specific to SMTP traffic," Microsoft's Exchange Transport Team said in a blog post this week. "These standards are DNSSEC (Domain Name System Security Extensions) and DANE for SMTP (DNS-based Authentication of Named Entities)."
The DANE protocol has been floated for nearly ten years. The German government mandated its use in 2016, for instance. Take-up, however, has been slow in much the same way the related DNSSEC protocol has taken a long time to take hold.
Implementing the protocol requires a significant investment of time and effort, not least because a misconfiguration can cause it to fail. Microsoft noted that adding DANE “will require investment and architecture changes to the Microsoft infrastructure.” It decided this effort is worth it, though, largely because existing protocols aren’t sufficiently secure. The ubiquitous SMTP email protocol “was designed a long time ago, when message delivery was considered more important than security,” the Microsoft team noted.
Salesforce takes the multi-signer DNSSEC ball and runs with itREAD MORE
SMTP is not secure, and while SMTP over TLS offers additional security through encryption, it is still potentially vulnerable: an eavesdropper on the network path can insert a server between you and the SMTP server you wish to reach, with this in-between machine masquerading as the legit service and presenting its own TLS encryption certificate. This man-in-the-middle snooper can inspect the content of messages as they flow from you, through this malicious middle node, to the desired destination. You may think your software is communicating securely with the genuine SMTP server, but it is in fact communicating with the fake.
DANE, however, allows email systems to use TLSA DNS resource records to determine an SMTP server is genuine before sending any message data. These resource records specify what a particular SMTP server's TLS certificate should look like. When connecting to, for example, mail.example.com, the DNS records for that domain name will define aspects of that server's TLS certificate, such as a hash value that acts as a fingerprint of the certificate.
If someone tries to man-in-the-middle your connection by impersonating the SMTP server, the TLS certificate it presents won't match the specifications in the server's domain name's DNS records, and thus the connection should be abandoned.
Here's Microsoft’s explanation: “DANE uses the presence of DNS TLSA resource records to securely signal TLS support to ensure sending servers can successfully authenticate legitimate receiving email servers. This makes the secure connection resistant to downgrade and MITM attacks.”
To the point: it’s secure email, and Microsoft will add it to Office 365 Exchange Online.
Highlighting the difficulty of deploying DANE across a large system, the Windows giant will roll it out in two phases. The first phase, to be completed by the end of 2020, will cover outbound email, and then the IT titan is giving itself another year, to the end of 2021, to cover inbound email.
The announcement was met with something bordering close to joy by DANE advocates. “Welcome to the DANE SMTP community, congratulations and thanks,” said Viktor Dukhovni, who helped develop the protocol and has been pushing for its adoption for years.
“If this comes to pass, we'll all owe Viktor a beer,” commented internet veteran Paul Vixie. “I can't easily describe what this could mean for the future of internet security. Real [life] security, not the theatrical kind. Viktor had been almost like a one-man band on this.”
Although there are quite a few email providers that offer DANE – Comcast perhaps being the largest – the addition of Microsoft to the list could prove to be a tipping point for the industry. As ever with DNS protocols, it is a slow-moving process because there’s little point in adopting a new protocol until everyone else has – a chicken-and-egg situation.
DANE rides on top of DNSSEC and requires domains to be DNSSEC-signed to work. Fortunately more and more domains do include DNSSEC records, though another problem is deciding what to do with emails to and from domains that aren’t signed. And then there are the endless misconfigurations that exist everywhere on the network.
With a giant like Microsoft saying it will adopt DANE, it provides an impetus to others to also take the jump and sign their domains as well as check their configurations. ®