Announcing General Availability of Inbound SMTP DANE with DNSSEC for Exchange Online

Microsoft

Oct 28, 2024

Today, we are excited to announce the General Availability of Inbound SMTP DANE with DNSSEC! This new capability of Exchange Online enhances the security of email communications by supporting two sec...

Updated Jan 28, 2025

Version 2.0

Microsoft

Joined April 19, 2019

View Profile

Exchange Team Blog

You Had Me at EHLO.

En111_

Brass Contributor

Dec 16, 2024

Given the reliance on DNSSEC, what happens if you need to temporarily turn that off for a DNS migration? Does the order become: turn off DANE, wait, turn off DNSSEC, wait, reverse when the migration is done?

IanMcDonald

Microsoft

Jan 13, 2025

En111_ since DANE depends on DNSSEC, the DANE validations stop occurring if the domain isn't DNSSEC enabled. I'm not referring to misconfiguring DNSSEC and generating bogus replies, I'm saying that not having DNSSEC enabled at all will result in the DANE validations not taking place even if DANE is enabled for the domain. Disabling only DNSSEC will allow you to proceed with this migration.

The order for disabling DANE/DNSSEC would be:

Remove DS record for the domain in the domain's top-level/parent domain, wait for TTL to expire (DS record TTLs are usually 24 hours but can be cached longer)
Disable DNSSEC signing, wait for TTLs to expire (at least 24 hours)
Complete migration
Reenable DNSSEC signing and create the new DS in the top-level/parent domain for the domain in question

Blog Post

Announcing General Availability of Inbound SMTP DANE with DNSSEC for Exchange Online

Share