Microsoft adds SMTP MTA Strict Transport Security (MTA-STS) support feature in Exchange Online to improve Office 365 customers' email security. Redmond disclosed MTA-STS's release in September 2020. after mentioning that it was also adding inbound and outbound support for DNSSEC (Domain Name System Security Extensions) and DANE for SMTP (DNS-based verification of Known Entities). The Exchange Online Transport Team has been validating and implementing and is now ready to disclose support for MTA-STS for all outgoing messages via Exchange Online.
Office 365 now has MTA-STS, which means that emails sent by users with Exchange Online will be sent over connections having authentication and encryption. It will protect the mails from threat actors and hacking attempts. The new feature improves Exchange Online email security and resolves various SMTP security problems, it includes out-of-date TLS certificates, poor secure protocols support, and certifications not trusted by third parties or same server domain names. Before MTA-STS, emails sent via unsafe TLS connections were vulnerable to external threats like man-in-the-middle and downgrade attacks.
Exchange Team says "downgrade attacks are possible where the STARTTLS response can be deleted, thus rendering the message in cleartext. Man-in-the-middle (MITM) attacks are also possible, whereby the message can be rerouted to an attacker's server. MTA-STS (RFC8461) helps thwart such attacks by providing a mechanism for setting domain policies." Microsoft offers assistance on adopting MTA-STS, this includes hosting of the policy files on the domain web infrastructure.
DANE for SMTP support
Redmond is currently working on starting DANE for SMTP with DNSSEC support, it provides better security for SMTP connections compared to MTA-STS. Microsoft has secured various domains for email transmission as a domain owner including primary domains such as hotmail.com and outlook.com and live.com. It means that connections from senders supporting MTA-STS are prevented from man-in-the-middle attacks.
Microsoft says "you can use both standards on the same domain at the same time, so customers are free to use both when Exchange Online offers inbound protection using DANE for SMTP by the end of 2022. By supporting both standards, you can account for senders who may support only one method."
