Microsoft has added SMTP MTA Strict Transport Security (MTA-STS) support to Exchange Online to protect the integrity and confidentiality of Office 365 users' email in transit. Microsoft first announced its MTA-STS plans in September 2020, alongside the announcement that it was working on inbound and outbound support for DNSSEC (Domain Name System Security Extensions) and DANE (DNS-based Authentication of Named Entities) for SMTP.
“We have been validating our implementation and are now pleased to announce support for MTA-STS for all outgoing messages from Exchange Online,” said the Exchange Online Transport Team. With MTA-STS in Office 365, outbound mail from Exchange Online to a recipient domain that publishes an MTA-STS policy in enforce mode is delivered only over TLS connections to an MX host listed in that policy, using a certificate that validates for that host; if those conditions cannot be met, the message is not downgraded to an unauthenticated or unencrypted connection. This protects the traffic against interception and tampering on the path between the two mail servers.
The standard improves the security of Exchange Online email by addressing several weaknesses of opportunistic STARTTLS: expired TLS certificates, receiving servers that do not support TLS at all, and certificates that were not issued by a trusted certificate authority or do not match the server's hostname. None of these stop delivery under opportunistic TLS, because the sender simply falls back to cleartext or accepts the unverified certificate. Before MTA-STS, mail sent this way was therefore vulnerable to downgrade attacks (an attacker on the path stripping the STARTTLS offer) and to man-in-the-middle attacks using a forged certificate.
Microsoft offers instructions for implementing MTA-STS for your own domains, which involves publishing a TXT record at _mta-sts.<domain> and hosting the policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt on your domain's web infrastructure, over HTTPS with a valid certificate. Redmond is still working on DANE for SMTP (which depends on DNSSEC); DANE offers stronger SMTP connection security than MTA-STS because the MX's TLSA records are authenticated by DNSSEC rather than relying on the web PKI and a fetch over HTTPS.
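To make the policy mechanics concrete, here is a small MTA-STS (RFC 8461) policy parser and sender-side delivery decision. This is an added illustration, not Microsoft's or Exchange Online's code; the TXT record, policy file and domain names (example.com, its MX hosts, and the attacker host) are constructed sample inputs for a hypothetical domain. It shows the three checks a conforming sender makes (a valid policy, an MX host that matches one of the listed mx patterns, and a TLS session whose certificate validates for that host) and how enforce, testing and none modes change the outcome when a check fails.

```python
"""Minimal MTA-STS (RFC 8461) policy parser and delivery decision.

Added example, not Microsoft's or Exchange Online's code. The inputs below
are constructed samples for a hypothetical domain, example.com.
"""

# Constructed sample: what a sender would read from the _mta-sts.example.com TXT record.
SAMPLE_TXT_RECORD = "v=STSv1; id=20220101T000000Z"

# Constructed sample: what https://mta-sts.example.com/.well-known/mta-sts.txt would serve.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""

MAX_AGE_LIMIT = 31557600  # RFC 8461 caps max_age at one year in seconds


def parse_txt_record(txt):
    """Return the policy id from an MTA-STS TXT record, or None if it is not STSv1.

    The id only signals that the policy changed; the policy itself comes from HTTPS.
    """
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def parse_policy(text):
    """Parse a policy file into a dict; raise ValueError on anything a sender must reject."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())  # hostnames compare case-insensitively
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    try:
        max_age = int(policy.get("max_age", ""))
    except ValueError:
        raise ValueError("max_age must be an integer number of seconds") from None
    if not 0 <= max_age <= MAX_AGE_LIMIT:
        raise ValueError("max_age out of range")
    policy["max_age"] = max_age
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx entry is required")
    return policy


def policy_error(text):
    """Return the rejection reason for a policy file, or None if it parses cleanly."""
    try:
        parse_policy(text)
    except ValueError as exc:
        return str(exc)
    return None


def mx_matches(pattern, hostname):
    """RFC 8461 mx matching: a leading '*.' matches exactly one leftmost label."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup.example.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return hostname == pattern


def delivery_decision(policy, mx_host, tls_ok):
    """What a sending MTA should do for one MX under the given policy.

    tls_ok is whether STARTTLS succeeded with a certificate that validates for mx_host.
    """
    if policy["mode"] == "none":
        return "deliver"  # policy is being withdrawn; behave as opportunistic TLS
    compliant = tls_ok and any(mx_matches(p, mx_host) for p in policy["mx"])
    if compliant:
        return "deliver"
    if policy["mode"] == "enforce":
        return "refuse"  # never fall back to cleartext or to an unlisted MX
    return "deliver-and-report"  # testing: deliver anyway, report the failure via TLSRPT


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print("policy id:", parse_txt_record(SAMPLE_TXT_RECORD))
    print("listed MX, good TLS:", delivery_decision(policy, "mail.example.com", True))
    print("listed MX, bad cert:", delivery_decision(policy, "mail.example.com", False))
    print("unlisted MX, good TLS:", delivery_decision(policy, "mx.attacker.example.net", True))
```

The last two cases are the ones MTA-STS exists for: a forged or expired certificate, and a spoofed MX record pointing at an attacker's server, both of which opportunistic STARTTLS would have silently accepted. Start a new domain in testing mode with a small max_age so a misconfigured mx list or certificate shows up in TLSRPT reports instead of bouncing mail, then switch to enforce.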
“We will deploy support for DANE for SMTP and DNSSEC in two phases. The first phase, DANE and DNSSEC for outbound email (from Exchange Online to external destinations), is slowly being deployed between now and March 2022. We expect the second phase, support for inbound email, to start by the end of 2022,” said the Exchange Team.
Microsoft also said it is continuing to work on MTA-STS and DANE support for SMTP. At a minimum, it recommends that customers publish an MTA-STS policy for their own domains. As a domain owner itself, Microsoft has already published MTA-STS policies for several domains it uses for email, including outlook.com, hotmail.com and live.com, so connections to those domains from any sender that supports MTA-STS are better protected against man-in-the-middle attacks.