To configure SMTP DANE with DNSSEC for incoming mail on Exchange Online, there are a number of steps that need to be completed:<\/p>\n\n\n\n
- \n
- Update the Time To Live (TTL) value of the existing MX record to the lowest possible value. Then wait at least the length of the previous TTL value before implementing the next step. If the previous TTL value was at, say, '3600 seconds' or '1 hour' before it was changed, you should wait at least 1 hour before performing step 2.<\/li>\n\n\n\n
- Connect to Exchange Online via the Connect-ExchangeOnline cmdlet<\/a> by entering in PowerShell the command
Connect-ExchangeOnline<\/code> execute.<\/li>\n\n\n\n- To use SMTP DANE with DNSSEC, DNSSEC must first be enabled. This can be done using the Enable-DnssecForVerifiedDomain cmdlet<\/a>. For warpnet.co.uk<\/em> the command looks like this:<\/li>\n<\/ul>\n\n\n\n
> Enable-DnssecForVerifiedDomain -DomainName \"warpnet.co.uk\"\n\nDnssecMxValue Result ErrorData\n------------- ------ ---------\nwarpnet-en.s-v1.mx.microsoft Success<\/code><\/pre>\n\n\n\n- \n
- Use the DnssecMxValue<\/strong> value to create a new MX record on the domain. Make sure it gets a priority value of 20 and uses the lowest possible TTL value.<\/li>\n\n\n\n
- Verify that the newly configured incoming mail server is working correctly by using the Inbound SMTP Email Test<\/a> from Microsoft. Unfolding the test steps reveals whether the new Mail Exchanger on the domain is mx.microsoft<\/strong> works correctly as shown in the screenshot below.<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/warpnet.nl\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-18.24.52-1024x565.png\")
<\/figure>\n\n\n\n- \n
- Delete the old MX record which ends in mail.protection.outlook.com<\/em>, mail.eo.outlook.com<\/em> or mail.protection.outlook.de<\/em>. Next, the TTL value of the MX record ending in mx.microsoft can be changed to 3600 seconds or 1 hour.<\/li>\n\n\n\n
- Verify that everything is working correctly by running the DNSSEC Validation <\/em>test in the Remote Connectivity Analyzer<\/a> from Microsoft for the domain as shown in the screenshot below.<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/warpnet.nl\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-18.30.39.png\")
<\/figure>\n\n\n\n- \n
- Once DNSSEC is enabled, SMTP DANE can also be used on the incoming mail server. To configure this, the Enable-SmtpDaneInbound cmdlet<\/a>. For warpnet.co.uk<\/em> the command looks like this:<\/li>\n<\/ul>\n\n\n\n
> Enable-SmtpDaneInbound -DomainName \"warpnet.co.uk\"\n\nResult ErrorData\n------ ---------\nSuccess<\/code><\/pre>\n\n\n\n- \n
- Verify that both DNSSEC and SMTP DANE records (TLSA) are correctly configured by DANE Validation (including DNSSEC) <\/em>test in the Remote Connectivity Analyzer<\/a> from Microsoft for the domain as shown in the screenshot.<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/warpnet.nl\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-18.41.25-1024x158.png\")
<\/figure>\n\n\n\n
- Verify that both DNSSEC and SMTP DANE records (TLSA) are correctly configured by DANE Validation (including DNSSEC) <\/em>test in the Remote Connectivity Analyzer<\/a> from Microsoft for the domain as shown in the screenshot.<\/li>\n<\/ul>\n\n\n\n
- Verify that everything is working correctly by running the DNSSEC Validation <\/em>test in the Remote Connectivity Analyzer<\/a> from Microsoft for the domain as shown in the screenshot below.<\/li>\n<\/ul>\n\n\n\n
- Verify that the newly configured incoming mail server is working correctly by using the Inbound SMTP Email Test<\/a> from Microsoft. Unfolding the test steps reveals whether the new Mail Exchanger on the domain is mx.microsoft<\/strong> works correctly as shown in the screenshot below.<\/li>\n<\/ul>\n\n\n\n
- To use SMTP DANE with DNSSEC, DNSSEC must first be enabled. This can be done using the Enable-DnssecForVerifiedDomain cmdlet<\/a>. For warpnet.co.uk<\/em> the command looks like this:<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/warpnet.nl\/wp-content\/uploads\/2024\/11\/Screenshot-2024-11-02-at-18.43.16-1024x574.png\")
<\/figure>","protected":false},"excerpt":{"rendered":"