Back in September of 2020 Microsoft announced that it was experimenting with the addition of SMTP MTA Strict Transport Security (MTA-STS) support to Exchange Online. This was done in a bid to ensure the email communication and security of their Office 365 customers.
In a recent statement by the company the Exchange Online Transport Team said:
“We have been validating our implementation and are now pleased to announce support for MTA-STS for all outgoing messages from Exchange Online.”
While it may not sound like a terribly exciting change, it truly is a big step forward. Now that the feature is in place in Office 365, any emails sent by users via Exchange Online will be delivered using connections with both authentication and encryption protocols. This is for protecting them from interception and attack attempts and includes both man-in-the-middle and downgrade attacks.
Again, per the Exchange Online Transport Team:
“Downgrade attacks are possible where the STARTTLS response can be deleted, thus rendering the message in cleartext. Man-in-the-middle (MITM) attacks are also possible, whereby the message can be rerouted to an attacker’s server.
MTA-STS (RFC8461) helps thwart such attacks by providing a mechanism for setting domain policies that specify whether the receiving domain supports TLS and what to do when TLS can’t be negotiated, for example stop the transmission.”
In addition to the feature addition Microsoft has also provided guidance on how to adopt MTA-STS. This includes where to host the policy file on your domain’s web infrastructure.
Additionally, the Exchange Team announced that they’re in the process of rolling out SANE for SMPT (with DNSSEC support). That provides better protection for SMTP connections than MTA-STS does.
The company’s plan is to proceed slowly and in two phases. Phase I is to be completed by March 2022 and phase II is to be completed by year end 2022. The team stressed that admins would be able to use both standards on the same domain at the same time, allowing them to account for senders who may exclusively use one or the other.
Great news indeed. Kudos to Microsoft for their continuing efforts.
