Enable DANE on Microsoft 365
Configure DANE TLSA records for Exchange Online.
Microsoft 365 supports DANE for inbound email, providing cryptographic proof that senders are connecting to genuine Exchange Online servers. Enable it via PowerShell to get a new DANE-enabled MX record on the .mx.microsoft domain.
Time required: 30-60 minutes (plus DNS propagation)
Prerequisites: DNSSEC-enabled domain, Microsoft 365 admin access, PowerShell
DNSSEC Required
DANE requires DNSSEC to be enabled on your domain. Without DNSSEC, DANE TLSA records have no security value and will be ignored by receiving servers. Set up DNSSEC first.
How Microsoft 365 DANE Works
When you enable DANE for your Microsoft 365 tenant, Microsoft provides you with a new MX record pointing to their DANE-enabled infrastructure at *.mx.microsoft. When a sending server delivers email:
- It looks up your new MX record → yourdomain-com.mx.microsoft
- It queries for TLSA records at _25._tcp.yourdomain-com.mx.microsoft
- Microsoft publishes TLSA records for their DANE-enabled mail servers
- The sender verifies the TLS certificate matches the TLSA record
Step 1: Enable DNSSEC
DANE requires DNSSEC to be enabled on your domain first. See our DNSSEC setup guide.
Step 2: Install PowerShell
You'll need PowerShell to enable DANE on Microsoft 365. On Windows, PowerShell is already installed. On macOS, install it via Homebrew:
```shell
# macOS - Install PowerShell via Homebrew
brew install powershell/tap/powershell
# Launch PowerShell
pwsh
```
Step 3: Install Exchange Online Management Module
Install the Exchange Online PowerShell module to manage your tenant:
```powershell
# Install the Exchange Online Management module
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
# If prompted to install from an untrusted repository, type 'Y' to confirm
```
Step 4: Connect to Exchange Online
Connect to your Microsoft 365 tenant with an admin account:
```powershell
# Import the module
Import-Module ExchangeOnlineManagement
# Connect to Exchange Online (a browser window will open for authentication)
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com
```
Step 5: Enable DANE for Your Domain
Enable DANE for inbound mail on your accepted domain:
```powershell
# Check current DANE status for your domain
Get-AcceptedDomain -Identity yourdomain.com | Format-List Name, DomainType, *Dane*
# Enable DANE for your domain
Enable-DnssecForVerifiedDomain -DomainName yourdomain.com
# Verify it's enabled
Get-AcceptedDomain -Identity yourdomain.com | Format-List Name, DomainType, *Dane*
```
Step 6: Update Your MX Record
After enabling DANE, Microsoft provides a new MX record. Update your DNS to use the new .mx.microsoft endpoint:
```shell
# Your new MX record will be something like:
# Type: MX
# Host: @
# Value: yourdomain-com.mx.microsoft
# Priority: 0

# Verify your new MX record is working
dig MX yourdomain.com +short
# Should return:
# 0 yourdomain-com.mx.microsoft.
```
Note: The .microsoft TLD is a brand TLD owned by Microsoft. The new MX record format enables DANE with TLSA records published by Microsoft for their mail infrastructure.
Step 7: Verify DANE is Working
After DNS propagation (up to 48 hours), verify your DANE configuration:
```shell
# Check TLSA records for your new MX
dig TLSA _25._tcp.yourdomain-com.mx.microsoft +short
# You should see TLSA records like:
# 3 1 1 B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E02CF362B
```
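To make the verification step from "How Microsoft 365 DANE Works" concrete, here is the matching logic a sending server applies to a `3 1 1` record like the one above: hash the server's SubjectPublicKeyInfo with SHA-256 and compare it to the record's association data. This is an added, stdlib-only example (not Microsoft's or this guide's code); the certificate and SPKI bytes are constructed stand-ins for what a real client would take from the TLS handshake.

```python
import hashlib
import hmac

# Constructed stand-ins for a DER certificate and its SubjectPublicKeyInfo (SPKI).
# A real verifier extracts both from the server's TLS certificate.
SAMPLE_SPKI_DER = bytes.fromhex("30590301") + bytes(range(64))          # constructed
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + SAMPLE_SPKI_DER + b"\xAA" * 32   # constructed


def _association_data(selector, mtype, cert_der, spki_der):
    """Data the TLSA 'certificate association' field must equal (RFC 6698 s.2.1)."""
    data = {0: cert_der, 1: spki_der}.get(selector)   # selector 0 = full cert, 1 = SPKI
    if data is None:
        return None                                   # unknown selector: record unusable
    if mtype == 0:
        return data                                   # matching type 0 = exact bytes
    if mtype == 1:
        return hashlib.sha256(data).digest()          # 1 = SHA-256 (what M365 publishes)
    if mtype == 2:
        return hashlib.sha512(data).digest()          # 2 = SHA-512
    return None                                       # unknown matching type: unusable


def tlsa_matches(rr, cert_der, spki_der):
    """Check one TLSA RR in `dig +short` form ("3 1 1 <hex>") against the leaf cert.
    Only DANE-EE (usage 3) is modelled: it needs no PKIX chain validation. Usages 0/1
    (PKIX-*) and 2 (DANE-TA) need chain data and are treated as unusable here."""
    fields = rr.split(None, 3)
    if len(fields) != 4:
        return False
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage != 3:
        return False
    expected = _association_data(selector, mtype, cert_der, spki_der)
    if expected is None:
        return False
    try:
        presented = bytes.fromhex(fields[3].replace(" ", ""))  # dig may split long hex
    except ValueError:
        return False
    return hmac.compare_digest(expected, presented)


def first_matching_record(rrset, cert_der, spki_der):
    """First usable TLSA RR that matches, or None (DANE failure: sender must not deliver)."""
    for rr in rrset:
        if tlsa_matches(rr, cert_der, spki_der):
            return rr
    return None


# Constructed RRset: a stale hash from a previous key plus the one for SAMPLE_SPKI_DER.
SAMPLE_TLSA_RRSET = [
    "3 1 1 " + "00" * 32,
    "3 1 1 " + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest().upper(),
]
```

Publishing two records during a key rollover, as the sample RRset does, is what lets a server rotate certificates without breaking DANE-aware senders.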
You can also use online tools to verify:
DANE and MTA-STS Together
DANE and MTA-STS serve similar purposes but work differently:
| Feature | DANE | MTA-STS |
|---|---|---|
| Requires | DNSSEC | HTTPS hosting |
| Cert validation | TLSA record | Standard CA |
| Adoption | Growing | Wider support |
For maximum security, use both. Senders that support DANE will use it; others will fall back to MTA-STS.
Troubleshooting
TLSA records not found
Ensure your DNS provider supports TLSA records and DNSSEC is properly configured.
DNSSEC validation failures
Check that DS records are correctly configured at your registrar.
PowerShell command fails
Ensure you have the Exchange Online Management module installed and have admin permissions.