Email Security Cloud Gateway - DANE

DANE (DNS-based Authentication of Named Entities) is a protocol that provides an additional layer of security for email transmissions over the internet. It is designed to prevent potential man-in-the-middle attacks by leveraging DNSSEC (Domain Name System Security Extensions) to provide a secure method of sending emails.

DANE works by using the presence of a Transport Layer Security Authentication (TLSA) record in a domain's DNS record set to signal that a domain and its mail servers support DANE. If there's no TLSA record present, DNS resolution for mail flow works as usual without any DANE checks being attempted. The TLSA record securely signals TLS support and publishes the DANE policy for the domain, allowing sending mail servers to authenticate legitimate receiving mail servers using SMTP DANE.

Enable Outbound DANE in your Mimecast Secure Delivery Definitions

Outbound DANE can be enabled in your Secure Delivery Definitions using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Policies | Gateway Policies | Secure Delivery - Definitions.
  3. Update the Secure Delivery Definition Properties for your Secure Delivery Definition, by selecting the Enable DANE check-box, to allow enforcement of DANE.
  4. Click on Save and Exit.

DANE requires TLS to be enabled before it can be applied; this is checked when you click Save.

The Administration Console View in Message Center

New messages are available in Message Center to help identify a DANE policy related delivery issue, comprising one 'Current Status' subject and three sub-reasons.

Current Status:

  • Email delivery route must comply with DANE.

Information (one of the following sub-reasons):

  • Recipient MTA does not support STARTTLS.
  • Recipient MTA certificate validation failure.
  • No MX records match DANE policy.

An example is shown below:

End-User/Sender Notifications

Depending on configuration, an end-user could receive the below notification advising them that a sent message could be delayed due to a DANE policy-related issue.

An example is shown below:

Support for TLS Reports

In addition, Email Security Cloud Gateway provides automated daily TLS Reports (TLSRPT) in broad alignment with the internet standard IETF RFC 8460. Both MAILTO and HTTPS transport methods are supported. Mimecast sends these reports to the recipient domain even if that recipient is not a Mimecast Email Security Cloud Gateway customer.

As defined by the RFC, these reports give the recipient domain the information the sending domain has gathered, such as the DANE policies seen, the number of emails sent under a DANE policy, the number of successful deliveries and, importantly, the transmission failures together with a failure reason.

Recipient domains can then use this information for several purposes, including the detection of potential attacks as well as the analysis, review, and correction of unintended misconfiguration(s). Mimecast makes reasonable efforts to respect the RFCs identified above, and TLS Reports are provided on an 'as is' basis. No warranties or representations of any kind, express or implied, are given regarding the provided information's nature, accuracy, suitability, or otherwise. For more information, see our website.

Considerations

  • DNSSEC: For DANE to work, the recipient needs to support DANE through valid DNSSEC and TLSA records.
  • Configure TLSA DNS Entries: The TLS Authentication (TLSA) record is used to associate a server's X.509 certificate or public key value with the domain name that contains the record. TLSA records can only be trusted if DNSSEC is enabled on the recipient domain.

The DNS records for the recipient domain must be correctly configured for Mimecast to proceed with an SMTP DANE delivery; however, these configurations are beyond our control.
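The TLSA association described in the bullets above (certificate or public key, hashed or exact, published under the MX host name) can be checked with a short stdlib-only routine. This is an added example, not Mimecast's code; the DER blobs are constructed stand-ins, and the caller is assumed to have already extracted the SubjectPublicKeyInfo from the presented certificate.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Certificate usages from RFC 6698; only DANE-TA(2) and DANE-EE(3) are
# usable for SMTP DANE (RFC 7672), so PKIX-TA(0)/PKIX-EE(1) are rejected.
DANE_TA, DANE_EE = 2, 3


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    assoc_data: bytes


def tlsa_owner_name(mx_host: str, port: int = 25) -> str:
    """DNS owner name at which the TLSA record for an MX host is published."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."


def parse_tlsa_rdata(text: str) -> TLSA:
    """Parse presentation format: '<usage> <selector> <mtype> <hex data>'."""
    usage, selector, mtype, *data = text.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(data)))


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the compared certificate satisfies this TLSA record.

    For DANE-EE the compared certificate is the end-entity certificate; for
    DANE-TA it is each issuer certificate in the presented chain in turn.
    Records with an unknown usage, selector or matching type are unusable
    and never match (they are not a validation success)."""
    if record.usage not in (DANE_TA, DANE_EE):
        return False
    selected = {0: cert_der, 1: spki_der}.get(record.selector)
    if selected is None:
        return False
    if record.matching_type == 0:
        digest = selected
    elif record.matching_type == 1:
        digest = hashlib.sha256(selected).digest()
    elif record.matching_type == 2:
        digest = hashlib.sha512(selected).digest()
    else:
        return False
    return hmac.compare_digest(digest, record.assoc_data)


# Constructed sample data: placeholder bytes, not a real certificate.
SAMPLE_CERT_DER = b"constructed-cert-der-bytes"
SAMPLE_SPKI_DER = b"constructed-spki-der-bytes"
SAMPLE_RECORD = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest()


def check_sample() -> bool:
    """DANE-EE, SPKI selector, SHA-256: the common '3 1 1' record form."""
    return tlsa_matches(parse_tlsa_rdata(SAMPLE_RECORD), SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
```

A mismatch here is what surfaces as "Recipient MTA certificate validation failure" in Message Center; a record that matches but whose zone is not DNSSEC-signed cannot be trusted at all.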

  • If you encounter issues with DANE, check the DNSSEC configuration of the recipient first, as DANE depends on it.
  • If the recipient MTA does not support STARTTLS, or there is a certificate validation failure, this may indicate a problem with the recipient's DANE configuration.
  • Use the Administration Console view in Message Center to help identify any DANE policy related delivery issues; the new messages described above are provided for this purpose.
  • If an enforced DANE delivery fails, Cloud Gateway retries the delivery according to the customer's retry configuration. If delivery still cannot be made after the configured retries, the email bounces with the Mimecast Administration Console message, which helps the customer's IT team trace the email.
  • Third-party DANE verification tools are available that can be used to assess the recipient domain's configuration.
