Feedback by UserVoice

Andy Marchand

My feedback

  1. 1,730 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    Andy Marchand commented  · 

    Did Microsoft ever answer or comment on this issue?

    @Microsoft: The O365 Servers should all be secured by DNSSEC and DANE!

    I did all I can for my domain, but checking on internet.nl throws the following feedback:

    Email address domain
    Passed:
    DNSSEC existence

    Verdict:
    Your email address domain is DNSSEC signed.
    Test explanation:
    We check if your domain is DNSSEC signed. With a DNSSEC signature senders who validate domain signatures can verify the authenticity of the DNS reply that contains your mail server domains (MX). This prevents an attacker from manipulating the DNS answer in order to redirect mails sent to you to the attacker's mailserver domain.

    If a domain redirects to another domain via CNAME, then we also check if the CNAME domain is signed (which is conformant with the DNSSEC standard). If the CNAME domain is not signed, the result of this subtest will be negative.
    Note: the validity of the signature is not part of this subtest, but part of the next subtest.

    Technical details:
    Email address domain
    Registrar
    [**mydomain**].ch
    None
    Passed:
    DNSSEC validity

    Verdict:
    Your email address domain is secure, because its DNSSEC signature is valid.
    Test explanation:
    We check if your domain is signed with a valid signature making it 'secure'.

    If a domain redirects to another signed domain via CNAME, then we also check if the signature of the CNAME domain is valid (which is conformant with the DNSSEC standard). If the signature of the CNAME domain is not valid, the result of this subtest will be negative.

    Technical details:
    Email address domain
    Status
    [**mydomain**].ch
    secure

    Mail server domain(s)
    Failed:
    DNSSEC existence

    Verdict:
    At least one of your mail server domains is insecure, because it is not DNSSEC signed.
    Test explanation:
    We check if the domains of your mail servers (MX) are DNSSEC signed. With a DNSSEC signature senders who validate domain signatures can verify the authenticity of the DNS reply containing the IP addresses and DANE records of your mailserver(s). This prevents an attacker from manipulating the DNS answer in order to redirect mails sent to you to an IP address controlled by the attacker or to eavesdrop on the secured mail server connection.

    If a domain redirects to another domain via CNAME, then we also check if the CNAME domain is signed (which is conformant with the DNSSEC standard). If the CNAME domain is not signed, the result of this subtest will be negative.
    Note: the validity of the signature is not part of this subtest, but part of the next subtest.

    Technical details:
    Domain of mail server (MX)
    DNSSEC existent
    [**mydomain**]-ch.mail.protection.outlook.com.
    no
    Not testable:
    DNSSEC validity

    Verdict:
    This test did not run, because either a parent test that this test depends on gave a negative result ('fail') or not enough information was available to run this test.
    Test explanation:
    We check if the domains of your receiving mail servers (MX) are signed with a valid signature making them 'secure'.

    If a domain redirects to another signed domain via CNAME, then we also check if the signature of the CNAME domain is valid (which is conformant with the DNSSEC standard). If the signature of the CNAME domain is not valid, the result of this subtest will be negative.

    Technical details:
    Domain of mail server (MX)
    Status
    [**mydomain**]-ch.mail.protection.outlook.com.
    insecure

    Andy Marchand commented  · 

    Are there any news on this subject?

    I do really have troubles with missing DNSSEC on .info domains, which are no longer accepted as e-mail senders by a growing number of important hosts like Gmail...

    Andy Marchand supported this idea  · 

Feedback and Knowledge Base