Letter to Microsoft DANE

Content

Meeting: Forum Standaardisatie, 14 June 2023

Agenda item: 4E

Document number: FS-20230614.4E


Rights: CC0 public domain dedication

Ministerie van Justitie en Veiligheid

> Return address: Postbus 20301, 2500 EH Den Haag

Microsoft Nederland B.V. 
Ms A. den Ouden

By email

Directie Informatievoorziening en Inkoop

Turfmarkt 147 
2511 DP Den Haag 
Postbus 20301 
2500 EH Den Haag
www.rijksoverheid.nl/Jenv

Contact person
[details removed]

Project name

Microsoft Exchange - DANE

Our reference [reference removed]

When replying, please state the date and our reference. Please address only one matter per letter.

Date 22 May 2023
Subject DANE and IPv6

Dear Ms A. den Ouden,

Thank you for your reply to our letter dated 2nd January 2023, concerning lack of support for DANE and IPv6 on Exchange Online.

DANE (secure mail transport)

We were very disappointed to read in your response letter that you expected further delay for implementing inbound DANE. Shortly after we received your letter, we read online that the general availability of the inbound support for DNSSEC/DANE for SMTP to Exchange Online is now planned for March 2024. This means that your planned implementation date has been postponed for the fourth time, from July 2023 to March 2024. Note that you originally communicated year-end 2021 as deadline.

With this follow-up letter we again stress the urgency we have for implementing DNSSEC/DANE into the services that fall under our purchase agreement. For security reasons it is essential that these standards are implemented and run. We need to provide secure information exchange to our citizens and at this point, the lack of these security standards prohibits us from doing so.

As we wrote in our previous letter, the lagging inbound DANE support also has the attention of the Dutch parliament and of our Minister of Digitalisation. In response to the recent Parliamentary questions, our Minister of Digitalisation replied as follows (translated into English). [1]

[1] See: https://zoek.officielebekendmakingen.nl/ah-tk-20222023-1167.html

"Also, many organizations rely on their external provider. For example, the government's most widely used cloud mail provider provides by default no IPv6 and no DANE. For the national government, Strategic Supplier Management Microsoft, Google Cloud and Amazon Web Services (SLM), part of the Ministry of Justice and Security, is responsible for communication with suppliers. The Ministry, together with the Standardisation Forum, has been calling attention to the implementation of the standards since 2019. The implementation of these standards has repeatedly been pushed back in time by Microsoft. SLM and Forum Standaardisatie have again pointed out to Microsoft the obligation for the Dutch Government to implement this standard and have asked Microsoft to guarantee the current ultimate implementation date of July 2023 no matter what.

It remains important that governments call their suppliers to account for shortcomings and, if necessary, switch to a supplier that does support the standard properly."

In your letter you mention the following three points. Below each point you will find our response:

  • to set up a meeting with Microsoft's engineering team to explore an approach we could take for preview

We gladly take you up on this offer. Please be advised that the previous time, in 2021, when we were offered a preview regarding outbound DNSSEC/DANE support, we prepared accordingly and shared contact details of interested government organizations with Microsoft. However, we did not receive a response and/or invitation for follow-up from you, Microsoft. This was unfortunate and we hope this invitation will lead to a preview and more proactive communication.

  • different security methods and mechanisms that are integrated in the M365 platform that also mitigate against the risks that DANE seeks to address

You, accurately, call these complementary protections to DANE. This is what we are stressing and why we are urgently requesting the support of DANE. Without DANE, these security methods are not complementary but 'solo' security methods with insufficient protection.

With regard to MTA-STS we would like to inform you that we are aware of its availability. However, this is a newer standard, with which there is little experience, especially beyond the prominent cloud mail providers. Moreover, MTA-STS is less secure than DANE because of 'trust on first use' and this is acknowledged in the MTA-STS specification. The two standards are not mutually exclusive. In short: despite MTA-STS, in our opinion DANE remains very relevant and at this point more prevalent to implement to meet our security requirements.

As stated before, fellow EU Member States such as the Czech Republic, Denmark, Estonia and Germany and the European Commission itself actively promote DANE.

  • the use of third-party solutions to achieve DANE compliance

We are aware of this option. However, as we already mentioned in our letter in March 2020, relay gateways add additional complexities and costs to our services. Considering security, complexity and cost concerns we believe native DNSSEC and DANE support in Office 365 Exchange Online and other email platforms is crucial for us.

IPv6 (reachability)

We kindly thank you for the offer to assist us with a common process to assist governmental entities that have not yet enabled IPv6. We will get in touch with our Microsoft NL contacts for further arrangements.

We trust to have, again, expressed our deep concerns and the importance of the implementation of DNSSEC/DANE for SMTP to Exchange Online. We look forward to your response and welcome an invitation to discuss this further.

Emine Özyenici 

CEO Business Operations, also Chief Information Overseer, Ministry of Justice and Security

Ron Roozendaal

Deputy Director General on Digitalisation, Ministry of the Interior and Kingdom Relations
