MC711018 - Microsoft Exchange Online: Support for inbound SMTP DANE with DNSSEC

Service

Exchange Online

Last Updated

Apr 15, 2024

Published Jan 29, 2024

Tag

Updated message
New feature
User impact
Admin impact

Summary

Microsoft Exchange Online will support inbound SMTP DANE with DNSSEC starting in May 2024. Inbound SMTP DANE with DNSSEC will be off by default, and if you do not want to enable the feature, you do not need to do anything. If you want to enable the feature, follow the documentation using Exchange PowerShell. Review your domain configuration internally to ensure you won't be impacted by any of the limitations.

More information

Updated April 15, 2024: We have updated the timing of the Preview below. Thank you for your patience.

We are adding support for DNS-based Authentication of Named Entities (DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used to secure email communication with TLS, and it protects against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks on DNS.

This message is associated with Microsoft 365 Roadmap ID 63213.

When this will happen:

Public Preview: We will begin rolling out in May 2024.

Standard Release: We begin rolling out late June 2024 and expect to complete by late July 2024.

How this will affect your organization:

Inbound SMTP DANE with DNSSEC will be off by default. If you do not want to enable the feature, you do not need to do anything.

If you want to enable the feature, please follow the documentation using Exchange PowerShell. When the feature is released, the documentation will be in the "How can Exchange Online customers use SMTP DANE inbound" section of "How SMTP DNS-based Authentication of Named Entities (DANE) secures email communications" on Microsoft Learn. By the end of 2024, we will release a new experience for enabling DNSSEC and SMTP DANE without using PowerShell.

What you need to do to prepare:

Review your domain configuration internally to ensure you won't be impacted by any of the limitations below, and visit "Implementing Inbound SMTP DANE with DNSSEC for Exchange Online Mail Flow" on the Microsoft Community Hub for more detailed information on limitations:

  • Not supported: Fully delegated domains, onmicrosoft.com domains, and domains purchased from Microsoft known as "viral" or self-service sign-up domains
  • Supported with risk: 3rd-party gateways, connectors, and integration with hybrid mail flow. For example, if you use a connector that smarthosts to a domain you want to enable with DNSSEC, update that connector's smarthost name (for example, contoso-com.mail.protection.outlook.com) before enabling the feature, either to match the new MX record that will be provided during DNSSEC enablement or, preferably, to match the tenant's onmicrosoft.com domain (for example, tenant-name.onmicrosoft.com).
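
One way to run the connector review described in the last bullet, as an added example that is not Microsoft's code or part of the original message. The function names are hypothetical, the connector objects are constructed sample data, and the legacy smarthost name is assumed to follow the contoso-com.mail.protection.outlook.com pattern quoted above (dots replaced by dashes), so confirm it against the domain's current MX record.

```powershell
# Added example: flag connectors whose smart host still uses the legacy
# <domain-with-dashes>.mail.protection.outlook.com name of a domain that is
# about to be enabled for DNSSEC.

function Get-LegacySmartHostName {
    param([Parameter(Mandatory)][string]$Domain)
    # Assumption: contoso.com -> contoso-com.mail.protection.outlook.com,
    # following the example in the message. Verify against the live MX record.
    ($Domain.ToLowerInvariant() -replace '\.', '-') + '.mail.protection.outlook.com'
}

function Find-ConnectorsToUpdate {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][object[]]$Connectors   # needs Name, Enabled, SmartHosts
    )
    $legacy = Get-LegacySmartHostName -Domain $Domain
    foreach ($c in $Connectors) {
        # Case-insensitive match; tolerate a trailing dot on the host name.
        $hits = @($c.SmartHosts | Where-Object { "$_".TrimEnd('.') -ieq $legacy })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Connector = $c.Name
                Enabled   = $c.Enabled
                SmartHost = $hits -join ','
                Action    = 'Repoint to the new MX host or the tenant onmicrosoft.com domain before enabling DNSSEC'
            }
        }
    }
}

# Constructed sample connectors (not real tenant data).
$sample = @(
    [pscustomobject]@{ Name = 'Relay to contoso'; Enabled = $true;  SmartHosts = @('Contoso-com.mail.protection.outlook.com') }
    [pscustomobject]@{ Name = 'Partner gateway';  Enabled = $true;  SmartHosts = @('mail.partner.example') }
    [pscustomobject]@{ Name = 'Tenant route';     Enabled = $false; SmartHosts = @('tenant-name.onmicrosoft.com') }
)

# Only 'Relay to contoso' is reported; the other two do not use the legacy name.
Find-ConnectorsToUpdate -Domain 'contoso.com' -Connectors $sample | Format-List

# Against a live tenant, pass real connector objects instead of the sample:
#   Find-ConnectorsToUpdate -Domain 'contoso.com' -Connectors (Get-OutboundConnector)
```

Disabled connectors are reported as well, since re-enabling one later would bring the stale smarthost name back into the mail path.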