MC835648 - Announcing IPv6 Enablement for Accepted Domains

Updated October 8, 2024: We have updated the content. Thank you for your patience.

Starting October 16, 2024, we're gradually enabling IPv6 for all customer Accepted Domains that use Exchange Online for inbound mail. Microsoft is modernizing Exchange Online so our customers can easily meet their local regulations as well as benefit from the enhanced security and performance offered by IPv6.

More information on IPv6 support for Microsoft 365 services can be found at: IPv6 support in Microsoft 365 services

When this will happen:

October 16, 2024 (previously October 1, 2024)

How this will affect your organization:

After we enable IPv6 for your Accepted Domains, when someone tries to send an email to one of your users and queries the MX record for the domain, they will receive both IPv4 and IPv6 addresses (AAAA records) in response to their MX record query.

What you need to do to prepare:

To take advantage of IPv6 connectivity, please make sure that you and your partner's update network allow-lists to allow Exchange Online IPv6 endpoints in the same way it allow-lists IPv4.

The Exchange Online IPv6 endpoints can be found here: Microsoft 365 URLs and IP address ranges.

To opt a domain out of inbound IPv6 so traffic flowing to the domain remains IPv4-only, please use Disable-IPv6ForAcceptedDomain -Domain for each domain you want to opt out of IPv6 (Disable-IPv6ForAcceptedDomain (ExchangePowerShell) | Microsoft Learn).

IPv6 enablement may impact the source IP type used by Senders when connecting to Exchange Online, as the source and destination IP versions must match. For any IP Address-based Inbound connectors in Exchange Online that are referencing IPv4 addresses, you need to either:

• Keep the sending server as IPv4.
  • Coordinate with the Sender so the Sender keeps connecting to your domain(s) via IPv4 or Opt your domain(s) out of IPv6
• Change the IP based connector to certificate domain based connector.
  • This applies to both OnPremises type (From: Your organization's email server, To: Office 365) and Partner Type connectors (From: Partner organization, To: Office 365).

Update: If you are using any Exchange Transport Rules or Data Loss Prevention policies which rely on the SenderIPRanges predicate, you need to opt out all your domains from IPv6.

You can manage IPv6 for your Exchange Online Accepted Domains using the commands Enable-IPv6ForAcceptedDomain or Disable-IPv6ForAcceptedDomain.

Currently, you can check the status of your Accepted Domains with the Get-IPv6StatusForAcceptedDomain command. While some customers have already enabled IPv6, most will see it as disabled until October 16th.

After October 16, once IPv6 is enabled for your tenant, if you haven't explicitly set the IPv6 status for your Accepted Domains, the Get-IPv6StatusForAcceptedDomain command will reflect the new default behavior (enabled).

IMPORTANT: To ensure your preferred settings are applied, please use the Enable-IPv6ForAcceptedDomain or Disable-IPv6ForAcceptedDomain commands before October 16th, after which IPv6 will be enabled by default if you haven't explicitly set it.

If you have enabled DNSSEC for mail flow, you may have issues executing the Get-IPv6StatusForAcceptedDomain cmdlet for the DNSSEC-enabled domain. We are rolling out the fix now. Please ensure to run Disable-IPv6ForAcceptedDomain to opt out of the IPv6 enablement if you need to opt a DNSSEC-enabled domain out of the IPv6 by default rollout. The IPv6 rollout will not affect DNSSEC-enabled domains until after Nov 18th.