Message Center
Published Jul 25, 2024
Updated October 8, 2024: We have updated the content. Thank you for your patience.
Starting October 1st,16, 2024, we're gradually enabling IPv6 for all customer Accepted Domains that use Exchange Online for inbound mail. Microsoft is modernizing Exchange Online so our customers can easily meet their local regulations as well as benefit from the enhanced security and performance offered by IPv6.
More information on IPv6 support for Microsoft 365 services can be found at: IPv6 support in Microsoft 365 services
When this will happen:
October 16, 2024 (previously October 1, 20242024)
How this will affect your organization:
After we enable IPv6 for your Accepted Domains, when someone tries to send an email to one of your users and queries the MX record for the domain, they will receive both IPv4 and IPv6 addresses (AAAA records) in response to their MX record query.
What you need to do to prepare:
To take advantage of IPv6 connectivity, please make sure that you and your partner's update network allow-lists to allow Exchange Online IPv6 endpoints in the same way it allow-lists IPv4.
The Exchange Online IPv6 endpoints can be found here: Microsoft 365 URLs and IP address rangesMicrosoft 365 URLs and IP address ranges.
We understand customers have unique situationsTo opt a domain out of inbound IPv6 so traffic flowing to the domain remains IPv4-only, please use Disable-IPv6ForAcceptedDomain -Domain for each domain you want to opt out of IPv6 (Disable-IPv6ForAcceptedDomain (ExchangePowerShell) | Microsoft Learn).
IPv6 enablement may impact the source IP type used by Senders when connecting to Exchange Online, as the source and may require their own timeline for IPv6 enablement.destination IP versions must match. For customers whoany IP Address-based Inbound connectors in Exchange Online that are referencing IPv4 addresses, you need to remain IPv4-Only, we will update this post in Septembereither:
Update: If you are using any Exchange Transport Rules or Data Loss Prevention policies which rely on the SenderIPRanges predicate, you need to opt out all your domains from IPv6.
You can manage IPv6 for your Exchange Online Accepted Domains using the commands Enable-IPv6ForAcceptedDomain or Disable-IPv6ForAcceptedDomain.
Currently, you can check the status of your Accepted Domains with the Get-IPv6StatusForAcceptedDomain command. While some customers have already enabled IPv6, most will see it as disabled until October 16th.
After October 16, once IPv6 is enabled for your tenant, if you haven't explicitly set the IPv6 status for your Accepted Domains.Domains, the Get-IPv6StatusForAcceptedDomain command will reflect the new default behavior (enabled).
With this change,IMPORTANT: To ensure your preferred settings are applied, please note that traffic moved touse the Enable-IPv6ForAcceptedDomain or Disable-IPv6ForAcceptedDomain commands before October 16th, after which IPv6 will have more stringent authentication requirements, as described here Support for anonymous inbound email over IPv6be enabled by default if you haven't explicitly set it.
If you expect this changehave enabled DNSSEC for mail flow, you may have issues executing the Get-IPv6StatusForAcceptedDomain cmdlet for the DNSSEC-enabled domain. We are rolling out the fix now. Please ensure to cause any issues for your organization, please reachrun Disable-IPv6ForAcceptedDomain to opt out via your regular support channels.of the IPv6 enablement if you need to opt a DNSSEC-enabled domain out of the IPv6 by default rollout. The IPv6 rollout will not affect DNSSEC-enabled domains until after Nov 18th.