MicrosoftMicrosoft
MicrosoftHi Team! In the article is mentioned "Email Security Roadmap": "May 2025 – Mandatory Outbound SMTP DANE, set per-tenant/per-remote domain". Is that a typo and you meant "Inbound"?
As far as I understood Outbound SMTP DANE is already enabled for tenants since past 2022?
Releasing: Outbound SMTP DANE with DNSSEC | Microsoft Community Hub
MicrosoftUserA No typo's, but some clarity is needed.
We support opportunistic outbound SMTP DANE with DNSSEC by default, this means that if there are no DANE records on the destination's side then we still send the email with opportunistic TLS. This is a much more permissive version of DANE to allow for smoother adoption and can be seen in the diagram at the step "One or more TLSA Record is returned": https://learn.microsoft.com/en-us/purview/how-smtp-dane-works?view=o365-worldwide#exchange-online-mail-flow-with-smtp-dane
With Mandatory outbound SMTP DANE with DNSSEC, we will not send the email if a destination doesn't have a DANE record. This is a much stricter version of DANE, since only a couple million domains support DANE world-wide. So, it will only work for Remote Domains, with admins controlling the configuration per remote domain.
