johnjonestag
- Regarding a sample domain to test, we don't provide sample domains for our features. You'll have to set up a cheap test domain with a DNS Provider, which can be purchased for a couple dollars and last a year.
- The RCA shows the correct output for broadcom.com so maybe we need to improve the interpretability. It shows DNSSEC passing for broadcom.com and DANE not succeeding (emphasis on not succeeding, I did not say DANE failed) because there is no TLSA record for broadcom.com. The TLSA record is required for SMTP DANE validation to succeed. If the TLSA is not present, then we say the SMTP DANE validation didn't succeed and show the yellow warnings you are seeing.
- It's healthy as we've been testing with it for several months. Feel free to use dig to review SOA/NS configuration or DNSViz for the DNSSEC info. Can I ask why you are concerned about this?
DMStork thanks 🙂 I'm pushing through a doc update ASAP. And your explanation regarding us using Outbound SMTP DANE with DNSSEC in an opportunistic manner is spot on. I will make this clearer in our public documentation.
Satyajit321 no typos and DMStork explained it well. We are using SMTP DANE with DNSSEC opportunistically on the outbound path because most destinations don't support SMTP DANE (yet!). Outbound Mandatory SMTP DANE will allow Exchange Online customers to make passing SMTP DANE with DNSSEC validations mandatory for the email to successfully send. So, if the SMTP DANE or DNSSEC validation fails, we will not try to fall back to a secondary, unsecured MX record for that same domain, which does happen with current behavior. I'll clean up the documentation so it's clearer.
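
The behaviour described in the post above, as an added example that is not part of the thread and not Exchange Online's implementation: a simplified Python model of the three DANE outcomes ("passed", "not succeeded", "failed") and of MX selection in opportunistic versus mandatory mode. The `Mx` fields, the handling of unsigned zones and the sample hosts are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Dane(Enum):
    PASSED = "passed"
    NOT_SUCCEEDED = "not succeeded"  # nothing to validate against: a warning, not a failure
    FAILED = "failed"

@dataclass
class Mx:
    host: str
    dnssec: str                 # "secure", "unsigned" or "bogus" (validation failed)
    tlsa_present: bool
    tlsa_matches: bool = False  # server certificate matches the TLSA record

def evaluate(mx: Mx) -> Dane:
    if mx.dnssec == "bogus":
        return Dane.FAILED
    # Assumption: an unsigned zone is treated like a missing TLSA record.
    if mx.dnssec == "unsigned" or not mx.tlsa_present:
        return Dane.NOT_SUCCEEDED
    return Dane.PASSED if mx.tlsa_matches else Dane.FAILED

def select_mx(mx_by_preference: list[Mx], mandatory: bool):
    """Return (host, protection) for the first usable MX, or None if the mail is not sent."""
    for mx in mx_by_preference:
        result = evaluate(mx)
        if result is Dane.PASSED:
            return mx.host, "DANE"
        if result is Dane.NOT_SUCCEEDED and not mandatory:
            return mx.host, "no DANE"  # opportunistic mode delivers without DANE
        # FAILED, or NOT_SUCCEEDED in mandatory mode: try the next MX
    return None

# Constructed sample data (not real domains)
SIGNED_NO_TLSA = [Mx("mx.no-tlsa.example", "secure", tlsa_present=False)]
BROKEN_PRIMARY = [
    Mx("mx1.example.test", "secure", tlsa_present=True, tlsa_matches=False),
    Mx("mx2.example.test", "secure", tlsa_present=False),
]

if __name__ == "__main__":
    for label, mxs in (("signed, no TLSA", SIGNED_NO_TLSA), ("broken primary", BROKEN_PRIMARY)):
        for mandatory in (False, True):
            mode = "mandatory" if mandatory else "opportunistic"
            print(f"{label:16} {mode:13} -> {select_mx(mxs, mandatory)}")
```

The "broken primary" case is the fallback discussed in the post: opportunistic mode delivers to the second MX without DANE, while mandatory mode returns `None` and the message is not sent.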