Hi The_Exchange_Team IanMcDonald
I have a few questions about enabling SMTP DANE.
1. The implementation doc says: "To get the full security benefits of the feature, make sure you have DNSSEC enabled for your domain."
Does this mean that only the MX domain (contoso-com.1j2b-v1.mx.microsoft) must be DNSSEC-enabled and that this is not mandatory for the root domain (contoso.com)?
2. Can SMTP DANE be activated if there is a hybrid mail flow?
3. What impact does the switch to SMTP DANE have on a hybrid mail flow? The Implementation Doc says:
"third party SHOULD NOT use the old MX record hostname -> contoso-com.mail.protection.outlook.com as Exchange Online will delete the A record approximately within 2 days (48 hours) after the feature enablement once we reach GA"
On the Send connector in an Exchange OnPrem environment, the SmartHostString for the "Outbound to Office 365" connector is set to "contoso-com.mail.protection.outlook.com". If the A record were deleted, the Send Connector would no longer work!
4. MTA-STS and SMTP DANE
What is the recommended mta-sts.txt value, #1 or #2?
#1
version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
mx: contoso-com.1j2b-v1.mx.microsoft
max_age: 604800
#2
version: STSv1
mode: enforce
mx: contoso-com.1j2b-v1.mx.microsoft
max_age: 604800
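
Added example, not part of the original post: a small RFC 8461 policy parser and MX matcher that shows which of the two hostnames named in the post each candidate policy allows a sending MTA to deliver to in enforce mode. The function names parse_policy and mx_allowed are illustrative; the policies and hostnames are the ones quoted above.

```python
# Added example: RFC 8461 policy parsing and MX matching for the two
# mta-sts.txt candidates quoted in the post. Function names are illustrative.
POLICY_1 = ("version: STSv1\nmode: enforce\n"
            "mx: *.mail.protection.outlook.com\n"
            "mx: contoso-com.1j2b-v1.mx.microsoft\nmax_age: 604800\n")
POLICY_2 = ("version: STSv1\nmode: enforce\n"
            "mx: contoso-com.1j2b-v1.mx.microsoft\nmax_age: 604800\n")
OLD_MX = "contoso-com.mail.protection.outlook.com"
NEW_MX = "contoso-com.1j2b-v1.mx.microsoft"


def parse_policy(text):
    """Parse an mta-sts.txt body into a dict; 'mx' is a list of patterns."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy.setdefault(key, value)  # duplicates: first one wins
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    policy["max_age"] = int(policy["max_age"])
    if not 0 <= policy["max_age"] <= 31557600:
        raise ValueError("max_age out of range")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy lists no mx patterns")
    return policy


def mx_allowed(policy, mx_host):
    """True if mx_host matches an mx pattern; '*.' covers one label only."""
    host = mx_host.lower().rstrip(".")
    parent = host.partition(".")[2]  # host with its left-most label removed
    return any(parent == p[2:] if p.startswith("*.") else host == p
               for p in policy["mx"])


if __name__ == "__main__":
    for name, text in (("#1", POLICY_1), ("#2", POLICY_2)):
        policy = parse_policy(text)
        for host in (OLD_MX, NEW_MX):
            print(name, host, "allowed" if mx_allowed(policy, host) else "rejected")
```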