SteveTH Hitronics DMStork
You must have secured your domain (contoso.com) with DNSSEC for SMTP DANE with DNSSEC to secure mail flow. DMStork is correct: if you don't have DNSSEC on your contoso.com, the DNSSEC validations will stop happening during downstream DNS resolution. "Plain" DNS will take over, and since the chain of trust was broken during the contoso.com resolution, DNSSEC validations simply won't occur for the contoso-com.a-v1.mx.microsoft record. Mail will flow fine if you do this, but you won't get any of the benefits because 1) DNSSEC isn't in place and 2) SMTP DANE depends on DNSSEC and so SMTP DANE won't actually be in place either. No system will ask for the DANE record at this point in the resolution, because the DANE record would be considered unauthentic per DNSSEC so it wouldn't be usable for DANE validations per RFC.
SMTP DANE with DNSSEC can be used for hybrid, but the comments are correct: you must update your smarthost property to use either 1) your tenantname.mail.protection.outlook.com hostname or 2) your new contoso-com.a-v1.mx.microsoft in the Send Connector, or mail will stop working.
To reduce confusion, tenantname.mail.protection.outlook.com is the A record your tenantname.onmicrosoft.com MX record resolves to. We will never be doing anything to this A record, so it is a safe configuration to make and was why we told customers in the documentation to use this A record value. HOWEVER, we discussed internally that this could confuse customers and (unnecessarily) result in them not adopting DNSSEC for domains referenced in their Send Connectors, and that it should be ok to just switch straight from contoso-com.mail.protection.outlook.com to contoso-com.a-v1.mx.microsoft.
I will make some adjustments to documentation so it is more clearly spelled out that customers need to use either 1) your tenantname.mail.protection.outlook.com hostname or 2) your new contoso-com.a-v1.mx.microsoft in the Send Connector.
Is there anything my team is missing?
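
The sender-side behaviour described in the reply above, as an added example that is not part of the original post or any Microsoft code: a simplified model of a DANE-aware sending MTA, run against constructed resolver answers. The `Answer` type, the function names, the `_25._tcp.` TLSA owner name (the standard DANE naming for port 25) and the placeholder TLSA data are assumptions for illustration.

```python
from dataclasses import dataclass

DOMAIN = "contoso.com"
MX_HOST = "contoso-com.a-v1.mx.microsoft"

@dataclass
class Answer:
    records: list        # RDATA strings returned for the query
    authenticated: bool  # True when the validating resolver set the AD bit

def delivery_plan(domain, lookup):
    """Per-MX TLS mode a DANE-aware sender picks for `domain` (simplified model)."""
    mx = lookup(domain, "MX")
    plan = []
    for host in (mx.records if mx else []):
        if not mx.authenticated:
            # Chain of trust broke at the recipient domain: the MX answer is
            # unauthenticated, so the TLSA record is never requested.
            plan.append((host, "opportunistic-tls"))
            continue
        tlsa = lookup(f"_25._tcp.{host}", "TLSA")
        secure = bool(tlsa and tlsa.records and tlsa.authenticated)
        plan.append((host, "dane-enforced" if secure else "opportunistic-tls"))
    return plan

def run(zone):
    """Resolve DOMAIN against a constructed zone; return (plan, queries issued)."""
    queries = []
    def lookup(name, rrtype):
        queries.append((name, rrtype))
        return zone.get((name, rrtype))
    return delivery_plan(DOMAIN, lookup), queries

# Constructed data: the TLSA record exists and is signed in both cases.
TLSA = Answer(["3 1 1 <placeholder-digest>"], True)
UNSIGNED = {(DOMAIN, "MX"): Answer([MX_HOST], False),   # contoso.com without DNSSEC
            (f"_25._tcp.{MX_HOST}", "TLSA"): TLSA}
SIGNED = {(DOMAIN, "MX"): Answer([MX_HOST], True),      # contoso.com with DNSSEC
          (f"_25._tcp.{MX_HOST}", "TLSA"): TLSA}

if __name__ == "__main__":
    for label, zone in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        plan, queries = run(zone)
        print(label, plan, queries)
```

In the unsigned case mail is still delivered, but the query log shows that the signed TLSA record was never asked for, which is the "no benefit" outcome the reply describes.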