Announcing SMTP DANE & MTA STS Connector Modes in Exchange Online

Platinum Contributor

Mar 10, 2026

We’re excited to announce the release of SMTP DANE and MTA‑STS connector modes in Exchange Online. This update gives administrators explicit control over how strictly Exchange Online enforces modern mail flow security standards when sending email over outbound connectors.

This capability builds on our offerings for SMTP DANE with DNSSEC and MTA‑STS and addresses customer feedback around balancing security posture, reliability, and partner interoperability on critical mail paths.

What’s new

Exchange Online outbound connectors now support configurable SMTP DANE and MTA‑STS modes, allowing customers to choose the validation behavior that best fits each mail flow scenario.

Admins can now configure:

Opportunistic (default): Exchange Online attempts SMTP DANE and MTA‑STS validation when available but continues delivery if the destination does not support them.
Mandatory (SMTP DANE only): Enforces full SMTP DANE with DNSSEC validation. Mail is queued if validation fails or the destination does not support SMTP DANE.
None: Disables SMTP DANE and/or MTA‑STS validation for the connector, reducing security in favor of compatibility for specific partner scenarios.

These settings apply per connector, enabling granular control without impacting the tenant’s broader outbound mail flow behavior.

Why this matters

SMTP DANE with DNSSEC and MTA‑STS significantly raise the bar for transport‑level email security by protecting against downgrade attacks and malicious MX redirection. However, customers have told us that one‑size‑fits‑all enforcement can be challenging when sending mail to partners with inconsistent or misconfigured implementations.

Connector‑level modes allow customers to:

Enforce strict security where partners are fully compliant
Maintain reliable delivery for business‑critical partners still modernizing
Gradually increase security posture over time, without operational disruption