The Domain Name System (DNS) protocol is used by clients to find mail servers over the internet. DNS is unencrypted and unauthenticated by default, making it vulnerable to spoofing, tampering, and adversary‑in‑the‑middle attacks. As threat actors increasingly target the foundational layers of email delivery, modern DNS security protocols have become essential to protecting organizations.
To address these gaps, Exchange Online has invested heavily in modern, standards‑based DNS security – including DNSSEC, SMTP DANE, and MTA‑STS – to ensure mail is delivered over validated, encrypted, and tamper‑resistant channels by default wherever possible.
In this post, we will provide updates on these efforts and discuss upcoming plans to keep raising the email security bar.
DNSSEC Enablement Wizard for Exchange Online
To simplify adoption of SMTP DANE with DNSSEC, in Q3 of calendar year 2026 we’re releasing a DNSSEC Enablement Wizard in the Exchange Admin Center. This guided workflow:
- Validates DNS prerequisites
- Provisions the customer-specific DNSSEC‑capable mail flow endpoint
- Reduces configuration risk during MX transition
- Prepares the domain for SMTP DANE adoption
For customers who wish to fully enforce SMTP DANE with DNSSEC, PowerShell will remain the option for enabling SMTP DANE once DNSSEC enablement is complete, as described in "Set up inbound SMTP DANE with DNSSEC".
Control Outbound SMTP DANE & MTA‑STS Validation on Connectors
With a rollout that started in late February 2026, we introduced a new capability that gives admins explicit control over SMTP DANE and MTA‑STS validation behavior for messages sent over outbound connectors.
The MtaStsMode and SmtpDaneMode parameters on New/Set/Get-OutboundConnector let organizations choose how strictly Exchange Online enforces these security protocols on a per‑connector basis:
- Opportunistic (default): Exchange Online attempts SMTP DANE and/or MTA‑STS validation but still delivers mail if the destination doesn’t support them.
- None: Applies to both MTA-STS and SMTP DANE. Disables the validation entirely, which reduces the security of email sent over that connector by removing the MTA-STS and/or SMTP DANE protections designed to prevent downgrade attacks and spoofed MX redirection.
- Mandatory (SMTP DANE only): Enforces full SMTP DANE with DNSSEC validation. Mail is queued, and then rejected, if validation fails or the destination domain doesn’t support SMTP DANE with DNSSEC by the end of the queuing period.
This outbound connector capability makes it easier for customers to adopt stronger DNS‑based protections incrementally while maintaining compatibility with partner ecosystems.
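As an added example (not from the original post), the following PowerShell audits every outbound connector for the two modes described above and flags any connector where validation has been set to None. It assumes an existing Connect-ExchangeOnline session; the connector name 'Partner - Contoso' is a hypothetical placeholder, and the Set-OutboundConnector calls use -WhatIf so nothing changes until it is removed.

```powershell
# Added example: audit SMTP DANE / MTA-STS validation modes on outbound connectors.
# Assumes the ExchangeOnlineManagement module is loaded and Connect-ExchangeOnline
# has already been run with an account allowed to read and modify connectors.

$report = Get-OutboundConnector | ForEach-Object {
    $findings = @()

    # 'None' removes the downgrade and MX-redirection protections for this connector.
    if ("$($_.SmtpDaneMode)" -eq 'None') { $findings += 'SMTP DANE validation disabled' }
    if ("$($_.MtaStsMode)"   -eq 'None') { $findings += 'MTA-STS validation disabled' }

    [pscustomobject]@{
        Name         = $_.Name
        Enabled      = $_.Enabled
        SmtpDaneMode = $_.SmtpDaneMode
        MtaStsMode   = $_.MtaStsMode
        Finding      = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

# Connectors with a finding sort after the ones marked OK.
$report | Sort-Object Finding, Name | Format-Table -AutoSize

# Connectors that need review because at least one protocol is switched off.
$weakened = @($report | Where-Object { $_.Finding -ne 'OK' })
Write-Host "$($weakened.Count) connector(s) have validation set to None."

# Return a reviewed connector to the default behaviour.
# 'Partner - Contoso' is a hypothetical connector name.
Set-OutboundConnector -Identity 'Partner - Contoso' `
    -SmtpDaneMode Opportunistic -MtaStsMode Opportunistic -WhatIf

# Require SMTP DANE with DNSSEC for a partner known to publish TLSA records.
# Mail is queued and then rejected if validation fails, so confirm partner
# support before removing -WhatIf.
Set-OutboundConnector -Identity 'Partner - Contoso' -SmtpDaneMode Mandatory -WhatIf
```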
What happened to auto-provisioning of DNSSEC-enabled mail flow records (A/AAAA)?
Due to internal infrastructure projects, we had to delay this DNS provisioning change until the second half of calendar year 2026. Gradually switching provisioning of all A records for new Accepted Domains into the new subdomains under mx.microsoft is still a priority for us, but making infrastructure changes is complex. Significant challenges have required us to re-order the work necessary to complete this change while maintaining service health and reliability.
Original announcement: Implementing Inbound SMTP DANE with DNSSEC for Exchange Online Mail Flow | Microsoft Community Hub.
Are there any planned updates to mail.protection.outlook.com?
Currently, there are no plans to enable DNSSEC on the mail flow domain mail.protection.outlook.com. Customers who require DNSSEC for inbound mail will still need to transition to the DNSSEC-capable dedicated subdomains within mx.microsoft. As MX changes can be operationally sensitive, we built the DNSSEC Enablement Wizard to ease the friction of this change.
In the early third quarter of 2026, mail.protection.outlook.com will receive TCP and EDNS support. This modernization improves reliability and enables future security enhancements at cloud scale.
Raising the Security Bar – Together
Across these investments, our goal is simple: make strong email security the default, without introducing additional operational complexity or overhead. DNSSEC, SMTP DANE, and MTA‑STS directly address long‑standing weaknesses in the global email ecosystem, and Exchange Online is committed to leading the industry in deploying these foundational protections at scale.
By modernizing our DNS infrastructure, providing safer tooling for domain transitions, and giving customers finer control over protocol enforcement, we’re continuing to raise the security bar for all Exchange Online customers—and making it easier than ever to adopt modern DNS security.
Microsoft 365 Messaging Team