My take on the situation is that the wildcard certificate is intentionally (not by accident) compatible with PKIX validation and so also inbound MTA-STS. Compatibility with a wildcard certificate is surely why the MX host names use a single-label prefix like "example-com" rather than a more natural multi-label prefix like "example.com".
The DNS subject names in the certificate are:
mail.protection.outlook.com
*.mail.eo.outlook.com
*.mail.protection.outlook.com
mail.messaging.microsoft.com
outlook.com
*.olc.protection.outlook.com
*.pamx1.hotmail.com
Consequently, if a hosted domain wishes to publish an MTA-STS policy, it can already do so. For example, the policy for "outlook.com" (with MX host outlook-com.olc.protection.outlook.com) is:
version: STSv1
mode: testing
mx: *.olc.protection.outlook.com
max_age: 604800
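As an added illustration (not part of the original post) of why the single-label MX prefix matters: a leftmost "*" in both an MTA-STS mx pattern (RFC 8461) and a PKIX DNS-ID (RFC 6125) matches exactly one DNS label, so a dotted prefix like "example.com" would fall outside the wildcard. The SAN list and policy are the ones quoted above; the minimal policy parser and the dotted-prefix host name used as a counter-example are constructed for this illustration.

```python
# Single-label wildcard matching as used by MTA-STS 'mx' patterns
# (RFC 8461 s4.1) and PKIX DNS-ID checks (RFC 6125 s6.4.3). Added
# example, not code from the original post.

def wildcard_match(pattern: str, host: str) -> bool:
    """True if host matches pattern; '*' may only be the whole
    leftmost label and matches exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False                     # 'f*o.example' style is rejected
    suffix = pattern[1:]                 # e.g. ".mail.protection.outlook.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label   # one non-empty label, no dots

SANS = [  # subjectAltName DNS entries listed in the post
    "mail.protection.outlook.com", "*.mail.eo.outlook.com",
    "*.mail.protection.outlook.com", "mail.messaging.microsoft.com",
    "outlook.com", "*.olc.protection.outlook.com", "*.pamx1.hotmail.com",
]

POLICY_TEXT = """version: STSv1
mode: testing
mx: *.olc.protection.outlook.com
max_age: 604800
"""

def parse_policy(text: str) -> dict:
    """Minimal MTA-STS policy parser (constructed); 'mx' may repeat."""
    policy: dict = {"mx": []}
    for line in text.splitlines():
        key, sep, value = (s.strip() for s in line.partition(":"))
        if sep and key == "mx":
            policy["mx"].append(value)
        elif sep:
            policy[key] = value
    return policy

def cert_covers(sans, mx_host: str) -> bool:
    """PKIX name check: some DNS-ID in the certificate matches the MX host."""
    return any(wildcard_match(s, mx_host) for s in sans)

def policy_allows(policy: dict, mx_host: str) -> bool:
    """RFC 8461 s4.1: the MX host must match at least one 'mx' pattern."""
    return any(wildcard_match(p, mx_host) for p in policy["mx"])
```

With these, "example-com.mail.protection.outlook.com" is covered by the wildcard SAN while the constructed "example.com.mail.protection.outlook.com" is not, and the outlook.com MX host passes both the policy and the certificate check.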