Microsoft is committed to providing world-class email security solutions and the support for the latest Internet standards in order to provide advanced email protection for our customers. Today we ar...
Updated Oct 16, 2023
Version 2.0
Blog Post
Also for on-premise exchange, inbound DANE does not require anything special in Exchange, you just need a DNSSEC-signed domain and published TLSA records matching your server certificate. New code in Exchange is only needed for verifying DANE *outbound*.
That said, inbound DANE requires monitoring, and a well thought out, automated certificate rollover process that does not periodically invalidate the published TLSA records. So while Exchange does not need new code, the "orchestration" of certificates and matching TLSA records can benefit from robust automation, and built-in monitoring. Just "fire-and-forget" is not a good deployment model for DANE, planning and monitoring are key. If appropriate orchestration tools were added to on-premise Exchange some day, that'd be super.