Blog Post

Exchange Team Blog
6 MIN READ

Trust DigiCert Global Root G2 Certificate Authority to Avoid Exchange Online Email Disruption

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Jan 28, 2026
EDIT 2/4/2026: We’ve been notified that some email providers may distrust the DigiCert G1 root on April 15, which could result in broad ecosystem‑wide email impact. To ensure Exchange Online can rota...
Updated Feb 10, 2026
Version 4.0
announcements
exchange online
on premises
security
transport
Pankaj_Messaging_Specialist's avatar
Pankaj_Messaging_Specialist
Brass Contributor
Feb 11, 2026

Arindam_Thokder​ Nino_Bilic​ 

1. I am still trying to figure it out what do you mean by connecting directly to exchange online and only those are impacted, like every machine is somewhere connecting to exchange online to send\receive emails i.e. Outlook, windows mail, MacOS, apple email and exchange online endpoints, i.e. smtp.office365.com, outlook.office365.com, imap and pop.

 

So these are not impacted because Microsoft is taking care, correct?

 

2. if exchange online endpoint being used by third party application (vendor) then they need to update\trust DigiCert Root certificate, right?

 

3. we have Linux OS\system but I think they are using SMTP Relay(Exchange on-premise) to send an email, which I believe already covered as SMTP relay compliant with DigiCert Root Cert, correct?

 

4. we do not see any GPO and separate server to host custom certificate then it means CTL is enabled at our org, I am asking because my AD team is not able to confirm if CTL is enabled or disabled at the org. ?

 

5. Microsoft confirmed that servers\clients directly connecting to Exchange online would impact if cert not trust, so that means local machine\servers not in the SMTP mail flow would not impact and nothing related to this certificate, correct?

  • Arindam_Thokder's avatar
    Arindam_Thokder
    Icon for Microsoft rankMicrosoft
    Feb 11, 2026

    Pankaj_Messaging_Specialist​
    1. Only devices/applications/servers that connect to Exchange Online over SMTP with TLS and send/receive email can be impacted. Systems using smtp.office365.com typically use SMTP. If they use SMTP with TLS and do not trust the required certificate, they will be affected. As far as I know, Outlook, macOS Mail, and Apple Mail generally do not connect to Exchange Online over SMTP for mailbox access. But if these clients are configured to send email directly to Exchange online by connecting to an SMTP endpoint like smtp.office365.com, then of Course they could be impacted.  

    2. I already answered this to you earlier. Yes, if third party application connects to Exchange Online over SMTP (irrespective of any endpoint), they need to  update\trust DigiCert Root certificate.

    3. This was also answered to you earlier, and I hope it is clear by now that 3rd party not connecting to Exchange online directly (and relaying though Exchange on premises) are not impacted by this. 

    4. This is outside my area of expertise.

    5. Again, I hope it is clear by now that local machines not connecting to Exchange online over SMTP is not impacted.  

    • Pankaj_Messaging_Specialist's avatar
      Pankaj_Messaging_Specialist
      Brass Contributor
      Feb 11, 2026

      Thanks Arindam_Thokder​  I have one the vendor application they are using Graph API to send emails and if they are impacted by this change or not. 

      also, they tried to upload the DigiCert Root G2 certificate but after installing cert Graph API failing, any insight.