Update 7/17/2024: the Public Preview for Inbound SMTP DANE with DNSSEC is currently rolling out. General Availability has been delayed to October 2024.
As previously announced, in July 2024 Microsoft is releasing a Public Preview for Inbound SMTP DANE with DNSSEC for Exchange Online mail flow. This will complete Exchange Online’s support for SMTP DANE with DNSSEC, as outbound SMTP DANE with DNSSEC has been supported since March 2022.
SMTP DANE is a security protocol that uses DNS to verify the authenticity of the certificates used to secure email communication with TLS, protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks against DNS.
To support inbound SMTP DANE with DNSSEC, we built new DNS infrastructure for Exchange Online that will be secured by DNSSEC. This new architecture will impact legacy Exchange Online DNS infrastructure, specifically the domain mail.protection.outlook.com, which is the domain that hosts current customers’ A records for mail flow to Exchange Online. Because DNS is a backend service that is often treated as ‘set-it-and-forget-it’, we wanted to bring this to the attention of the email community at large so everyone has advance notice prior to the Public Preview in July 2024. If you are an email admin, or a third-party organization that resells Microsoft 365 or integrates with Exchange Online for mail flow purposes, you should review this post to understand whether you have any action items to take before the feature releases.
How will we release SMTP DANE with DNSSEC?
The initial support for inbound SMTP DANE with DNSSEC will come in two waves:
This change spans the provisioning of Mail Exchange (MX) records and Address (A) records for mail flow of Accepted Domains (also known as vanity domains), and specifically the zones where Microsoft will provision future A records. The key change is the introduction of the subdomains <subdomain>.mx.microsoft, which will replace mail.protection.outlook.com for hosting the A records of future Accepted Domains. We must use many subdomains instead of one very large domain due to scale limitations with DNSSEC.
Current State: Today, when an Accepted Domain is created, Exchange Online provisions an A record in mail.protection.outlook.com and the admin configures an MX record that references that A record. For these records, nothing changes. For example, if an admin adds Contoso.com as an Accepted Domain before October 2024, the Microsoft 365 Admin Center will show this:
The Change: Starting October 2024, a portion of new A records will be provisioned in one of many subdomains under the domain mx.microsoft. This will be a gradual increase between October and December 2024, with the goal of 100% of Accepted Domains being provisioned in the subdomains under mx.microsoft by December 2024. The tenant admin must configure an MX record that references the correct A record in its specific subdomain. This is the only change to the admin experience when manually configuring Accepted Domains for the first time. For Accepted Domains created before October 2024, Exchange PowerShell cmdlets will be released as part of our Inbound SMTP DANE with DNSSEC Public Preview and can be used to migrate DNS records into the DNSSEC-secured domains. A DNSSEC-enablement wizard will be released by the end of CY24 to ease the experience.
Continuing with the Contoso.com example, if the Contoso.com admin adds Fabrikam.com as an Accepted Domain (not as the onmicrosoft.com domain for the tenant) after October 2024, the Microsoft 365 admin center could show this:
As the ‘1j2b’ portion of the domain name is randomly assigned, this change introduces some ambiguity into auto-provisioning of MX records and will pose a problem for anyone who uses automation to auto-provision MX records that reference A records in mail.protection.outlook.com. Starting October 2024, resellers and customers using automation to create MX DNS records cannot rely on A records always being provisioned in mail.protection.outlook.com.
Doing this will layer DNSSEC into mail flow for the service, and we are giving DNSSEC away because of the significant security benefits it brings. While mail.protection.outlook.com will remain operational indefinitely, we will stop provisioning future Accepted Domain A records to this domain, and it will not receive any new DNS enhancements such as SMTP DANE with DNSSEC. Starting in July 2024 as part of the Public Preview, customers will be able to use the Microsoft 365 Admin Center and/or Exchange PowerShell to migrate their mail flow DNS records out of mail.protection.outlook.com and into the new subdomains under mx.microsoft in order to enable DNSSEC for a particular Accepted Domain, and then enable SMTP DANE on that DNSSEC-enabled Accepted Domain.
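The automation pitfall described above, as an added example that is not Microsoft's code: a small audit that compares the MX records a provisioning pipeline publishes with the host Exchange Online actually assigned to each Accepted Domain. It assumes the legacy host shape `<domain-with-dashes>.mail.protection.outlook.com`, assumes the new hosts take the shape `<label>.<random subdomain>.mx.microsoft`, and uses constructed records only (the `1j2b` label is the random one from the post, reused here as sample data).

```python
"""Audit MX records a pipeline publishes for Exchange Online Accepted Domains
against the A-record host Microsoft provisioned. All data below is constructed."""
import re

LEGACY_ZONE = "mail.protection.outlook.com"
DNSSEC_ZONE = "mx.microsoft"
# Assumed shape of the new hosts: <label>.<random subdomain>.mx.microsoft
DNSSEC_HOST = re.compile(r"^[a-z0-9-]+\.[a-z0-9]+\." + re.escape(DNSSEC_ZONE) + r"$")


def legacy_host(accepted_domain: str) -> str:
    """Host a legacy pipeline assumes: dots in the domain become dashes."""
    return accepted_domain.lower().rstrip(".").replace(".", "-") + "." + LEGACY_ZONE


def classify(host: str) -> str:
    """Return 'legacy', 'dnssec' or 'other' for an MX target hostname."""
    h = host.lower().rstrip(".")
    if h.endswith("." + LEGACY_ZONE):
        return "legacy"
    if DNSSEC_HOST.match(h):
        return "dnssec"
    return "other"


def audit_mx(accepted_domain: str, provisioned_host: str,
             published_mx: list[tuple[int, str]]) -> list[str]:
    """Compare published MX targets with the provisioned host; [] means correct."""
    findings = []
    want = provisioned_host.lower().rstrip(".")
    targets = {t.lower().rstrip(".") for _, t in published_mx}
    if want not in targets:
        findings.append(f"{accepted_domain}: MX does not reference provisioned host {want}")
    if classify(want) == "dnssec" and legacy_host(accepted_domain) in targets:
        findings.append(f"{accepted_domain}: MX still targets {LEGACY_ZONE}; "
                        "automation assumed the legacy zone")
    for pref, t in published_mx:
        if classify(t) == "other":
            findings.append(f"{accepted_domain}: unexpected MX target {t} (pref {pref})")
    return findings


# Constructed scenario: Contoso was provisioned before October 2024 (legacy zone),
# Fabrikam afterwards, landing in a random mx.microsoft subdomain.
PROVISIONED = {
    "contoso.com": "contoso-com.mail.protection.outlook.com",
    "fabrikam.com": "fabrikam-com.1j2b.mx.microsoft",  # '1j2b' is random, sample only
}
# What a pipeline that still assumes the legacy zone would publish for each domain.
PUBLISHED = {d: [(0, legacy_host(d))] for d in PROVISIONED}


def run_audit() -> dict[str, list[str]]:
    return {d: audit_mx(d, PROVISIONED[d], PUBLISHED[d]) for d in PROVISIONED}
```

Run `run_audit()` to see Contoso pass and Fabrikam fail twice: the MX misses the provisioned host and still points at the legacy zone, which is exactly the break the post warns automation owners about.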
What does this mean for you?
As a result of the changes outlined above, there are some things you may need to consider:
Limitations
As we get closer to supporting Inbound SMTP DANE with DNSSEC, we have identified some scenarios that will not initially be supported:
Feedback
We value your feedback and want to hear from you if you have concerns or dependencies that we may have not addressed. Please comment on this post if you have any feedback or concerns and we will reach out to you directly as needed.
We understand that change can be difficult, but in this case, it's required to ensure the continued smooth operation of mail flow in Exchange Online. We appreciate your cooperation and support as we work to enhance the security and reliability of email delivery for Microsoft 365.
Microsoft 365 Messaging Team