Exchange Team Blog

IPv6 updates for Exchange Online

The_Exchange_Team
Oct 30, 2024

Microsoft has recently introduced several key updates to IPv6 traffic for Exchange Online. These updates are designed to enhance security, improve performance, and ensure compliance with modern Internet standards. This blog provides a summary of these changes and their implications for customers.

Outbound IPv6 Email

Although IPv6 has been supported for outbound mail for some time, we wanted to officially announce that Microsoft now uses IPv6 for email sent from Exchange Online. Generally, our platform prioritizes IPv6 addresses for outbound email traffic (if the recipient server supports it), favoring IPv6 AAAA records over IPv4 A records.

For instance, when sending messages to LinkedIn.com, the hostnames below are returned as MX records. Each MX record carries a preference value (also called priority); lower numbers mean higher priority, and sending servers attempt delivery to the MX host with the lowest preference value first. When several MX records share the same preference value, the sender may choose among them based on other factors, such as whether an IPv6 or IPv4 address is available. In this example, we first try all the IPv6 addresses for mail-a, mail-c and mail-d (which share a preference value of 10), then their IPv4 addresses, and only then move on to mail.linkedin.com, whose preference value of 20 makes it the lower-priority option. In certain scenarios IPv4 may still be prioritized; in those cases we try the IPv4 addresses first, then IPv6, before falling back to the lower-priority host.

Preference   Hostname              IP
10           mail-a.linkedin.com   108.174.0.215
10           mail-a.linkedin.com   2620:119:50c0:207::215
10           mail-c.linkedin.com   108.174.3.215
10           mail-c.linkedin.com   2620:109:c006:104::215
10           mail-d.linkedin.com   108.174.6.215
10           mail-d.linkedin.com   2620:109:c003:104::215
20           mail.linkedin.com     108.174.0.215
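The ordering rule described above, as an added example that is not Exchange Online's code: the MX and address records from the LinkedIn.com table are embedded as constructed DNS answers so the script runs offline, and prefer_ipv6=False models the scenarios in which IPv4 is tried first. Equal-preference hosts are kept in name order here for determinism; a real MTA may shuffle them within a tier.

```python
from ipaddress import ip_address
from itertools import groupby

# Constructed DNS answers mirroring the LinkedIn.com table above (not a live lookup).
MX_RECORDS = [  # (preference, hostname)
    (10, "mail-a.linkedin.com"),
    (10, "mail-c.linkedin.com"),
    (10, "mail-d.linkedin.com"),
    (20, "mail.linkedin.com"),
]
ADDRESS_RECORDS = {  # hostname -> A and AAAA answers
    "mail-a.linkedin.com": ["108.174.0.215", "2620:119:50c0:207::215"],
    "mail-c.linkedin.com": ["108.174.3.215", "2620:109:c006:104::215"],
    "mail-d.linkedin.com": ["108.174.6.215", "2620:109:c003:104::215"],
    "mail.linkedin.com": ["108.174.0.215"],  # no AAAA record: IPv4 only
}


def delivery_order(mx_records, address_records, prefer_ipv6=True):
    """Return [(preference, hostname, ip), ...] in the order a sender tries them.

    Lowest preference value first. Within one preference tier every host's
    preferred-family address is tried before any host's other-family address,
    and the next tier is only reached once the whole tier is exhausted.
    """
    first, second = (6, 4) if prefer_ipv6 else (4, 6)
    attempts = []
    for pref, tier in groupby(sorted(mx_records), key=lambda rec: rec[0]):
        hosts = [host for _, host in tier]
        for family in (first, second):
            for host in hosts:
                for addr in address_records.get(host, []):
                    if ip_address(addr).version == family:
                        attempts.append((pref, host, addr))
    return attempts


def first_attempt(mx_records, address_records, prefer_ipv6=True):
    """The single address a sender connects to first, or None if nothing resolves."""
    attempts = delivery_order(mx_records, address_records, prefer_ipv6)
    return attempts[0] if attempts else None


if __name__ == "__main__":
    for pref, host, addr in delivery_order(MX_RECORDS, ADDRESS_RECORDS):
        print(f"{pref:>3}  {host:<22} {addr}")
```

Running it prints the seven attempts in the order the table describes: the three AAAA targets of the preference-10 hosts, their three A targets, and finally the IPv4-only preference-20 host. Note that a host with no AAAA record is simply never tried over IPv6; nothing falls back to the other tier early.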

Inbound IPv6 email

Starting in mid-October, and rolling out over the next 3-6 months, we will begin gradually allocating IPv6 addresses to all customer Accepted Domains that use Exchange Online for inbound mail, including *.onmicrosoft.com domains. Customers will receive Message Center posts notifying them of the change before it is enabled in their tenant. Once IPv6 is enabled, email senders delivering messages into Exchange Online and querying the MX record hostnames for customer domains will now receive both IPv4 and IPv6 addresses (A and AAAA records). This modernization will help our customers comply with regulations and benefit from the enhanced security and performance offered by IPv6.  For most customers, this will be the new default behavior.

In some cases, activating IPv6 will change the source IP type (IPv4 vs IPv6) used by senders connecting to Exchange Online, because both ends of an SMTP connection must use the same IP version. Since RFC 5321 doesn't favor one IP version over the other, some senders may switch from IPv4 to IPv6 during this rollout. Note that for seamless mail flow over IPv6, senders must have a valid reverse DNS (PTR) record and must pass either SPF or DKIM verification.

For a small percentage of our customers, IPv6 will not be activated; these customers are automatically opted out of the IPv6 rollout for their Accepted Domain(s) because they have dependencies on IPv4, and introducing IPv6 might affect their mail flow. Proper configuration is essential before enabling IPv6, because misconfiguration of the features listed below can disrupt mail flow. If our telemetry detects any of those configurations in a customer tenant, the tenant is automatically excluded from IPv6 enablement and the admin is notified of the opt-out status via a Message Center post. To use IPv6, such admins will need to enable it manually after ensuring their setup is configured properly for both IPv4 and IPv6.

Customers with the following configurations will be opted-out during this rollout to avoid any disruptions in mail flow.  At any time, a tenant admin can also opt out proactively using PowerShell, as detailed below.

  • Customers using Exchange Transport Rules (ETRs) with the SenderIPRanges predicate might experience issues. If a sender's connection to your tenant arrives over IPv6, a SenderIPRanges predicate that lists only the sender's IPv4 ranges no longer matches, so the rule silently stops applying to that mail and mail flow to your tenant is affected.
    • Prior to enabling IPv6: modify the Exchange Transport Rules that use the SenderIPRanges predicate to include your partners' IPv6 ranges, so the rules cover their traffic over both IP versions.
  • Customers using Microsoft Purview Data Loss Prevention (DLP) policies with the SenderIPRanges predicate may encounter the same issue: a connection from an IPv6 address does not match a predicate populated only with IPv4 ranges, so the policy does not fire as intended and mail flow to your tenant is affected.
    • Prior to enabling IPv6: update the Microsoft Purview DLP policies that use the SenderIPRanges predicate to include your partners' IPv6 ranges.
  • Customers using IP address-based Inbound Connectors in Exchange Online that reference IPv4 addresses might experience issues if the sender switches to IPv6: the connector no longer matches the sender's IP, and mail flow is affected.
    Prior to enabling IPv6, customers should:
    • Coordinate with the sender to ensure they continue connecting via IPv4; or
    • Convert the IP-based connector to a certificate domain-based connector. This applies to both On-Premises type (From: Your organization's email server, To: Office 365) and Partner type (From: Partner organization, To: Office 365) connectors.
  • Enhanced Filtering for Connectors: customers that have configured Enhanced Filtering for Connectors will need to review their configuration to ensure that both the IPv4 and IPv6 addresses of their specific devices are included. Note that IPv6 entries can only be added via PowerShell at this time.
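The SPF requirement for IPv6 senders noted in the previous section and the SenderIPRanges and IP-based connector opt-out reasons above share one failure mode: a list that contains only IPv4 addresses or ranges can never match a connection that arrives from an IPv6 address. The following is an added example, not Exchange Online's or Purview's code. The partner ranges, SPF records and connecting IPs are constructed from documentation prefixes, and the SPF evaluator is deliberately simplified to the ip4, ip6 and all mechanisms (no include, a, mx, exists or redirect), which is enough to show the gap.

```python
from ipaddress import ip_address, ip_network


def sender_in_ranges(connecting_ip, ranges):
    """Model of a SenderIPRanges predicate or an IP-based inbound connector.

    ipaddress treats an address of one family as never contained in a range of
    the other, so an IPv6 connection checked against IPv4-only ranges returns
    False and the rule, policy or connector silently does not apply.
    """
    ip = ip_address(connecting_ip)
    return any(ip in ip_network(r, strict=False) for r in ranges)


def missing_families(ranges):
    """Return the set of IP versions ({4, 6}) that the range list does not cover at all."""
    present = {ip_network(r, strict=False).version for r in ranges}
    return {4, 6} - present


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(record, connecting_ip):
    """Simplified SPF check: ip4, ip6 and all mechanisms only (RFC 7208 subset).

    Returns pass/fail/softfail/neutral. Raises ValueError on include, a, mx,
    exists or redirect, which this demo does not resolve.
    """
    ip = ip_address(connecting_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")  # splits at the first colon only
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # ip_network yields a /32 or /128 when no prefix length is given.
            if ip in ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"mechanism {name!r} is outside this simplified evaluator")
    return "neutral"  # no mechanism matched and no 'all' term present


# Constructed data (documentation prefixes): a partner that was IPv4-only and
# then added IPv6, plus the IPs its MTA connects from before and after the switch.
PARTNER_V4_ONLY = ["203.0.113.0/24"]
PARTNER_DUAL_STACK = ["203.0.113.0/24", "2001:db8:10::/48"]
SPF_V4_ONLY = "v=spf1 ip4:203.0.113.0/24 -all"
SPF_DUAL_STACK = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 -all"
CONNECT_V4 = "203.0.113.25"
CONNECT_V6 = "2001:db8:10:1::25"

if __name__ == "__main__":
    for label, ip in (("before switch", CONNECT_V4), ("after switch", CONNECT_V6)):
        print(f"{label}: predicate matches={sender_in_ranges(ip, PARTNER_V4_ONLY)}, "
              f"spf={spf_result(SPF_V4_ONLY, ip)}")
    print("families absent from predicate:", missing_families(PARTNER_V4_ONLY))
```

Which way the failure cuts depends on how the rule is written: a bypass or allow rule keyed on the partner's IPv4 ranges stops bypassing, while a restriction rule of the form "reject unless from these ranges" starts rejecting the partner's mail. On the SPF side, an ip4-only record with -all hard-fails the IPv6 connection, and if DKIM also fails the message fails DMARC, so running missing_families over every SenderIPRanges list and checking published SPF records for ip6 mechanisms is a quick pre-enablement audit.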

How to opt in to IPv6 inbound and confirm your status

To manually opt in to or out of IPv6 for your Accepted Domain(s), use the Enable-IPv6ForAcceptedDomain or Disable-IPv6ForAcceptedDomain cmdlet with the -Domain parameter. For more details on these cmdlets, refer to the cmdlet reference documentation.

For example:

Enable-IPv6ForAcceptedDomain -Domain contoso.com
Enable-IPv6ForAcceptedDomain -Domain contoso.onmicrosoft.com
Disable-IPv6ForAcceptedDomain -Domain contoso.com
Disable-IPv6ForAcceptedDomain -Domain contoso.onmicrosoft.com

Customers can check the status of their Accepted Domains using the new Get-IPv6StatusForAcceptedDomain cmdlet. Note that it may take up to an hour for a change to be reflected.

For example:

Get-IPv6StatusForAcceptedDomain -Domain contoso.com 

Microsoft Defender for Office 365: IPv6 allow and block support in the Tenant Allow/Block List

Admins can now create allow and block entries for IPv6 directly in the Tenant Allow/Block List in the Defender portal, or by using the New-TenantAllowBlockListItems cmdlet (ListType parameter with the value IP). This change does not affect any existing Tenant Allow/Block List entries, or IPv4 entries in the hosted connection filter policy or the enhanced filtering connection policy. It applies to customers with Exchange Online Protection or Microsoft Defender for Office 365 Plan 1 or Plan 2 service plans. Note that IPv4 entries are not yet accepted in this list (coming soon), and entry limits apply; see the Tenant Allow/Block List documentation for details.

Customers will be able to add these IPv6 allow and block entries in these formats:

  • Colon-hexadecimal notation single IPv6 address (for example, 2001:0db8:85a3:0000:0000:8a2e:0370:7334)
  • Zero compression single IPv6 address (for example, 2001:db8::1)
  • Classless inter-domain routing (CIDR) IPv6 (for example, 2001:0db8::/32). Supported prefix lengths are /1 through /128.
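An added example (not Microsoft's code) that validates a batch of entries against the three formats above before they are submitted with New-TenantAllowBlockListItems: it canonicalises each entry so duplicates that differ only in notation collapse to one, and rejects IPv4 addresses (not accepted in this list yet) and prefix lengths outside 1-128. The batch is constructed for the demonstration.

```python
from ipaddress import IPv6Network, ip_address, ip_network


def normalize_ipv6_entry(entry):
    """Return the canonical form of a Tenant Allow/Block List IPv6 entry.

    Accepts the three documented formats (full colon-hex, zero-compressed,
    CIDR with prefix /1-/128). Raises ValueError for IPv4, malformed text,
    or a prefix length outside 1-128.
    """
    text = entry.strip()
    try:
        # strict=False: host bits set in a CIDR entry are dropped, so
        # 2001:db8::1/64 becomes 2001:db8::/64 instead of raising.
        obj = ip_network(text, strict=False) if "/" in text else ip_address(text)
    except ValueError as exc:
        raise ValueError(f"{entry!r}: not a valid IP entry ({exc})") from None
    if obj.version != 6:
        raise ValueError(f"{entry!r}: IPv4 entries are not accepted in this list")
    if isinstance(obj, IPv6Network) and obj.prefixlen < 1:
        raise ValueError(f"{entry!r}: prefix length must be between 1 and 128")
    return str(obj)


def prepare_entries(entries):
    """Canonicalise a batch, drop duplicates, and collect rejection reasons."""
    accepted, seen, rejected = [], set(), []
    for entry in entries:
        try:
            canonical = normalize_ipv6_entry(entry)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        if canonical not in seen:
            seen.add(canonical)
            accepted.append(canonical)
    return accepted, rejected


# Constructed batch: the three formats from the post plus entries that must be rejected.
SAMPLE_BATCH = [
    "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
    "2001:db8::1",
    "2001:0db8::/32",
    "2001:db8::1",    # duplicate of an earlier entry
    "198.51.100.7",   # IPv4: not accepted in this list yet
    "2001:db8::/0",   # prefix length outside 1-128
    "2001:db8::/129",
]

if __name__ == "__main__":
    ok, bad = prepare_entries(SAMPLE_BATCH)
    print("accepted:", ok)
    print("rejected:", *bad, sep="\n  ")
```

Canonicalising before submission also keeps the list within its entry limits, since the same address written in full and in compressed form would otherwise consume two entries.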

The IPv6 updates for Exchange Online enhance security, performance, and compliance with modern standards. By prioritizing IPv6 for outbound email and enabling it for inbound mail, Microsoft is helping customers stay ahead of regulatory requirements. Customers should review their configurations to fully benefit from these updates.

Microsoft 365 Messaging Team

Updated Nov 06, 2024
Version 3.0
  • MicroUser1 (Copper Contributor)

    Will IPv6 be enabled for accepted domains with MX records under the DNSSEC enabled mx.microsoft? I get an error when using Get-IPv6StatusForAcceptedDomain for my domain that has an MX record ending in h-v1.mx.microsoft:

    PS> Get-IPv6StatusForAcceptedDomain -Domain example.com

    WARNING: DNS record has unexpected value for domain example.com. Expected: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/DNSSEC_Resources/providers/Microsoft.Network/dnszones/h-v1.mx.microsoft/CNAME/eop-EUR01-anchor, Actual: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/dnssec_resources/providers/Microsoft.Network/dnszones/h-v1.mx.microsoft/CNAME/eop-EUR01-v4-anchor.
    Result  Status  AdditionalInfo
    ------  ------  --------------
    Failure Enabled DNS record for the domain example.com has unexpected value.

    Other accepted domains in my tenant with MX records ending in mail.protection.outlook.com successfully show up as enabled (but no IPv6 addresses are returned for the MX hostname yet).

  • MicroUser1 - This is expected as mentioned in the message center post - MC835648

    "If you have enabled DNSSEC for mail flow, you may have issues executing the Get-IPv6StatusForAcceptedDomain cmdlet for the DNSSEC-enabled domain. We are rolling out the fix now. Please ensure to run Disable-IPv6ForAcceptedDomain to opt out of the IPv6 enablement if you need to opt a DNSSEC-enabled domain out of the IPv6 by default rollout. The IPv6 rollout will not affect DNSSEC-enabled domains until after Nov 18th."

  • IndiaYankee (Brass Contributor)

    Since you enabled the "key updates to IPv6 traffic for Exchange Online," we have begun experiencing issues with emails failing DMARC validation. This is particularly concerning because these emails are sent from our head office organization, and we know for a fact that our email policy is correctly configured.

    However, some emails are failing the SPF check, which subsequently causes DMARC to fail. Since our DMARC policy is set to "reject," these emails are being rejected. Notably, when we resend the same email, it gets delivered successfully.

    I have opened a support case with Microsoft, but so far, it hasn’t provided a resolution. We send our emails through a third-party hosted system, and as such, our MX record points to them. We have Enhanced Filtering configured, and everything has been working fine since 2018. These issues only started occurring around October 20th—after your IPv6 changes were implemented.

    Currently, we have not enabled IPv6 in our organization, nor do we have any plans to do so, as there is minimal IPv6 adoption in our region. From the extended reports in Exchange Online, it appears that our mail traffic is being processed by servers using IPv6 addresses owned by Microsoft. It seems that some DNS lookups performed by Exchange Online to verify our mail policy are being done using IPv6 exclusively. These IPv6 lookups return null responses from our SPF configuration, which only supports IPv4.

    This aligns with our theory regarding the root cause of these errors. While I understand that Microsoft had good intentions in activating this change, it is currently having a negative impact on our email traffic. To address this, we have disabled IPv6 in our domains to opt out of this change, and I have received confirmation that we have successfully opted out. However, the issue persists.