To the O365 "Exchange Online" team, welcome to the DANE SMTP community, congratulations and thanks!
You'll be in good company with comcast.net, gmx.de, web.de, transip.nl, domeneshop.no, active24.com, one.com, protonmail.ch, loopia.se, ...
I hope that like Comcast et al. you'll have the fortitude to enforce DANE policy even on the rare occasions that an occasional MX host has misconfigured TLSA records. The onus is on them to fix their settings, not everyone else to work around it. The more large senders implement DANE validation, the less credible it will be for a misconfigured receiving system to attempt to shift blame to the sender.
There are presently around 1k (out of 10.9 million) DNSSEC-signed domains where TLSA record lookups ServFail due to broken NSEC chains or outright blocking of TLSA queries by misconfigured middle-boxes. I'm working to get these fixed, and just this week ~600 such domains were resolved. I expect to see a similar number again get resolved soon, well before you go live, leaving only a tiny fraction of little-known problem domains. These too will have to fix the problems on their end.
Perhaps a prominent blog post announcing your intent to not downgrade security by glossing over problems with a tiny minority of remote sites will help motivate timely remediation in advance of your deployment. Good luck!