Sep 17 2023 06:47 AM
TechCommunity and @The_Exchange_Team,
In the article "Introducing MTA-STS for Exchange Online," there's a statement:
@The_Exchange_Team wrote:
We do not support CNAMEs when MTA-STS is used. If a domain uses a CNAME and follows the MTA-STS RFC, that domain will fail our MTA-STS checks, and will not receive emails from us.
I have several technical questions regarding this:
Looking for technical clarifications on these points.
Sep 18 2023 05:52 AM
Hi @databender,
I will try to be technical, but also a bit casual for better understanding:
1. CNAME Reference:
- When they mention "a domain using a CNAME," they mean it's not just about email servers. It's mostly about using CNAME records for a specific kind of email security thing called MTA-STS. Think of CNAMEs like shortcuts.
2. CNAME Usage:
- They say, "Hey, don't use CNAMEs for MTA-STS," because they want email to be super safe. MTA-STS is like a bodyguard for emails, making sure they're secure. But when we use CNAMEs, it can make the bodyguard's job harder.
- Microsoft wants email deliveries to be as safe as possible. So, they say, "Let's not use CNAMEs for MTA-STS." Safety is their top priority!
3. Record Type Implications:
- Now, when it comes to using A/AAAA records (these are like direct addresses) instead of CNAME records (which are like detours) for MTA-STS, here's the deal: A/AAAA records give us more control. It's like knowing exactly where you're going.
- But with CNAMEs, it's like taking a longer route, and sometimes, that can lead to security issues. Bad guys might try to mess with the directions, and that's a no-no.
- So, Microsoft says, "Let's stick to A/AAAA records for MTA-STS to keep email super secure."
MTA-STS (Strict Transport Security) (msxfaq.de)
MTA-STS (Strict Transport Security) - Frankys Web
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it a Like.
Kindest regards,
Leon Pavesic
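An added example, not part of the original thread and not Microsoft's code: an offline audit over constructed zone data that reports whether each of the two names MTA-STS relies on, the `_mta-sts` TXT record and the `mta-sts` policy host, is published directly or through a CNAME. The domains, addresses and the helper names `parse_zone` and `audit_mta_sts` are assumptions for illustration; the thread does not say which of these records the quoted statement covers, so both are reported.

```python
# Constructed zone data for illustration (documentation domains and addresses).
ZONE = """\
example.com.            3600 IN MX    10 mail.example.com.
mail.example.com.       3600 IN A     192.0.2.10
_mta-sts.example.com.   3600 IN TXT   "v=STSv1; id=20230917T000000"
mta-sts.example.com.    3600 IN CNAME policy.hosting.example.net.
example.org.            3600 IN MX    10 mx.example.org.
_mta-sts.example.org.   3600 IN CNAME _mta-sts.provider.example.net.
mta-sts.example.org.    3600 IN A     192.0.2.20
mta-sts.example.org.    3600 IN AAAA  2001:db8::20
"""

def parse_zone(text):
    """Return {owner_name: [(rtype, rdata), ...]} from 'name ttl IN type rdata' lines."""
    records = {}
    for line in text.splitlines():
        parts = line.split(None, 4)  # rdata stays whole, so TXT values keep their ';'
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        name, _ttl, _cls, rtype, rdata = parts
        records.setdefault(name.lower().rstrip("."), []).append((rtype.upper(), rdata.strip()))
    return records

def audit_mta_sts(records, domain):
    """Report how the two MTA-STS names for `domain` are published."""
    domain = domain.lower().rstrip(".")
    expected = {
        "_mta-sts." + domain: {"TXT"},       # policy indicator record
        "mta-sts." + domain: {"A", "AAAA"},  # host serving /.well-known/mta-sts.txt
    }
    report = {}
    for name, direct_types in expected.items():
        types = {rtype for rtype, _ in records.get(name, [])}
        if "CNAME" in types:
            target = next(rd for rt, rd in records[name] if rt == "CNAME")
            report[name] = "CNAME -> " + target
        elif types & direct_types:
            report[name] = "direct " + "/".join(sorted(types & direct_types))
        else:
            report[name] = "missing"
    return report

if __name__ == "__main__":
    zone = parse_zone(ZONE)
    for d in ("example.com", "example.org"):
        for name, status in audit_mta_sts(zone, d).items():
            print(f"{name:28} {status}")
```
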
Sep 18 2023 07:50 PM