Search

MC711018 – (Updated) Microsoft Exchange Online: Support for inbound SMTP DANE with DNSSEC

Microsoft Exchange Logo

check before: 2024-07-01

Product:

Exchange, Power Automate

Platform:

Online, US Instances, World tenant

Status:

In development

Change type:

Admin impact, New feature, Updated message, User impact

Links:

63213

Details:

Summary:
Microsoft Exchange Online is updating to support inbound SMTP DANE with DNSSEC. Public Preview begins in July 2024, with General Availability rolling out from early September to late October 2024. This feature will be off by default and can be enabled using Exchange PowerShell, with a new experience for enabling without PowerShell coming by the end of 2024. There are specific supported and unsupported domain configurations to consider.

Details:
Updated July 17, 2024: We have updated the rollout timing below. Thank you for your patience.
We are adding support for DNS-based Authentication of Named Entities (or DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS-spoofing and adversary-in-the-middle attacks to DNS.
This message is associated with Microsoft 365 Roadmap ID 63213.
[When this will happen:]

Public Preview: We will begin rolling out in July 2024.

General Availability: We begin rolling out early September 2024 (previously late August) and expect to complete by late October 2024 (previously late September).

Change Category:
XXXXXXX ...

Scope:
XXXXXXX ...

Release Phase:
General Availability, Preview

Created:
2024-01-30

updated:
2024-08-10

Public Preview Start Date

XXXXXXX ...

Task Type

XXXXXXX ...

Docu to Check

XXXXXXX ...

MS How does it affect me

XXXXXXX ...

MS Preperations

XXXXXXX ...

MS Urgency

XXXXXXX ...

MS workload name

XXXXXXX ...

linked item details

XXXXXXX ...

Direct effects for Operations**

- Direct Impact on IT Operations
- Potential disruptions in email flow during the transition to DANE and DNSSEC, especially if domain configurations are not properly reviewed and updated.
- Roles impacted: IT Operations Team, Network Administrators
- Increased complexity in managing email security protocols, requiring additional training and updates to operational procedures.
- Roles impacted: IT Security Team, System Administrators
- Need for monitoring and troubleshooting tools to ensure the proper functioning of DANE and DNSSEC, which may require additional resources or updates to existing tools.
- Roles impacted: IT Support Staff, System Administrators

- Direct Impact on IT Services
- Compatibility issues with third-party gateways and connectors, which may lead to service interruptions if not properly configured before enabling DANE and DNSSEC.
- Roles impacted: IT Service Managers, Application Administrators
- Risk of email delivery failures if unsupported domain configurations are in use, potentially affecting communication with external partners and clients.
- Roles impacted: IT Service Managers, Business Continuity Managers
- Increased load on IT support due to user inquiries and issues arising from the new security protocols, necessitating enhanced support resources.
- Roles impacted: IT Helpdesk Staff, IT Support Managers

- Direct Impact on IT Users
- Possible delays in email delivery or access issues during the rollout period, which could hinder productivity and communication.
- Roles impacted: All End Users, Department Managers
- Users may experience confusion or frustration if they encounter issues related to the new security protocols without adequate communication and training.
- Roles impacted: All End Users, Training Coordinators
- Changes in email authentication processes may require users to adapt to new security measures, impacting their workflow and requiring additional support.
- Roles impacted: All End Users, IT Training Staff

References:
- Microsoft Learn on SMTP DANE: [How SMTP DNS-based Authentication of Named Entities (DANE) secures email communications](https://learn.microsoft.com/purview/how-smtp-dane-works?view=o365-worldwidehow-can-exchange-online-customers-use-smtp-dane-inbound)
- Microsoft Tech Community Blog on implementing DANE with DNSSEC: [Implementing Inbound SMTP DANE with DNSSEC for Exchange Online](https://techcommunity.microsoft.com/t5/exchange-team-blog/implementing-inbound-smtp-dane-with-dnssec-for-exchange-online/ba-p/3939694)

Opportunities**

XXXXXXX ...

Potentional Risks**

XXXXXXX ...

** AI generated content. This information is not reliable.

the free basic plan is required to see all details. Sign up here


A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.



change history

DatePropertyoldnew
2024-07-18MC Last Updated06/21/2024 20:09:362024-07-17T18:09:15Z
2024-07-18MC MessagesUpdated June 21, 2024: We have updated the rollout timing below. Thank you for your patience.
We are adding support for DNS-based Authentication of Named Entities (or DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS-spoofing and adversary-in-the-middle attacks to DNS.
This message is associated with Microsoft 365 Roadmap ID 63213.
[When this will happen:]

Public Preview: We will begin rolling out in July 2024.

Standard Release: We begin rolling out late August 2024 (previously late June) and expect to complete by late September 2024 (previously late July).
Updated July 17, 2024: We have updated the rollout timing below. Thank you for your patience.
We are adding support for DNS-based Authentication of Named Entities (or DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS-spoofing and adversary-in-the-middle attacks to DNS.
This message is associated with Microsoft 365 Roadmap ID 63213.
[When this will happen:]

Public Preview: We will begin rolling out in July 2024.

General Availability: We begin rolling out early September 2024 (previously late August) and expect to complete by late October 2024 (previously late September).
2024-07-18MC End Time11/04/2024 08:00:002025-01-13T08:00:00Z
2024-07-18MC SummaryMicrosoft Exchange Online is updating to support inbound SMTP DANE with DNSSEC. Public Preview begins in July 2024, with Standard Release from late August to late September 2024. The feature will be off by default and can be enabled via Exchange PowerShell, with a new experience coming by end of 2024. Review domain configurations and visit the Microsoft Community Hub for detailed information on limitations and preparation. Roadmap ID: 63213.Microsoft Exchange Online is updating to support inbound SMTP DANE with DNSSEC. Public Preview begins in July 2024, with General Availability rolling out from early September to late October 2024. This feature will be off by default and can be enabled using Exchange PowerShell, with a new experience for enabling without PowerShell coming by the end of 2024. There are specific supported and unsupported domain configurations to consider.
2024-06-22MC Last Updated04/15/2024 23:43:582024-06-21T20:09:36Z
2024-06-22MC MessagesUpdated April 15, 2024: We have updated the timing of the Preview below. Thank you for your patience.
We are adding support for DNS-based Authentication of Named Entities (or DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS-spoofing and adversary-in-the-middle attacks to DNS.
This message is associated with Microsoft 365 Roadmap ID 63213.
[When this will happen:]

Public Preview: We will begin rolling out in May 2024.

Standard Release: We begin rolling out late June 2024 and expect to complete by late July 2024.
Updated June 21, 2024: We have updated the rollout timing below. Thank you for your patience.
We are adding support for DNS-based Authentication of Named Entities (or DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS-spoofing and adversary-in-the-middle attacks to DNS.
This message is associated with Microsoft 365 Roadmap ID 63213.
[When this will happen:]

Public Preview: We will begin rolling out in July 2024.

Standard Release: We begin rolling out late August 2024 (previously late June) and expect to complete by late September 2024 (previously late July).
2024-06-22MC End Time09/06/2024 09:00:002024-11-04T08:00:00Z
2024-06-22MC SummaryMicrosoft Exchange Online will support inbound SMTP DANE with DNSSEC starting from lMay 2024. Inbound SMTP DANE with DNSSEC will be off by default, and if you do not want to enable the feature, you do not need to do anything. If you want to enable the feature, follow the documentation using Exchange PowerShell. Review your domain configuration internally to ensure you won't be impacted by any of the limitations.Microsoft Exchange Online is updating to support inbound SMTP DANE with DNSSEC. Public Preview begins in July 2024, with Standard Release from late August to late September 2024. The feature will be off by default and can be enabled via Exchange PowerShell, with a new experience coming by end of 2024. Review domain configurations and visit the Microsoft Community Hub for detailed information on limitations and preparation. Roadmap ID: 63213.
2024-04-16MC MessagesUpdated February 16, 2024: We have updated the content below for clarity Thank you for your patience.
We are adding support for DNS-based Authentication of Named Entities (or DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS-spoofing and adversary-in-the-middle attacks to DNS.
This message is associated with Microsoft 365 Roadmap ID 63213.
[When this will happen:]

Public Preview: We will begin rolling out late March 2024 and expect to complete by late April 2024.

Standard Release: We begin rolling out late June 2024 and expect to complete by late July 2024.
Updated April 15, 2024: We have updated the timing of the Preview below. Thank you for your patience.
We are adding support for DNS-based Authentication of Named Entities (or DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS-spoofing and adversary-in-the-middle attacks to DNS.
This message is associated with Microsoft 365 Roadmap ID 63213.
[When this will happen:]

Public Preview: We will begin rolling out in May 2024.

Standard Release: We begin rolling out late June 2024 and expect to complete by late July 2024.
2024-04-16MC Last Updated02/17/2024 00:20:422024-04-15T23:43:58Z
2024-04-16MC SummaryMicrosoft Exchange Online will support inbound SMTP DANE with DNSSEC starting from late March 2024. Inbound SMTP DANE with DNSSEC will be off by default, and if you do not want to enable the feature, you do not need to do anything. If you want to enable the feature, follow the documentation using Exchange PowerShell. Review your domain configuration internally to ensure you won't be impacted by any of the limitations.Microsoft Exchange Online will support inbound SMTP DANE with DNSSEC starting from lMay 2024. Inbound SMTP DANE with DNSSEC will be off by default, and if you do not want to enable the feature, you do not need to do anything. If you want to enable the feature, follow the documentation using Exchange PowerShell. Review your domain configuration internally to ensure you won't be impacted by any of the limitations.
2024-02-17MC prepareReview your domain configuration internally to ensure you won’t be impacted by any of the limitations below, and visit Implementing Inbound SMTP DANE with DNSSEC for Exchange Online Mail Flow - Microsoft Community Hub for more detailed information on limitations:
Not supported: Fully delegated domain, onmicrosoft.com domains, and domains purchased from Microsoft known as “viral” or self-service sign-up domains

Supported with risk: 3rd-party gateways and integration with mail flow
https://learn.microsoft.com/purview/how-smtp-dane-works?view=o365-worldwide#how-can-exchange-online-customers-use-smtp-dane-inbound
https://techcommunity.microsoft.com/t5/exchange-team-blog/implementing-inbound-smtp-dane-with-dnssec-for-exchange-online/ba-p/3939694
https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=63213
Review your domain configuration internally to ensure you won’t be impacted by any of the limitations below, and visit Implementing Inbound SMTP DANE with DNSSEC for Exchange Online Mail Flow - Microsoft Community Hub for more detailed information on limitations:
Not supported: Fully delegated domain, onmicrosoft.com domains, and domains purchased from Microsoft known as “viral” or self-service sign-up domains
Supported with risk: 3rd-party gateways, connectors, and integration with hybrid mail flow (ex. if you are using a connector to smarthost to a domain that you want to enable with DNSSEC, you need to update the smarthost name for that connector [ex. contoso-com.mail.protection.outlook.com] to match the new MX record that will be provided during DNSSEC enablement or, preferably, to match the tenant's onmicrosoft.com domain [ex. tenant-name.onmicrosoft.com] before enabling the feature.)
https://learn.microsoft.com/purview/how-smtp-dane-works?view=o365-worldwide#how-can-exchange-online-customers-use-smtp-dane-inbound
https://techcommunity.microsoft.com/t5/exchange-team-blog/implementing-inbound-smtp-dane-with-dnssec-for-exchange-online/ba-p/3939694
https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=63213
2024-02-17MC SummaryMicrosoft Exchange Online will support inbound SMTP DANE with DNSSEC starting from late March 2024. Inbound SMTP DANE with DNSSEC will be off by default, and if you do not want to enable the feature, you do not need to do anything. If you want to enable the feature, follow the documentation using Exchange PowerShell. Review your domain configuration internally to ensure you won't be impacted by any of the limitations.
2024-02-17MC Last Updated01/30/2024 00:51:592024-02-17T00:20:42Z
2024-02-17MC MessagesWe are adding support for DNS-based Authentication of Named Entities (or DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS-spoofing and adversary-in-the-middle attacks to DNS.
This message is associated with Microsoft 365 Roadmap ID 63213.
[When this will happen:]

Public Preview: We will begin rolling out late March 2024 and expect to complete by late April 2024.

Standard Release: We begin rolling out late June 2024 and expect to complete by late July 2024.
Updated February 16, 2024: We have updated the content below for clarity Thank you for your patience.
We are adding support for DNS-based Authentication of Named Entities (or DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS-spoofing and adversary-in-the-middle attacks to DNS.
This message is associated with Microsoft 365 Roadmap ID 63213.
[When this will happen:]

Public Preview: We will begin rolling out late March 2024 and expect to complete by late April 2024.

Standard Release: We begin rolling out late June 2024 and expect to complete by late July 2024.
2024-02-17MC TitleMicrosoft Exchange Online: Support for inbound SMTP DANE with DNSSEC(Updated) Microsoft Exchange Online: Support for inbound SMTP DANE with DNSSEC
2024-02-17MC MessageTagNamesNew feature, User impact, Admin impactUpdated message, New feature, User impact, Admin impact

Last updated 1 month ago

Share to MS Teams

Login to your account

Welcome Back, We Missed You!