check before: 2024-07-01
Product:
Exchange, Power Automate
Platform:
Online, US Instances, World tenant
Status:
Launched
Change type:
Admin impact, New feature, Updated message, User impact
Links:

Details:
Summary:
Microsoft Exchange Online now supports inbound SMTP DANE with DNSSEC, enhancing email security. The feature has been in General Availability since October 22, 2024. It is off by default and can be enabled via Exchange PowerShell, with a new enabling experience coming by the end of 2024. Additional information and limitations are detailed in the provided links.
Details:
Updated October 22, 2024: Inbound SMTP DANE with DNSSEC is now in General Availability. Thank you for your patience.
We are adding support for DNS-based Authentication of Named Entities (or DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used to secure email communication with TLS, and it protects against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks on DNS.
This message is associated with Microsoft 365 Roadmap ID 63213.
[When this will happen:]
Public Preview: We will begin rolling out in July 2024.
General Availability: We begin rolling out early September 2024 (previously late August) and expect to complete by late October 2024 (previously late September).
Release Phase:
General Availability, Preview
Created:
2024-01-30
updated:
2024-10-24
Direct effects for Operations**
Email Delivery Issues
If the feature is enabled without proper domain configuration, it may lead to email delivery failures due to misconfigured DNS records or unsupported domain types.
- roles: IT Administrator, Email Support Specialist
- references: https://learn.microsoft.com/purview/how-smtp-dane-works?view=o365-worldwide#how-can-exchange-online-customers-use-smtp-dane-inbound, https://techcommunity.microsoft.com/t5/exchange-team-blog/implementing-inbound-smtp-dane-with-dnssec-for-exchange-online/ba-p/3939694
Increased Support Tickets
Users may experience issues with email access or delivery, leading to an increase in support tickets and user frustration if the feature is enabled without adequate preparation.
- roles: Help Desk Technician, IT Support Manager
- references: https://learn.microsoft.com/purview/how-smtp-dane-works?view=o365-worldwide#how-can-exchange-online-customers-use-smtp-dane-inbound, https://techcommunity.microsoft.com/t5/exchange-team-blog/implementing-inbound-smtp-dane-with-dnssec-for-exchange-online/ba-p/3939694
Security Vulnerabilities
Enabling the feature without understanding its limitations may expose the organization to security vulnerabilities, especially if third-party gateways or hybrid mail flows are not properly configured.
- roles: Security Analyst, Network Administrator
- references: https://learn.microsoft.com/purview/how-smtp-dane-works?view=o365-worldwide#how-can-exchange-online-customers-use-smtp-dane-inbound, https://techcommunity.microsoft.com/t5/exchange-team-blog/implementing-inbound-smtp-dane-with-dnssec-for-exchange-online/ba-p/3939694
explanation for non-techies**
Microsoft Exchange Online has introduced a new feature called inbound SMTP DANE with DNSSEC, which is designed to enhance email security. To understand this change, think of it like adding a more secure lock to your front door. In the digital world, emails are like messages sent through a series of doors (servers) before reaching their destination. Each door needs to be securely locked to ensure that the message isn't tampered with or intercepted.
DANE (DNS-based Authentication of Named Entities) is like a special key that ensures the lock on each door is genuine and hasn't been swapped out for a weaker one. It uses DNS (Domain Name System) to verify the authenticity of the keys (certificates) used to secure email communication. This helps protect against certain types of attacks where someone might try to downgrade the security of the connection.
DNSSEC (Domain Name System Security Extensions) acts like a guard that verifies the authenticity of the information about these locks and keys. It ensures that the directions to the right doors (DNS records) haven't been tampered with, preventing someone from redirecting your message to a malicious door.
This feature is available now but is turned off by default. You can think of it like a new security system that you need to activate yourself if you want to use it. Initially, you can enable it using Exchange PowerShell, which is a bit like using a control panel to configure your security settings. By the end of 2024, Microsoft plans to make it easier to enable this feature without needing to use PowerShell.
There are some limitations to be aware of, similar to how certain types of locks might not fit every door. For example, certain domain types and configurations may not support this feature, and there are considerations if you're using third-party services or hybrid mail setups.
In summary, this update is about making email communication more secure by verifying the authenticity of the paths and locks used in the process. If you choose to enable it, you'll be adding an extra layer of protection to your email system.
** AI generated content. This information must be reviewed before use.

change history
Date | Property | old | new |
2024-10-24 | MC Messages | Updated July 17, 2024: We have updated the rollout timing below. Thank you for your patience.
We are adding support for DNS-based Authentication of Named Entities (or DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS-spoofing and adversary-in-the-middle attacks to DNS. This message is associated with Microsoft 365 Roadmap ID 63213. [When this will happen:] Public Preview: We will begin rolling out in July 2024. General Availability: We begin rolling out early September 2024 (previously late August) and expect to complete by late October 2024 (previously late September). | Updated October 22, 2024: Inbound SMTP DANE with DNSSEC is now in General Availability. Thank you for your patience.
We are adding support for DNS-based Authentication of Named Entities (or DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS-spoofing and adversary-in-the-middle attacks to DNS. This message is associated with Microsoft 365 Roadmap ID 63213. [When this will happen:] Public Preview: We will begin rolling out in July 2024. General Availability: We begin rolling out early September 2024 (previously late August) and expect to complete by late October 2024 (previously late September). |
2024-10-24 | MC Last Updated | 07/17/2024 18:09:15 | 2024-10-24T01:36:54Z |
2024-10-24 | MC Summary | Microsoft Exchange Online is updating to support inbound SMTP DANE with DNSSEC. Public Preview begins in July 2024, with General Availability rolling out from early September to late October 2024. This feature will be off by default and can be enabled using Exchange PowerShell, with a new experience for enabling without PowerShell coming by the end of 2024. There are specific supported and unsupported domain configurations to consider. | Microsoft Exchange Online now supports inbound SMTP DANE with DNSSEC, enhancing email security. It's in General Availability since October 22, 2024. The feature is off by default and can be enabled via Exchange PowerShell, with a new enabling experience coming by end of 2024. Additional information and limitations are detailed in the provided links. |
2024-07-18 | MC Last Updated | 06/21/2024 20:09:36 | 2024-07-17T18:09:15Z |
2024-07-18 | MC Messages | Updated June 21, 2024: We have updated the rollout timing below. Thank you for your patience.
We are adding support for DNS-based Authentication of Named Entities (or DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS-spoofing and adversary-in-the-middle attacks to DNS. This message is associated with Microsoft 365 Roadmap ID 63213. [When this will happen:] Public Preview: We will begin rolling out in July 2024. Standard Release: We begin rolling out late August 2024 (previously late June) and expect to complete by late September 2024 (previously late July). | Updated July 17, 2024: We have updated the rollout timing below. Thank you for your patience.
We are adding support for DNS-based Authentication of Named Entities (or DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS-spoofing and adversary-in-the-middle attacks to DNS. This message is associated with Microsoft 365 Roadmap ID 63213. [When this will happen:] Public Preview: We will begin rolling out in July 2024. General Availability: We begin rolling out early September 2024 (previously late August) and expect to complete by late October 2024 (previously late September). |
2024-07-18 | MC End Time | 11/04/2024 08:00:00 | 2025-01-13T08:00:00Z |
2024-07-18 | MC Summary | Microsoft Exchange Online is updating to support inbound SMTP DANE with DNSSEC. Public Preview begins in July 2024, with Standard Release from late August to late September 2024. The feature will be off by default and can be enabled via Exchange PowerShell, with a new experience coming by end of 2024. Review domain configurations and visit the Microsoft Community Hub for detailed information on limitations and preparation. Roadmap ID: 63213. | Microsoft Exchange Online is updating to support inbound SMTP DANE with DNSSEC. Public Preview begins in July 2024, with General Availability rolling out from early September to late October 2024. This feature will be off by default and can be enabled using Exchange PowerShell, with a new experience for enabling without PowerShell coming by the end of 2024. There are specific supported and unsupported domain configurations to consider. |
2024-06-22 | MC Last Updated | 04/15/2024 23:43:58 | 2024-06-21T20:09:36Z |
2024-06-22 | MC Messages | Updated April 15, 2024: We have updated the timing of the Preview below. Thank you for your patience.
We are adding support for DNS-based Authentication of Named Entities (or DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS-spoofing and adversary-in-the-middle attacks to DNS. This message is associated with Microsoft 365 Roadmap ID 63213. [When this will happen:] Public Preview: We will begin rolling out in May 2024. Standard Release: We begin rolling out late June 2024 and expect to complete by late July 2024. | Updated June 21, 2024: We have updated the rollout timing below. Thank you for your patience.
We are adding support for DNS-based Authentication of Named Entities (or DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS-spoofing and adversary-in-the-middle attacks to DNS. This message is associated with Microsoft 365 Roadmap ID 63213. [When this will happen:] Public Preview: We will begin rolling out in July 2024. Standard Release: We begin rolling out late August 2024 (previously late June) and expect to complete by late September 2024 (previously late July). |
2024-06-22 | MC End Time | 09/06/2024 09:00:00 | 2024-11-04T08:00:00Z |
2024-06-22 | MC Summary | Microsoft Exchange Online will support inbound SMTP DANE with DNSSEC starting from lMay 2024. Inbound SMTP DANE with DNSSEC will be off by default, and if you do not want to enable the feature, you do not need to do anything. If you want to enable the feature, follow the documentation using Exchange PowerShell. Review your domain configuration internally to ensure you won't be impacted by any of the limitations. | Microsoft Exchange Online is updating to support inbound SMTP DANE with DNSSEC. Public Preview begins in July 2024, with Standard Release from late August to late September 2024. The feature will be off by default and can be enabled via Exchange PowerShell, with a new experience coming by end of 2024. Review domain configurations and visit the Microsoft Community Hub for detailed information on limitations and preparation. Roadmap ID: 63213. |
2024-04-16 | MC Messages | Updated February 16, 2024: We have updated the content below for clarity Thank you for your patience.
We are adding support for DNS-based Authentication of Named Entities (or DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS-spoofing and adversary-in-the-middle attacks to DNS. This message is associated with Microsoft 365 Roadmap ID 63213. [When this will happen:] Public Preview: We will begin rolling out late March 2024 and expect to complete by late April 2024. Standard Release: We begin rolling out late June 2024 and expect to complete by late July 2024. | Updated April 15, 2024: We have updated the timing of the Preview below. Thank you for your patience.
We are adding support for DNS-based Authentication of Named Entities (or DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS-spoofing and adversary-in-the-middle attacks to DNS. This message is associated with Microsoft 365 Roadmap ID 63213. [When this will happen:] Public Preview: We will begin rolling out in May 2024. Standard Release: We begin rolling out late June 2024 and expect to complete by late July 2024. |
2024-04-16 | MC Last Updated | 02/17/2024 00:20:42 | 2024-04-15T23:43:58Z |
2024-04-16 | MC Summary | Microsoft Exchange Online will support inbound SMTP DANE with DNSSEC starting from late March 2024. Inbound SMTP DANE with DNSSEC will be off by default, and if you do not want to enable the feature, you do not need to do anything. If you want to enable the feature, follow the documentation using Exchange PowerShell. Review your domain configuration internally to ensure you won't be impacted by any of the limitations. | Microsoft Exchange Online will support inbound SMTP DANE with DNSSEC starting from lMay 2024. Inbound SMTP DANE with DNSSEC will be off by default, and if you do not want to enable the feature, you do not need to do anything. If you want to enable the feature, follow the documentation using Exchange PowerShell. Review your domain configuration internally to ensure you won't be impacted by any of the limitations. |
2024-02-17 | MC prepare | Review your domain configuration internally to ensure you won’t be impacted by any of the limitations below, and visit Implementing Inbound SMTP DANE with DNSSEC for Exchange Online Mail Flow - Microsoft Community Hub for more detailed information on limitations:
Not supported: Fully delegated domain, onmicrosoft.com domains, and domains purchased from Microsoft known as “viral” or self-service sign-up domains Supported with risk: 3rd-party gateways and integration with mail flow https://learn.microsoft.com/purview/how-smtp-dane-works?view=o365-worldwide#how-can-exchange-online-customers-use-smtp-dane-inbound https://techcommunity.microsoft.com/t5/exchange-team-blog/implementing-inbound-smtp-dane-with-dnssec-for-exchange-online/ba-p/3939694 https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=63213 | Review your domain configuration internally to ensure you won’t be impacted by any of the limitations below, and visit Implementing Inbound SMTP DANE with DNSSEC for Exchange Online Mail Flow - Microsoft Community Hub for more detailed information on limitations:
Not supported: Fully delegated domain, onmicrosoft.com domains, and domains purchased from Microsoft known as “viral” or self-service sign-up domains Supported with risk: 3rd-party gateways, connectors, and integration with hybrid mail flow (ex. if you are using a connector to smarthost to a domain that you want to enable with DNSSEC, you need to update the smarthost name for that connector [ex. contoso-com.mail.protection.outlook.com] to match the new MX record that will be provided during DNSSEC enablement or, preferably, to match the tenant's onmicrosoft.com domain [ex. tenant-name.onmicrosoft.com] before enabling the feature.) https://learn.microsoft.com/purview/how-smtp-dane-works?view=o365-worldwide#how-can-exchange-online-customers-use-smtp-dane-inbound https://techcommunity.microsoft.com/t5/exchange-team-blog/implementing-inbound-smtp-dane-with-dnssec-for-exchange-online/ba-p/3939694 https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=63213 |
2024-02-17 | MC Summary | Microsoft Exchange Online will support inbound SMTP DANE with DNSSEC starting from late March 2024. Inbound SMTP DANE with DNSSEC will be off by default, and if you do not want to enable the feature, you do not need to do anything. If you want to enable the feature, follow the documentation using Exchange PowerShell. Review your domain configuration internally to ensure you won't be impacted by any of the limitations. | |
2024-02-17 | MC Last Updated | 01/30/2024 00:51:59 | 2024-02-17T00:20:42Z |
2024-02-17 | MC Messages | We are adding support for DNS-based Authentication of Named Entities (or DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS-spoofing and adversary-in-the-middle attacks to DNS.
This message is associated with Microsoft 365 Roadmap ID 63213. [When this will happen:] Public Preview: We will begin rolling out late March 2024 and expect to complete by late April 2024. Standard Release: We begin rolling out late June 2024 and expect to complete by late July 2024. | Updated February 16, 2024: We have updated the content below for clarity Thank you for your patience.
We are adding support for DNS-based Authentication of Named Entities (or DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) for inbound mail to Exchange Online. DANE for SMTP is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS-spoofing and adversary-in-the-middle attacks to DNS. This message is associated with Microsoft 365 Roadmap ID 63213. [When this will happen:] Public Preview: We will begin rolling out late March 2024 and expect to complete by late April 2024. Standard Release: We begin rolling out late June 2024 and expect to complete by late July 2024. |
2024-02-17 | MC Title | Microsoft Exchange Online: Support for inbound SMTP DANE with DNSSEC | (Updated) Microsoft Exchange Online: Support for inbound SMTP DANE with DNSSEC |
2024-02-17 | MC MessageTagNames | New feature, User impact, Admin impact | Updated message, New feature, User impact, Admin impact |
Last updated 4 weeks ago