Microsoft Technical Bulletins

The latest updates for all the Microsoft Products you use every day.

Written by QuixTec LLC

My goal is to help your business by integrating processes that automate mundane tasks and simplify complex ones without breaking budgets.

Categories: Exchange Online

January 5, 2022

Blog Home

Upcoming Release Outbound SMTP DANE and DNSSEC in Microsoft 365 Exchange Online

From Microsoft Corporation
Technical Bulletin MC308285 · Published Dec 24, 2021

Message Summary

As previously announced in the blog post Support of DANE and DNSSEC in Office 365 Exchange Online, we will be adding support for SMTP DANE and DNSSEC to Exchange Online (EXO). DANE combined with DNSSEC is the state-of-the-art for securing email, and to optimize its effectiveness both standards will be enabled by default at the system level for all EXO customers.

This message is associated with Microsoft 365 Roadmap ID 63212

When this will happen:

The first phase, DANE and DNSSEC for outbound email, will roll out slowly beginning mid-January 2022 and finish by late May 2022.

How this will affect your organization:

When your users send email to business partners and customers outside of Exchange Online, if the receiving side has correctly configured DANE and DNSSEC then you will get the enhanced security benefits of DANE and DNSSEC automatically. While it’s unlikely to happen, if the recipient’s admin has misconfigured DANE and DNSSEC, or if they have correctly configured the standards but their system has been compromised, mail flow to the recipients will be blocked. This is by design: when DANE or DNSSEC validations against the recipient domain fails, whether due to misconfiguration or compromise, it signals to EXO that the receiving system cannot be trusted and your email to them should not be sent. Our analysis shows that only 0.00023% of all EXO domains send emails to recipients that fall into one of these two categories.

In case of DANE or DNSSEC failures resulting in blocked messages, your senders will receive a bounce message (aka NDR) that includes information about the problem. Email admins will also be able to use the following tools to diagnose recipient or partner side issues:

  • Message Trace Details for pending and failed blocked messages
  • The Microsoft Remote Connectivity Analyzer (RCA) toolto run validation tests against recipient domains.
    Note that the RCA tool is being updated to support DNSSEC and DANE validation tests. We estimate the new RCA functionality will be deployed in Q1 2022.

If your email is blocked due to DNSSEC or DANE failures, please don’t contact Microsoft Support as there isn’t anything they can do to fix this – the error is on the recipient side and only the recipient’s admin can fix it.

What you need to do to prepare:

This communication is only for your awareness and no customer action is required.

If you experience any issues related to the enablement of DNSSEC and DANE, the methods for investigating failures noted above will help you identify the source of the error. In most cases the issue will be with the external destination party, and you will need to communicate to them that since their email system advertises support for DNSSEC and DANE they need to correctly configure these standards to receive email from EXO. A list of the validation steps performed by EXO, as well as additional troubleshooting and error code details, will soon be documented and published to our website. We’ll publish an updated Message Center post with a link to this content before the service update fully rolls out.

We strongly believe support for DNSSEC and DANE will significantly increase the EXO security posture, and this will benefit all EXO customers. We’ve worked diligently over the last year to reduce the potential negative impact this update might have for M365 customers, and we’ll be actively monitoring and tracking the deployment to ensure any impact is minimized as it rolls out.

Additional information
Help and support


QuixTec provides this and other technical bulletins ‘unaltered’ from Microsoft. As an authorized Microsoft Partner, we ensure that all our solutions we deliver to you include the latest Microsoft updates.

ABOUT US: QuixTec, LLC is a U.S. certified Veteran Owned, modern DevOps organization and Microsoft Partner that specializes in Microsoft SharePoint, Office 365 expertise & HTML5 technologies for small to enterprise-sized organizations. The founder, Richard, has 30 years of experience working with several notable companies that include World Vision, Expedia, Microsoft, Levi Strauss, NASA, Boeing Aerospace, Los Alamos National Laboratory, and the U.S. Air Force, to name a few.  QuixTec is in the Seattle area. Phone today for a free consultation and project estimate:

(425) 367-9025


SharePoint Development ServicesSharePoint DevelopmentCustom Software DevelopmentMicrosoft 365 ExpertsMicrosoft 365IT Staffing ServicesIT StaffingWordPress Development Services

You May Also Like…

(Updated) Bookings with me in Outlook

(Updated) Bookings with me in Outlook

Exchange Online, Bookings, Microsoft 365 Experts From Microsoft CorporationTechnical Bulletin MC375740 · Published May 4, 2022 · Last updated May 24, 2022 Message Summary Updated May 24, 2022: We have updated the post for clarity. Thank...