From Microsoft Corporation
Technical Bulletin MC308285 · Published Dec 24, 2021
As previously announced in the blog post Support of DANE and DNSSEC in Office 365 Exchange Online, we will be adding support for SMTP DANE and DNSSEC to Exchange Online (EXO). SMTP DANE, which only works when the underlying DNS records are signed with DNSSEC, is the current best practice for authenticating the TLS connection between mail servers. To get the full benefit, both standards will be enabled by default at the system level for all EXO customers.
This message is associated with Microsoft 365 Roadmap ID 63212
When this will happen:
The first phase, DANE and DNSSEC for outbound email, will roll out slowly beginning mid-January 2022 and finish by late May 2022.
How this will affect your organization:
When your users send email to business partners and customers outside of Exchange Online, if the receiving side has correctly configured DANE and DNSSEC then you will get the enhanced security benefits of DANE and DNSSEC automatically. Recipients that do not publish DANE (TLSA) records are unaffected and continue to receive mail as before. While it is unlikely to happen, if the recipient's admin has misconfigured DANE and DNSSEC, or if they have correctly configured the standards but their system has been compromised, mail flow to those recipients will be blocked. This is by design: when DANE or DNSSEC validation against the recipient domain fails, whether due to misconfiguration or compromise, it signals to EXO that the receiving system cannot be trusted and your email to them should not be sent. Our analysis shows that only 0.00023% of all EXO domains send email to recipients that fall into one of these two categories.
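The following is an added illustration, not Exchange Online's implementation or any code from this bulletin, of what "DANE validation against the recipient domain fails" means in practice. An SMTP client that has looked up the recipient's MX host and its TLSA records (both under DNSSEC) compares the certificate or public key the MX host presents at STARTTLS with the certificate association data in those records (RFC 6698, RFC 7672); if no usable record matches, the message is not delivered. The DNSSEC validation step itself needs live DNS and is not modelled here. The byte strings standing in for DER-encoded certificates and SubjectPublicKeyInfo structures are constructed for the example, and DANE-TA (usage 2) handling is simplified to a match anywhere in the presented chain without re-verifying chain signatures.

```python
"""TLSA matching as an SMTP DANE client performs it (illustrative, stdlib only)."""
import hashlib
from dataclasses import dataclass
from typing import Iterable, Sequence, Tuple


@dataclass(frozen=True)
class TLSA:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format rdata such as '3 1 1 <hex>' (hex may be wrapped)."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def is_usable(rec: TLSA) -> bool:
    """RFC 7672 section 3.1.3: PKIX usages 0 and 1 are unusable for SMTP.
    Records with unknown selectors or matching types are skipped as well."""
    return rec.usage in (2, 3) and rec.selector in (0, 1) and rec.matching_type in (0, 1, 2)


def association_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive the bytes the record's data must equal for this certificate."""
    source = cert_der if rec.selector == 0 else spki_der
    if rec.matching_type == 0:
        return source
    if rec.matching_type == 1:
        return hashlib.sha256(source).digest()
    return hashlib.sha512(source).digest()


def dane_verdict(tlsa_rdata: Iterable[str], chain: Sequence[Tuple[bytes, bytes]]) -> str:
    """chain is [(cert_der, spki_der), ...] from the end-entity certificate upward.
    Returns 'deliver' (a usable record matched), 'block' (usable records exist but
    none matched) or 'no-dane' (no usable records: ordinary opportunistic TLS)."""
    records = [r for r in map(parse_tlsa, tlsa_rdata) if is_usable(r)]
    if not records:
        return "no-dane"
    for rec in records:
        # DANE-EE(3): only the end-entity certificate may match.
        # DANE-TA(2): simplified to any certificate in the presented chain; a real
        # client also verifies the chain signatures up to the matched issuer.
        candidates = chain[:1] if rec.usage == 3 else chain
        for cert_der, spki_der in candidates:
            if association_data(rec, cert_der, spki_der) == rec.data:
                return "deliver"
    return "block"


# Constructed sample data (not real certificates): opaque byte strings stand in for
# the DER encodings of the MX host's certificate and its SubjectPublicKeyInfo.
MX_CERT_DER = b"constructed-der-cert-for-mx.example.net"
MX_SPKI_DER = b"constructed-spki-current-key"
OLD_SPKI_DER = b"constructed-spki-previous-key"
CHAIN = [(MX_CERT_DER, MX_SPKI_DER)]

CURRENT_TLSA = f"3 1 1 {hashlib.sha256(MX_SPKI_DER).hexdigest()}"
STALE_TLSA = f"3 1 1 {hashlib.sha256(OLD_SPKI_DER).hexdigest()}"
PKIX_ONLY_TLSA = f"1 0 1 {hashlib.sha256(MX_CERT_DER).hexdigest()}"


def demo() -> dict:
    """The cases the bulletin describes: correct setup, a misconfiguration
    (key rotated but TLSA not updated), a proper rollover, and no usable DANE."""
    return {
        "correct": dane_verdict([CURRENT_TLSA], CHAIN),
        "key_rotated_tlsa_not_updated": dane_verdict([STALE_TLSA], CHAIN),
        "rollover_both_published": dane_verdict([STALE_TLSA, CURRENT_TLSA], CHAIN),
        "pkix_usage_only": dane_verdict([PKIX_ONLY_TLSA], CHAIN),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The "key_rotated_tlsa_not_updated" case is the typical recipient-side misconfiguration: the MX host's key changed but the published "3 1 1" record still carries the old SPKI hash, so every DANE-validating sender, including EXO once this rollout completes, stops delivering until the recipient's admin republishes the record. Publishing both the old and new records during a rollover avoids this.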
In case of DANE or DNSSEC failures resulting in blocked messages, your senders will receive a bounce message (a non-delivery report, or NDR) that includes information about the problem. Email admins will also be able to use the following tools to diagnose recipient or partner side issues:
- Message Trace Details for pending and blocked messages
- The Microsoft Remote Connectivity Analyzer (RCA) tool to run validation tests against recipient domains.
Note that the RCA tool is being updated to support DNSSEC and DANE validation tests. We estimate the new RCA functionality will be deployed in Q1 2022.
If your email is blocked due to DNSSEC or DANE failures, please don't contact Microsoft Support, as there isn't anything they can do to fix this: the error is on the recipient side and only the recipient's admin can fix it.
What you need to do to prepare:
This communication is only for your awareness and no customer action is required.
If you experience any issues related to the enablement of DNSSEC and DANE, the methods for investigating failures noted above will help you identify the source of the error. In most cases the issue will be with the external destination party, and you will need to communicate to them that since their email system advertises support for DNSSEC and DANE they need to correctly configure these standards to receive email from EXO. A list of the validation steps performed by EXO, as well as additional troubleshooting and error code details, will soon be documented and published to our website. We’ll publish an updated Message Center post with a link to this content before the service update fully rolls out.
We strongly believe support for DNSSEC and DANE will significantly increase the EXO security posture, and this will benefit all EXO customers. We’ve worked diligently over the last year to reduce the potential negative impact this update might have for M365 customers, and we’ll be actively monitoring and tracking the deployment to ensure any impact is minimized as it rolls out.