Clicky

Microsoft Technical Bulletins

The latest updates for all the Microsoft Products you use every day.

Microsoft Exchange Curtain Reveal Tech Bulletin Header

Written by Richard Quatier

My goal is to help your business by integrating processes that automate mundane tasks and simplify complex ones without breaking budgets.

Categories: Exchange Online

January 5, 2022

Blog Home

Upcoming Release Outbound SMTP DANE and DNSSEC in Microsoft 365 Exchange Online

From Microsoft Corporation
Technical Bulletin MC308285 · Published Dec 24, 2021

Message Summary

As previously announced in the blog post Support of DANE and DNSSEC in Office 365 Exchange Online, we will be adding support for SMTP DANE and DNSSEC to Exchange Online (EXO). DANE combined with DNSSEC is the state-of-the-art for securing email, and to optimize its effectiveness both standards will be enabled by default at the system level for all EXO customers.

This message is associated with Microsoft 365 Roadmap ID 63212

When this will happen:

The first phase, DANE and DNSSEC for outbound email, will roll out slowly beginning mid-January 2022 and finish by late May 2022.

How this will affect your organization:

When your users send email to business partners and customers outside of Exchange Online, if the receiving side has correctly configured DANE and DNSSEC then you will get the enhanced security benefits of DANE and DNSSEC automatically. While it’s unlikely to happen, if the recipient’s admin has misconfigured DANE and DNSSEC, or if they have correctly configured the standards but their system has been compromised, mail flow to the recipients will be blocked. This is by design: when DANE or DNSSEC validations against the recipient domain fails, whether due to misconfiguration or compromise, it signals to EXO that the receiving system cannot be trusted and your email to them should not be sent. Our analysis shows that only 0.00023% of all EXO domains send emails to recipients that fall into one of these two categories.

In case of DANE or DNSSEC failures resulting in blocked messages, your senders will receive a bounce message (aka NDR) that includes information about the problem. Email admins will also be able to use the following tools to diagnose recipient or partner side issues:

  • Message Trace Details for pending and failed blocked messages
  • The Microsoft Remote Connectivity Analyzer (RCA) toolto run validation tests against recipient domains.
    Note that the RCA tool is being updated to support DNSSEC and DANE validation tests. We estimate the new RCA functionality will be deployed in Q1 2022.

If your email is blocked due to DNSSEC or DANE failures, please don’t contact Microsoft Support as there isn’t anything they can do to fix this – the error is on the recipient side and only the recipient’s admin can fix it.

What you need to do to prepare:

This communication is only for your awareness and no customer action is required.

If you experience any issues related to the enablement of DNSSEC and DANE, the methods for investigating failures noted above will help you identify the source of the error. In most cases the issue will be with the external destination party, and you will need to communicate to them that since their email system advertises support for DNSSEC and DANE they need to correctly configure these standards to receive email from EXO. A list of the validation steps performed by EXO, as well as additional troubleshooting and error code details, will soon be documented and published to our website. We’ll publish an updated Message Center post with a link to this content before the service update fully rolls out.

We strongly believe support for DNSSEC and DANE will significantly increase the EXO security posture, and this will benefit all EXO customers. We’ve worked diligently over the last year to reduce the potential negative impact this update might have for M365 customers, and we’ll be actively monitoring and tracking the deployment to ensure any impact is minimized as it rolls out.

Additional information
Help and support
Blog

TECHNICAL BULLETIN END

QuixTec provides this and other technical bulletins unaltered from Microsoft. As an authorized Microsoft Partner, we ensure that all our solutions we deliver to you include the latest Microsoft updates.

ABOUT US: QuixTec, LLC is a U.S. certified Veteran Owned, modern DevOps organization with experience in a plethora of IT Software Languages.  As a Microsoft Partner, we specialize in Discounted Microsoft Software Licensing, Microsoft SharePoint, Microsoft365 and HTML5 technologies for small to enterprise-sized organizations. Our dedication to IT excellence is evidenced through our PECB ISO Certification training center. The only PECB ISO authorized center in Washington State. QuixTec, implements and provides training for upcoming open-source digital marketing services that are taking the industry by storm. This solution, used by over 100,000 businesses, provides enterprise level marketing capabilities at startup rates. The founder, Richard, has 30 years of experience working with several notable companies that include World Vision, Expedia, Microsoft, Levi Strauss, NASA, Boeing Aerospace, Los Alamos National Laboratory, and the U.S. Air Force, to name a few.  QuixTec is in the Seattle area. Phone today for a free consultation and project estimate.

(425) 367-9025

LEARN MORE

SharePoint Development ServicesSharePoint Development - Custom Solution Development - Microsoft 365 Experts - Microsoft 365 - IT Staffing Services - WordPress Development Services - Form Email Validation - Microsoft Licensing - Mautic Open Source MarketingBest IT Staffing AgenciesIT Staffing Company  - PECB ISO Training and Certification

You May Also Like…