Joe Tiedeman

Technology and Security

mx.microsoft is coming!

Microsoft is gearing up for a significant shift in its email security infrastructure, replacing the familiar “mail.protection.outlook.com” with a new set of subdomains under mx.microsoft. This exciting move, starting in March 2024, brings with it a powerful security duo: SMTP DANE and DNSSEC. But before you dive into technical details, let’s unpack what this means for your organisation’s email security.

Why the Change?

While “mail.protection.outlook.com” has served us well, it’s time for an upgrade. Microsoft has built out new infrastructure that offers several key advantages:

  • Enhanced Security: “mx.microsoft” paves the way for DANE with DNSSEC implementation. This works by verifying the authenticity of mail servers, making it significantly harder for attackers to impersonate your domain and launch phishing attacks.
  • Future-Proofing: The move to the .microsoft TLD aligns with Microsoft’s broader strategy, ensuring long-term stability and access to the latest security features.
  • Streamlined Infrastructure: Consolidating email services under a single domain simplifies management and potentially streamlines troubleshooting for administrators.

It’s also important from a technical standpoint to understand what Microsoft are doing. Using joetiedeman.uk as the example: today the domain simply has A records in place for joetiedeman-uk.mail.protection.outlook.com, and it is moving to a new DNS zone, joetiedeman-uk.xxxxx-v1.mx.microsoft, where xxxxx is a randomly generated string. That may cause issues for automation that has historically relied on the predictable pattern of domain-tld.mail.protection.outlook.com.

Understanding DANE and DNSSEC:

DANE stands for “DNS-based Authentication of Named Entities” while DNSSEC stands for “Domain Name System Security Extensions.” Both work hand-in-hand to secure your email flow:

  • DANE: Think of it as a digital handshake. It uses TLSA records stored in your DNS to tell email servers which certificates they should trust for communication with your domain.
  • DNSSEC: Acts as the security guard. It cryptographically signs your DNS records, ensuring their authenticity and preventing attackers from tampering with them to redirect emails.

For deeper dives, check out these resources:

A Timeline of the MX Record Shift:

  • April 2020: Microsoft announces a multi-year transition plan to implement DANE & DNSSEC for Office 365/Exchange Online by June 2024, with outbound email support specifically by the end of 2020.

  • September 2023: Microsoft officially announces the planned migration to “mx.microsoft” subdomains and the integration of DANE with DNSSEC.

  • March 2024: Public preview begins. Organisations can opt-in to migrate their Accepted Domains to the new subdomains.

  • July 2024: General availability kicks in. New Accepted Domains are automatically directed to mx.microsoft subdomains.

  • December 2024: Full migration complete. Microsoft’s goal is for all Accepted Domains to use mx.microsoft subdomains by this point.

  • April 2030?: Microsoft currently have no plans to drop support for existing MX records or to force users to migrate, but we do know that they’ve removed support for the predecessor to mail.protection.outlook.com in the past, so it’s likely they will eventually do the same here. Given this change has taken 4 years to arrive, we’re probably safe for a few more years!

What You Need to Do:

The good news: the transition is gradual and offers options:

  1. Assess your readiness: Do you have the expertise to manage DNS records and potentially implement DANE with DNSSEC? Consider seeking professional help if needed.
  2. Start planning: Decide whether to opt-in for the preview or wait for general availability. Review your email configuration and identify any dependencies on “mail.protection.outlook.com”.
  3. Test and monitor: Once migrated, thoroughly test your email flow and monitor for any disruptions.

N.B. There’s no word yet on whether any changes will be required to SPF records, for example from the current spf.protection.outlook.com to something like spf.mx.microsoft.
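To make step 2 concrete, and to show why the unpredictable xxxxx-v1 label matters for automation, here is an added example (my own illustration, not Microsoft tooling): it classifies MX hosts as legacy “mail.protection.outlook.com” or new “mx.microsoft” targets, names the DNS owner where a DANE TLSA record for an MX host lives, and decodes the three numeric TLSA fields. The MX answers and the “abcde” token are constructed samples, so it runs offline without real DNS lookups.

```python
import re

# Constructed sample MX answers (no real DNS queries); "abcde" is a placeholder token.
SAMPLE_MX = {
    "joetiedeman.uk": [(0, "joetiedeman-uk.mail.protection.outlook.com.")],
    "example.org": [(0, "example-org.abcde-v1.mx.microsoft.")],
    "example.net": [(10, "mx1.example.net."), (20, "mx2.example.net.")],
}
# Legacy EOP host: <domain-tld>.mail.protection.outlook.com (label is predictable).
LEGACY_RE = re.compile(r"^(?P<label>[a-z0-9-]+)\.mail\.protection\.outlook\.com\.?$", re.I)
# New host: <domain-tld>.<random token>-v1.mx.microsoft (token cannot be derived).
NEW_RE = re.compile(r"^(?P<label>[a-z0-9-]+)\.(?P<token>[a-z0-9]+)-v1\.mx\.microsoft\.?$", re.I)

def classify_mx(host):
    """Label an MX host as legacy EOP, new mx.microsoft, or something else."""
    if LEGACY_RE.match(host):
        return "legacy-eop"
    if NEW_RE.match(host):
        return "mx-microsoft"
    return "other"

def legacy_dependencies(mx_table):
    """Map each domain to the legacy hosts it still relies on (empty list if none)."""
    return {d: [h for _, h in hosts if classify_mx(h) == "legacy-eop"]
            for d, hosts in mx_table.items()}

def tlsa_owner(mx_host):
    """DANE for SMTP publishes the TLSA record at _25._tcp.<mx host> (RFC 7672)."""
    return f"_25._tcp.{mx_host.rstrip('.')}."

# RFC 6698 meanings of the three numeric TLSA fields.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING = {0: "Exact", 1: "SHA-256", 2: "SHA-512"}

def parse_tlsa(rdata):
    """Decode presentation-format TLSA rdata such as '3 1 1 <hex digest>'."""
    usage, selector, mtype, data = rdata.split(None, 3)
    data = "".join(data.split()).lower()          # digest may be wrapped in the zone file
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    expected = {1: 64, 2: 128}.get(mtype)         # hex digits for SHA-256 / SHA-512
    if expected and len(data) != expected:
        raise ValueError(f"matching type {mtype} needs {expected} hex digits")
    return {"usage": USAGES[usage], "selector": SELECTORS[selector],
            "matching": MATCHING[mtype], "data": data}

if __name__ == "__main__":
    for domain, hosts in legacy_dependencies(SAMPLE_MX).items():
        print(domain, "still on legacy EOP:" if hosts else "OK", hosts)
    print(tlsa_owner("example-org.abcde-v1.mx.microsoft."), parse_tlsa("3 1 1 " + "ab" * 32))
```

Replace SAMPLE_MX with the output of a real MX lookup to inventory your own domains; only the label up to the first dot is predictable on the new hosts, so scripts must resolve MX records rather than construct the name.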

The Takeaway:

This change might seem daunting at first, but the benefits far outweigh the initial effort. Embracing “mx.microsoft” and DANE with DNSSEC signifies a significant leap in email security. By proactively planning and understanding the technology, you can ensure a smooth transition and enjoy the peace of mind that comes with knowing your emails are protected against sophisticated attacks.

Check your domain with https://cybaa.io to see details of your domain’s DNS and email setup!
