Microsoft's DANE rollout for Exchange Online

Viktor Dukhovni ietf-dane at
Fri Jan 7 03:04:25 CET 2022

Starting this month through May 2022, Microsoft will incrementally
roll out outbound DANE support (*enabled by default*) for all hosted
Exchange Online domains:

> As previously announced in the blog post Support of DANE and DNSSEC in Office 365 Exchange Online, we will be adding support for SMTP DANE and DNSSEC to Exchange Online (EXO). DANE combined with DNSSEC is the state-of-the-art for securing email, and to optimize its effectiveness both standards will be enabled by default at the system level for all EXO customers.

If your cert rollover practices are sloppy, with transient certificate
chain validation failures after each key/cert rollover, as stale TLSA
records age out from caches or are only updated after problem reports,
then this is a good time to either up your game, or stop publishing TLSA
records.  Having stale TLSA records that delay or break email delivery
does neither you nor the people sending you email any good.

Please follow best-practice and pre-publish matching TLSA records for
the upcoming certs a few TTLs before certificate deployment.  If that's
too hard, disable DANE until you can implement a more robust rollover


More information about the dane-users mailing list