Exchange Online Tamper Protections Arriving in 2024
Organizations will need to use new Exhange Online subdomains with the coming changes.
Microsoft on Wednesday gave notice that its Exchange Online e-mail tamper protections are planned for completion in 2024, which may entail some backend changes by IT departments.
Essentially, Microsoft is turning on two security protocol enhancements for Exchange Online, namely the Domain Name System (DNS)-based Authentication of Named Entities (DANE) for SMTP, as well as Domain Name System Security Extensions (DNSSEC). Both additions are intended to thwart adversary attacks.
DANE for SMTP verifies certificates "used for securing email communication with TLS [Transport Layer Security]," protecting against "TLS downgrade attacks." DNSSEC, on the other hand, "provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks to DNS," the announcement explained.
Last year, Microsoft had announced that those two security protocols were being enabled for outbound e-mails using Exchange Online. The outbound enablement "has been supported since March 2022," the announcement explained.
The coming 2024 security protocol additions to Exchange Online will be for inbound e-mails, competing Microsoft's security upgrades, the Wednesday announcement explained. When the addition of these protocols is completed, new "A record" domains used with Exchange Online will get switched to the new subdomains, labeled "mx.microsoft."
This change to mx.microsoft will start in "March 2024" as an opt-in public preview. General availability is targeted for July 2024. Microsoft will gradually switch new A records to the new mx.microsoft subdomains in subsequent months, with completion expected in Dec. 2024:
"Between July and December 2024, we will gradually switch provisioning of all A records for new Accepted Domains into the new subdomains under mx.microsoft," the announcement indicated.
"Accepted Domains" are the SMTP namespaces that are used to receive e-mails, per Microsoft's definition.
IT department will need to take action if they have hard-coded the current "mail.protection.outlook.com" domain for their A records, the announcement cautioned. Organizations should also check if they have autoprovisioning processes that may reference the mail.protection.outlook.com domain that will get changed to mx.microsoft.
The announcement suggested that "Microsoft 365 Admin Center and/or Exchange PowerShell" migration tooling to help organizations with this change would be available in March. Microsoft also plans to release a wizard that can be used to migrate "DNS records to DNSSEC-secured domains" for "accepted domains created before July 2024."
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.