
MX records changing for Microsoft-hosted domains ... eventually

If you're one of those weirdos (like me) who track which email providers host mail for which domains, you'll want to take note of this.

In the email industry's ongoing efforts to improve email security, Microsoft is adding the ability for Microsoft-hosted domains to implement DANE with DNSSEC. As Microsoft explains, "SMTP DANE is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks to DNS."

Anyway, my point is not to dissect the potential value of DANE or theorize how long it'll take for a majority of customer domains to be updated (Microsoft hosts mail for 750,000 of the top ten million domains, and I'm sure many more beyond that). Instead, I want to note how MX records will be updated over time and what you'll have to watch for, if you're looking to denote whether or not an email domain is hosted by Microsoft.

A Microsoft-hosted domain would have previously had an MX record that ended in "" -- for example, if I hosted Spam Resource mail using Microsoft's service, my MX record would be "" But if/when I were to implement DANE, that MX record would change to look like "" Microsoft notes that in their example, the "1j2b" bit is randomly assigned, and that you can't attach any significance to it.

They note that the "" services will remain operational indefinitely, but starting in March 2024, you'll no longer be able to just assume that the MX record for any Microsoft-hosted domain will be under "" – domains, as they're upgraded to implement DANE support, will now have MX records under "" (And yes, ".microsoft" is a valid TLD.)

So, if you're using automation or your eyeballs to look up a domain's MX record to answer the question "is this domain's mail hosted by Microsoft?", you'll need to update your scripts and/or brain to now recognize two possible results, instead of just the one.
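One way to update such a script, as an added example (not code from this post or from Microsoft): it classifies a domain from its MX rdata and matches suffixes on a label boundary so look-alike hostnames are not counted as Microsoft. The two suffix values are assumptions drawn from Microsoft's public documentation rather than from this post, and all sample records are constructed.

```python
# Assumed suffixes (from Microsoft's public documentation, not from this post).
LEGACY_SUFFIX = "mail.protection.outlook.com"
DANE_SUFFIX = "mx.microsoft"


def normalize(host):
    """Lower-case an MX target and drop the trailing root dot."""
    return host.strip().rstrip(".").lower()


def under(host, suffix):
    """True only if host is a strict subdomain of suffix (label-boundary match)."""
    return host.endswith("." + suffix)


def classify_mx(host):
    """Return 'microsoft-legacy', 'microsoft-dane' or 'other' for one MX target."""
    h = normalize(host)
    if under(h, LEGACY_SUFFIX):
        return "microsoft-legacy"
    if under(h, DANE_SUFFIX):
        return "microsoft-dane"
    return "other"


def parse_mx_line(line):
    """Parse 'PREFERENCE TARGET' (the rdata of an MX record) into (int, str)."""
    pref, target = line.split()
    return int(pref), target


def classify_domain(mx_lines):
    """Classify a domain by its most-preferred MX target(s).

    Returns 'none' when there is no MX or only a null MX ('0 .', RFC 7505),
    and 'mixed' when the best-preference targets disagree.
    """
    records = [parse_mx_line(l) for l in mx_lines if l.strip()]
    records = [(p, t) for p, t in records if normalize(t) != ""]
    if not records:
        return "none"
    best = min(p for p, _ in records)
    kinds = {classify_mx(t) for p, t in records if p == best}
    return kinds.pop() if len(kinds) == 1 else "mixed"
```

Feed `classify_domain` the MX rdata lines from whatever resolver you already use; it does no DNS lookups itself.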
