MX records changing for Microsoft-hosted domains ... eventually

If you're one of those weirdos (like me) who tracks what email providers hosts mail for what domains, you'll want to take note of this.

In the email industry's ongoing efforts to improve email security, Microsoft is adding the ability for Microsoft-hosted domains to implement DANE with DNSSEC. As Microsoft explains, "SMTP DANE is a security protocol that uses DNS to verify the authenticity of the certificates used for securing email communication with TLS and protecting against TLS downgrade attacks. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks to DNS."

Anyway, my point is not to dissect the potential value of DANE or theorize how long it'll take for a majority of customer domains to be updated (Microsoft hosts mail for 750,000 of the top ten million domains, and I'm sure many more beyond that). Instead, I want to note how MX records will be updated over time and what you'll have to watch for, if you're looking to denote whether or not an email domain is hosted by Microsoft.

A Microsoft-hosted domain would have previously had an MX record that ended in "mail.protection.outlook.com" -- for example, if I hosted Spam Resource mail using Microsoft service, my MX record would be "spamresource-com.mail.protection.outlook.com." But if/when I were to implement DANE, that MX record would change to look like "spamresource-com.1j2b-v1.mx.microsoft." Microsoft notes that in their example, the "1j2b" bit is randomly assigned, and that you can't attach any significance to it.

They note that the "mail.protection.outlook.com" services will remain operational indefinitely, but starting in March 2024, you'll no longer be able to just assume that the MX record for any Microsoft hosted domain will be under "mail.protection.outlook.com" – domains, as they're upgraded to implement DANE support, will now have MX records under "mx.microsoft." (And yes, ".microsoft" is a valid TLD.)

So, if you're using automation or your eyeballs to look up a domain's MX record to answer the question "is this domain's mail hosted by Microsoft?", you'll need to update your scripts and/or brain to now recognize two possible results, instead of just the one.

April 8, 2024 Update: March 2024 has come and gone and Microsoft is saying that DANE is not quite ready to go: "We regretfully must delay the public preview for Inbound SMTP DANE with DNSSEC from March to May 2024 due to necessary security investments that were identified as part of a Private Preview. This extension allows us the opportunity to further enhance our service's security measures, ensuring we meet the highest standards for our users. We appreciate your understanding and patience as we make these improvements."