Home What is 'mx.microsoft'
Post
Cancel

What is 'mx.microsoft'

Table of Contents

What is “mx.microsoft”?

mx.microsoft is the new MX delivery domain for Exchange Online, replacing mail.protection.outlook.com. This change supports the new DNSSEC extensions in Exchange Online. Starting March 2024, new domains added to Microsoft 365 will use the format vanitydomain-com.randomstring.mx.microsoft, where the random string is due to DNSSEC performance limits. Existing domains will not be moved, but to utilize DNSSEC or SMTP DANE, you will need to provision your domain in mx.microsoft.

When you add a new domain (called a vanity domain) to Microsoft 365, it will show you the MX record that you need to add to DNS if you want mail flow to go to Exchange Online for that domain. This was in the form of vanitydomain-com.mail.protection.outlook.com. After March 2024, this will start to change and follow the vanitydomain-com.randomstring.mx.microsoft format. The “randomstring” portion is due to DNSSEC performance limits, so Microsoft will be provisioning several separate DNS zones, and your vanity domain will be provisioned in one of these zones.

Note that the domain ending is not “microsoft.com”; it is .microsoft. This DNS infrastructure is part of moving all Microsoft cloud resources to a single top-level domain – for example, https://cloud.microsoft will let you access the Microsoft 365 portal.

The older mail.protection.outlook.com domains and associated MX records are said not to be going away, though a while ago, Microsoft did close down the older domains that existed before mail.protection.outlook.com, so we cannot say never is never. But at this time, only new domains will be provisioned at mx.microsoft, and older domains will not be moved. Your existing MX records will keep working.

If you want to make use of DNSSEC or SMTP DANE security measures on your inbound email, you will need to have your domain provisioned in mx.microsoft, and there will be a process for doing this after March 2024.

Roadmap

Target dates for upcoming roadmap items are:

  • August 2024 – Inbound SMTP DANE with DNSSEC and MTA-STS report in the Exchange admin center
  • October 2024 – General Availability of Inbound SMTP DANE with DNSSEC
  • End of 2024
    • Deploying Inbound SMTP DANE with DNSSEC for all Outlook domains
    • Transition provisioning of mail records for all newly created Accepted Domains into DNSSEC-enabled infrastructure underneath *.mx.microsoft
  • February 2025 – Mandatory Outbound SMTP DANE, set per-tenant/per-remote domain
https://techcommunity.microsoft.com/t5/exchange-team-blog/implementing-inbound-smtp-dane-with-dnssec-for-exchange-online/ba-p/3939694
https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-public-preview-of-inbound-smtp-dane-with-dnssec-for/ba-p/4155257
This post is licensed under CC BY-SA 4.0 by David Marker