
Opt-in to Enable or Disable IPv6 in Exchange Online (without DANE)

Starting October 16, 2024, Microsoft will enable IPv6 for all customer Accepted Domains using Exchange Online. This upgrade offers improved security, scalability, and performance by utilizing IPv6.

Organizations need to update their network allow-lists (firewall) to permit the Exchange Online IPv6 endpoints and to modify any IP-based inbound connectors and rules that reference only IPv4 addresses. It is possible to stay with IPv4-only traffic: domains can be opted out with a PowerShell cmdlet. After October 16, if no preference is set, IPv6 will be enabled by default, which can affect inbound email traffic.

Enable IPv6 on Domain

If IPv6 is enabled for an accepted domain in Exchange Online, IPv4 and IPv6 addresses are returned in DNS queries for mail flow records of the domain.

Until October 16th this is only available as an opt-in feature; the following steps show how we enabled it for our test domain in an enterprise environment:

  1. Check MX Records
  2. Enable IPv6
  3. Verify DNS Update
  4. Check IPv6 Status
# Connect-ExchangeOnline
Get-AcceptedDomain
#Name                     DomainName               DomainType    Default
#----                     ----------               ----------    -------
#contoso.onmicrosoft.com  contoso.onmicrosoft.com  Authoritative False  
#contoso.com              contoso.com              Authoritative True   
#adatum.com               adatum.com               Authoritative False

Resolve-DnsName -Name "contoso.com" -Type MX | ft -auto
#Name        Type TTL  Section NameExchange                            Preference
#----        ---- ---  ------- ------------                            ----------
#contoso.com MX   3600 Answer  contoso-com.mail.protection.outlook.com 0  

# Resolve-DnsName -Name "contoso-com.mail.protection.outlook.com"
# IPv4 only

Enable-IPv6ForAcceptedDomain -Domain "contoso.com"
# OK

# DNS: 0    contoso-ch.mail.protection.outlook.com  52.101.68.0 Microsoft Corporation (AS8075)
# Waiting... for updated MX Records

Get-IPv6StatusForAcceptedDomain "contoso.com"
# Success Enabled
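The "Waiting... for updated MX Records" step above is the part that takes time. As an added example (not code from the original post or from Microsoft), the following function polls the MX hosts of an accepted domain until every one of them publishes an AAAA record, so you have a definite result before treating the opt-in as verified. It assumes the Windows DnsClient module (Resolve-DnsName) and a one-hour default timeout, both of which are my assumptions, not values from the post.

```powershell
# Added example: poll the MX hosts of an accepted domain until they publish
# AAAA records. Requires the Windows DnsClient module (Resolve-DnsName).
function Wait-ExoMxIPv6 {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [int] $TimeoutMinutes  = 60,   # assumption: DNS updates within an hour
        [int] $IntervalSeconds = 300   # assumption: re-check every 5 minutes
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $result   = @()
    do {
        # MX lookup for the accepted domain (same query as in the post)
        $mxHosts = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
                   Where-Object Type -eq 'MX' |
                   Select-Object -ExpandProperty NameExchange

        # For each MX host, collect A and AAAA records separately
        $result = foreach ($h in $mxHosts) {
            $a    = @(Resolve-DnsName -Name $h -Type A    -ErrorAction SilentlyContinue | Where-Object Type -eq 'A')
            $aaaa = @(Resolve-DnsName -Name $h -Type AAAA -ErrorAction SilentlyContinue | Where-Object Type -eq 'AAAA')
            [pscustomobject]@{
                Domain  = $Domain
                MxHost  = $h
                IPv4    = ($a.IPAddress    -join ', ')
                IPv6    = ($aaaa.IPAddress -join ', ')
                HasIPv6 = ($aaaa.Count -gt 0)
            }
        }

        # Done as soon as no MX host is missing an AAAA record
        $missing = @($result | Where-Object { -not $_.HasIPv6 })
        if ($missing.Count -eq 0) { return $result }

        Write-Host ("{0:HH:mm} no AAAA record yet for {1}, retrying in {2}s" -f (Get-Date), ($missing.MxHost -join ', '), $IntervalSeconds)
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)

    Write-Warning "Timed out waiting for IPv6 on the MX hosts of $Domain"
    return $result
}

# Usage, right after Enable-IPv6ForAcceptedDomain -Domain "contoso.com":
# Wait-ExoMxIPv6 -Domain "contoso.com" | Format-Table -AutoSize
```

Because the function returns one object per MX host, the same output also documents the before/after state (IPv4 only versus IPv4 and IPv6) for a change record.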

IPv6 on Domain with DANE (Failed)

In my test with a DANE-enabled domain, the opt-in failed, and I was not yet able to find a workaround without disabling DANE on the domain:

# Get-AcceptedDomain

Get-DnssecStatusForVerifiedDomain -DomainName "adatum.com"
#DnssecFeatureStatus : Enabled

Get-SmtpDaneInboundStatus -DomainName "adatum.com" 
#DomainName: 'adatum.com' DomainType: 'Authoritative' SmtpDaneStatus: 'Enabled'

Resolve-DnsName -Name "adatum.com" -Type MX | ft -auto
#Name       Type TTL  Section NameExchange                 Preference
#----       ---- ---  ------- ------------                 ----------
#adatum.com MX   1440 Answer  adatum-com.a-v1.mx.microsoft 0 

Enable-IPv6ForAcceptedDomain -Domain "adatum.com"
# WARNING: Failed to update DNS record for domain adatum.com. Error: Invalid certName .
# WARNING: Failed to update DNS record for domain adatum.com. Errors: ErrorCode:'DnsProvisioningError' | Error Details: 'Unknown DNS provisioning error'.

# DNS: 0    adatum-com.a-v1.mx.microsoft    52.101.68.3 Microsoft Corporation (AS8075)

Get-IPv6StatusForAcceptedDomain "adatum.com"
# Write-ErrorMessage : |Microsoft.M365.Security.CredSMART.M365SecretException|Invalid certName .

Disable-IPv6ForAcceptedDomain "adatum.com"
# Failure

# Resolve-DnsName -Name "adatum.com" -Type MX | ft -auto
# DNS: adatum-com.a-v1.mx.microsoft     52.101.68.12 Microsoft Corporation (AS8075)

#Get-IPv6StatusForAcceptedDomain "contoso.onmicrosoft.com"
# Success Enabled

IPv6 on Domain with DANE (Worked)

Edited 20.10.2024: The opt-in worked on the second try without any additional change.

Enable-IPv6ForAcceptedDomain -Domain "adatum.com"
# OK

Get-IPv6StatusForAcceptedDomain "adatum.com"
#WARNING: DNS record has unexpected value for domain adatum.com. 
#Expected: /subscriptions/141df24c-da47-4008-b3fd-accf2e303ff1/resourceGroups/DNSSEC_Resources/providers/Microsoft.Network/dnszones/a-v1.mx.microsoft/CNAME/eop-EUR03-v4-anchor, 
#Actual: /subscriptions/141df24c-da47-4008-b3fd-accf2e303ff1/resourceGroups/dnssec_resources/providers/Microsoft.Network/dnszones/a-v1.mx.microsoft/CNAME/eop-EUR03-anchor.

# Get-DnssecStatusForVerifiedDomain -DomainName "adatum.com"
# DnssecFeatureStatus : Enabled

#Get-SmtpDaneInboundStatus -DomainName "adatum.com"
# DomainName: 'adatum.com' DomainType: 'Authoritative' SmtpDaneStatus: 'Enabled'

Resolve-DnsName -Name "adatum.com" -Type MX | ft -auto
# DNS: adatum.com MX   1440 Answer  adatum-com.a-v1.mx.microsoft 0   
Resolve-DnsName -Name "adatum-com.a-v1.mx.microsoft"
# OK (IPv4 & IPv6)

Opt-out and other Considerations

Please run Disable-IPv6ForAcceptedDomain before October 16th if you are not ready on any of the following points:

  • Your network (LAN, WAN) has IPv6, but the Exchange Online IPv6 endpoints are not reachable (blocked by the firewall)
  • Your SMTP relay has an IPv6 address that is not yet added to the Exchange Online inbound connector (InboundConnector)
  • SenderIpRanges with IPv4 addresses are used in Exchange transport rules, and your own IPv6 range (WAN) could interfere with them
  • SenderIpRanges with IPv4 addresses are used in Data Loss Prevention (DLP) policies
  • Specific IPv6 ranges need to be added to the Tenant Allow/Block List (Defender for Office)

Recommendation: use certificate-based connectors rather than IP-based ones.
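To find out whether any of the points above apply to a tenant before the deadline, here is an added example (my own script, not from the original post or from Microsoft) that audits inbound connectors, transport rules and, where the Security & Compliance module is loaded, DLP rules for IPv4-only sender restrictions, and reports the IPv6 opt-in status of every accepted domain. It assumes an existing Connect-ExchangeOnline session; the DLP section assumes that Get-DlpComplianceRule exposes a SenderIpRanges property (the same name used by New-DlpComplianceRule), which is my assumption, and the section is skipped when the cmdlet is not available.

```powershell
# Added example: readiness audit for the IPv6 rollout. Assumes Connect-ExchangeOnline
# has been run; the DLP part additionally needs Connect-IPPSSession.
function Get-ExoIPv6Readiness {
    $findings = [System.Collections.Generic.List[object]]::new()

    # Helper: an IP list is "IPv4 only" when it is non-empty and no entry contains ':'
    function Test-IPv4Only ([object[]] $Addresses) {
        $list = @($Addresses | Where-Object { $_ })
        return ($list.Count -gt 0) -and (-not ($list -match ':'))
    }

    # 1. Inbound connectors that restrict senders by IP address. A relay that starts
    #    connecting over IPv6 will no longer match an IPv4-only SenderIPAddresses list.
    foreach ($c in Get-InboundConnector) {
        if (Test-IPv4Only $c.SenderIPAddresses) {
            $findings.Add([pscustomobject]@{
                Area           = 'InboundConnector'
                Name           = $c.Name
                Issue          = 'SenderIPAddresses contains IPv4 addresses only'
                Values         = (@($c.SenderIPAddresses) -join ', ')
                Recommendation = 'Add the relay IPv6 address, or switch to TlsSenderCertificateName (certificate-based)'
            })
        }
    }

    # 2. Transport rules with an IPv4-only SenderIpRanges condition: the rule simply
    #    stops firing for mail that arrives over IPv6.
    foreach ($r in Get-TransportRule) {
        if (Test-IPv4Only $r.SenderIpRanges) {
            $findings.Add([pscustomobject]@{
                Area           = 'TransportRule'
                Name           = $r.Name
                Issue          = 'SenderIpRanges contains IPv4 addresses only'
                Values         = (@($r.SenderIpRanges) -join ', ')
                Recommendation = 'Add the IPv6 range of the sending network (WAN) or rework the condition'
            })
        }
    }

    # 3. DLP rules (assumption: SenderIpRanges property on Get-DlpComplianceRule output).
    #    Skipped unless the Security & Compliance cmdlets are loaded.
    if (Get-Command Get-DlpComplianceRule -ErrorAction SilentlyContinue) {
        foreach ($d in Get-DlpComplianceRule) {
            if (Test-IPv4Only $d.SenderIpRanges) {
                $findings.Add([pscustomobject]@{
                    Area           = 'DlpComplianceRule'
                    Name           = $d.Name
                    Issue          = 'SenderIpRanges contains IPv4 addresses only'
                    Values         = (@($d.SenderIpRanges) -join ', ')
                    Recommendation = 'Add the IPv6 range; otherwise the DLP condition is bypassed for IPv6 mail'
                })
            }
        }
    }

    # 4. Current IPv6 opt-in state per accepted domain, so Disable-IPv6ForAcceptedDomain
    #    can be applied to exactly the domains that still have open findings.
    foreach ($dom in Get-AcceptedDomain) {
        $status = try { (Get-IPv6StatusForAcceptedDomain $dom.DomainName | Out-String).Trim() }
                  catch { "Error: $($_.Exception.Message)" }
        $findings.Add([pscustomobject]@{
            Area           = 'AcceptedDomain'
            Name           = $dom.DomainName
            Issue          = 'IPv6 status'
            Values         = $status
            Recommendation = 'Opt out with Disable-IPv6ForAcceptedDomain until the findings above are resolved'
        })
    }

    return $findings
}

# Usage:
# Get-ExoIPv6Readiness | Format-Table Area, Name, Issue, Values -AutoSize
# Get-ExoIPv6Readiness | Export-Csv .\ipv6-readiness.csv -NoTypeInformation
```

The check deliberately treats "no IPv6 literal at all" as the finding rather than trying to validate ranges: a connector or rule that already mixes IPv4 and IPv6 entries was clearly written with the rollout in mind, while an IPv4-only list is the case that silently stops matching once the tenant answers over IPv6.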

Exchange Connectors

Summary

If your environment or that of a close partner already has IPv6 enabled, it is advisable to evaluate the impact of enabling IPv6 in Exchange Online. Testing and validation are recommended to ensure no disruptions occur, particularly in scenarios where compliance or security rules rely on IPv4-specific configurations. Enabling IPv6 could lead to certain compliance rules being bypassed or failing, especially in complex enterprise environments.
