Microsoft Message ID

microsoftmessageid

January 30, 2026

Microsoft Announcement

Microsoft Message ID: MC1220759 – 2026-01-22 | MTA-STS and SMTP DANE mode on connectors

💡 Our Technical Review in summary

Summary

Microsoft is introducing granular administrative control over Outbound MTA-STS (Mail Transfer Agent Strict Transport Security) and SMTP DANE (DNS-based Authentication of Named Entities) for Exchange Online outbound connectors.
This update allows organizations to define how strictly Exchange Online validates these security protocols when sending mail to external domains via specific connectors.
The feature is scheduled for rollout between late February 2026 and late March 2026.

Impact

Control Levels: Admins can now choose between three distinct enforcement modes for each outbound connector:
- Opportunistic (Default): Exchange Online attempts validation but delivers the message even if the destination does not support the protocols. This maintains current service behavior.
- None: Disables validation entirely. This reduces security by making the connector vulnerable to downgrade attacks and MX redirection/spoofing.
- Mandatory: Strictly enforces SMTP DANE and DNSSEC. If the destination’s validation fails or is unsupported, the mail will be queued rather than delivered.
Security Posture: Organizations requiring high-assurance delivery can now mandate DANE/DNSSEC, while those experiencing interoperability issues can bypass validation.
No Immediate Change: Since “Opportunistic” is the default and matches existing behavior, there will be no immediate impact on mail flow for organizations that do not modify their settings.

Action Required

Evaluate Connector Requirements: Review your existing outbound connectors to determine if any specific partner integrations require “Mandatory” DANE enforcement for compliance or security reasons.
Review Documentation: Keep an eye out for updated Microsoft technical documentation and PowerShell cmdlet updates closer to the February 2026 release date to understand how to toggle these modes.
Testing for Mandatory Mode: If you plan to implement “Mandatory” mode for specific connectors, ensure the recipient domains have correctly configured DNSSEC and DANE records to prevent delivery failures.
No Action Needed: If you are satisfied with the current “Opportunistic” behavior, no configuration changes are necessary.

Microsoft Official Update

Service: N/A
Category: stayInformed
Severity: normal

[Introduction]

This feature provides admin’s control over Outbound MTA-STS and SMTP DANE validations for emails sent over outbound connectors in Exchange Online, allowing organizations to choose how strictly the service enforces MTA-STS and SMTP DANE when sending mail to external domains.

Admins will be able to configure each outbound connector to use the following modes:

Opportunistic [default], applies to both MTA-STS and SMTP DANE. Opportunistic Mode means Exchange Online will attempt to perform validations for both MTA-STS and SMTP DANE but still sends the message if the destination doesn’t support either protocol.
None, which applies to both MTA-STS and SMTP DANE and disables the validation entirely, therefore reducing the security of emails sent over that connector by removing MTA-STS and/or SMTP DANE protections designed to prevent downgrade attacks and spoofed MX redirection.
Mandatory, applies only to SMTP DANE and enforces full SMTP DANE and DNSSEC validation, requiring the destination to support Inbound SMTP DANE with DNSSEC and queueing mail if the validation does not succeed.

[When this will happen]

General Availability (Worldwide): We will begin rolling out in late February 2026 and expect to complete by late March 2026.

[How this will affect your organization]

Connectors will default to Opportunistic Mode. Opportunistic Mode is already the default behavior for Exchange Online outbound connectors.

[What you need to do to prepare]

If you do not want to change the MTA-STS and/or SMTP DANE validation behavior for your outbound connectors, there is no action you need to take and you can ignore this post.

If you do want to change the MTA-STS and/or SMTP DANE validation behavior for your outbound connectors, review the documentation on this feature which will be updated and provided in this post prior to release.

[Compliance considerations]

No compliance considerations identified. Review as appropriate for your organization.

Microsoft Message ID

Microsoft Message ID: MC1220759 – 2026-01-22 | MTA-STS and SMTP DANE mode on connectors

💡 Our Technical Review in summary

Summary

Impact

Action Required

Microsoft Official Update

(Cannot update. Database or object is read-only) error in a query against a linked SharePoint view if there are unlinked lookup fields in Access – Microsoft 365 Apps

"Cannot Copy This Folder Because It May Contain Private Items" Error – Outlook

0x80004005 General Error Unable to Open Registry Key – Microsoft 365 Apps

0x800ccc80 error when sending mail from Outlook – Outlook

A connector does not move when you move a shape in Microsoft Word – Microsoft 365 Apps

(Cannot update. Database or object is read-only) error in a query against a linked SharePoint view if there are unlinked lookup fields in Access – Microsoft 365 Apps

"Cannot Copy This Folder Because It May Contain Private Items" Error – Outlook

0x80004005 General Error Unable to Open Registry Key – Microsoft 365 Apps

0x800ccc80 error when sending mail from Outlook – Outlook

(Cannot update. Database or object is read-only) error in a query against a linked SharePoint view if there are unlinked lookup fields in Access – Microsoft 365 Apps

"Cannot Copy This Folder Because It May Contain Private Items" Error – Outlook

0x80004005 General Error Unable to Open Registry Key – Microsoft 365 Apps