The_Exchange_Team
Microsoft has recently introduced several key updates to IPv6 traffic for Exchange Online. These updates are designed to enhance security, improve performance, and ensure compliance with modern Internet standards. This blog provides a summary of these changes and their implications for customers.
Outbound IPv6 Email
Although IPv6 has been supported for outbound mail for some time, we wanted to officially announce that Microsoft now uses IPv6 for email sent from Exchange Online. Generally, our platform prioritizes IPv6 addresses for outbound email traffic (if the recipient server supports it), favoring IPv6 AAAA records over IPv4 A records.
For instance, when sending messages to LinkedIn.com, the hostnames below are returned as MX records. Each MX record includes a preference value (also known as priority), where lower numbers indicate higher priority. Email servers attempt to deliver messages to the MX host with the lowest preference value first. If multiple MX records share the same preference value, the sending servers may choose among them based on other factors, such as the availability of IPv6 or IPv4 addresses. In this example, we first try all the IPv6 addresses for hosts mail-a, mail-c, and mail-d (since they share a preference value of 10), followed by their IPv4 addresses, before moving on to mail.linkedin.com with a higher preference value of 20. Note that in certain scenarios, IPv4 may still be prioritized; in such cases, we would use IPv4 addresses initially, then IPv6, before resorting to the lower priority option.
Preference | Hostname | IP
10 | mail-a.linkedin.com | 108.174.0.215
10 | mail-a.linkedin.com | 2620:119:50c0:207::215
10 | mail-c.linkedin.com | 108.174.3.215
10 | mail-c.linkedin.com | 2620:109:c006:104::215
10 | mail-d.linkedin.com | 108.174.6.215
10 | mail-d.linkedin.com | 2620:109:c003:104::215
20 | mail.linkedin.com | 108.174.0.215
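The ordering described above, worked through in PowerShell as an added example (not Exchange Online's own code). The records are constructed from the table rather than resolved live; for a real check, gather them with Resolve-DnsName -Type MX followed by -Type AAAA and -Type A per host.

```powershell
# Added example: reproduces the delivery-attempt order described in the post.
# Records are constructed from the table above (not resolved live).
$records = @(
    [pscustomobject]@{ Preference = 10; Hostname = 'mail-a.linkedin.com'; IP = '108.174.0.215' }
    [pscustomobject]@{ Preference = 10; Hostname = 'mail-a.linkedin.com'; IP = '2620:119:50c0:207::215' }
    [pscustomobject]@{ Preference = 10; Hostname = 'mail-c.linkedin.com'; IP = '108.174.3.215' }
    [pscustomobject]@{ Preference = 10; Hostname = 'mail-c.linkedin.com'; IP = '2620:109:c006:104::215' }
    [pscustomobject]@{ Preference = 10; Hostname = 'mail-d.linkedin.com'; IP = '108.174.6.215' }
    [pscustomobject]@{ Preference = 10; Hostname = 'mail-d.linkedin.com'; IP = '2620:109:c003:104::215' }
    [pscustomobject]@{ Preference = 20; Hostname = 'mail.linkedin.com';   IP = '108.174.0.215' }
)

function Get-DeliveryOrder {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        # $true  = IPv6 before IPv4 within each preference group (the usual behaviour).
        # $false = the IPv4-first scenario the post mentions for certain cases.
        [bool] $PreferIPv6 = $true
    )
    $Records | ForEach-Object {
        $addr = [System.Net.IPAddress]::Parse($_.IP)
        $isV6 = $addr.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6
        # Rank 0 = the preferred address family inside a preference group, 1 = the other family.
        $familyRank = if ($isV6 -eq $PreferIPv6) { 0 } else { 1 }
        [pscustomobject]@{
            Preference = [int]$_.Preference
            FamilyRank = $familyRank
            Family     = if ($isV6) { 'IPv6' } else { 'IPv4' }
            Hostname   = $_.Hostname
            IP         = $_.IP
        }
    } | Sort-Object Preference, FamilyRank, Hostname
}

# Lower preference first; within preference 10, all AAAA targets come before the A targets.
Get-DeliveryOrder -Records $records | Format-Table Preference, Family, Hostname, IP -AutoSize
```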
Inbound IPv6 email
Starting in mid-October, and rolling out over the next 3-6 months, we will begin gradually allocating IPv6 addresses to all customer Accepted Domains that use Exchange Online for inbound mail, including *.onmicrosoft.com domains. Customers will receive Message Center posts notifying them of the change before it is enabled in their tenant. Once IPv6 is enabled, email senders delivering messages into Exchange Online and querying the MX record hostnames for customer domains will now receive both IPv4 and IPv6 addresses (A and AAAA records). This modernization will help our customers comply with regulations and benefit from the enhanced security and performance offered by IPv6. For most customers, this will be the new default behavior.
In some cases, activating IPv6 will affect the source IP type (IPv4 vs IPv6) used by senders connecting to Exchange Online, as the IP versions must match. Since RFC 5321 doesn't favor one IP type over another, some senders might switch from IPv4 to IPv6 during this rollout. Note that a valid reverse DNS lookup (PTR) record and either SPF or DKIM verification are required of senders for seamless mail flow over IPv6.
For a small percentage of our customers, IPv6 will not be activated, and they will be automatically opted out of the IPv6 rollout for their Accepted Domain(s). Microsoft is opting out these customers because they have dependencies on IPv4, and introducing IPv6 for these customers might affect their mail flow. Proper configuration is essential when enabling IPv6, as misconfiguration of specific features may disrupt mail flow. If our telemetry detects any of the configurations listed below in a customer tenant, the tenant will be automatically excluded from IPv6 enablement, and the admin will be notified of their opt-out status via a Message Center post. To use IPv6, admins will need to manually enable it and ensure their setup is configured properly for both IPv4 and IPv6.
Customers with the following configurations will be opted out during this rollout to avoid any disruptions in mail flow. At any time, a tenant admin can also opt out proactively using PowerShell, as detailed below.
- Customers using Exchange Transport Rules (ETR) with the SenderIPRanges predicate might experience issues. This could occur when the sender's IP for traffic to your tenant is IPv6, causing the ETR that relies on the SenderIPRanges predicate to fail in identifying the sender's IPv4 address, thereby impacting mail flow to your tenant.
  - Prior to enabling IPv6: Modify your Exchange Transport Rules that use the SenderIPRanges predicate to include the IPv6 ranges of your partners, ensuring comprehensive coverage for email traffic affected by Exchange transport rules.
- Customers employing Microsoft Purview Data Loss Prevention (DLP) Policies with the SenderIPRanges predicate may encounter issues. This could occur when the sender's IP for traffic to your tenant is in IPv6, causing the transport rule that relies on the SenderIPRanges predicate to fail in identifying the sender's IPv4 address, thereby affecting mail flow to your tenant.
  - Prior to enabling IPv6: Update your Microsoft Purview Data Loss Prevention (DLP) Policies that use the SenderIPRanges predicate to include the IPv6 ranges of your partners, ensuring comprehensive coverage for the email traffic affected by this transport rule.
- Customers using IP Address-based Inbound Connectors in Exchange Online that reference IPv4 addresses might experience issues if the sender switches to IPv6, causing the connector to fail to match the sender's IP and affecting mail flow.
  - Prior to enabling IPv6, customers should:
    - Coordinate with the sender to ensure they continue connecting via IPv4; or
    - Convert the IP-based connector to a certificate domain-based connector. This applies to both On-Premises type (From: Your organization's email server, To: Office 365) and Partner type connectors (From: Partner organization, To: Office 365).
- Enhanced Filtering for Connectors: Customers that have configured Enhanced Filtering for Connectors will need to review their configuration to ensure that both IPv4 and IPv6 addresses for their specific devices are included. Note that IPv6 entries can only be added via PowerShell at this time.
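A readiness review for the transport-rule, inbound-connector and Enhanced Filtering cases listed above, as an added example rather than Microsoft's tooling. It assumes an existing Connect-ExchangeOnline session with permission to read transport rules, connectors and accepted domains; Purview DLP policies live in the Security & Compliance module and are not covered here.

```powershell
# Added example: flag IPv4-only configurations the post says lead to an opt-out.
# Assumes Connect-ExchangeOnline has already been run in this session.
function Test-ContainsIPv6 {
    # Ranges look like "203.0.113.0/24" or "2001:db8::/32"; only IPv6 literals contain ':'.
    param([string[]] $Ranges)
    return [bool]($Ranges | Where-Object { $_ -match ':' })
}

$findings = @()

# 1. Transport rules whose SenderIpRanges predicate lists IPv4 ranges only.
foreach ($rule in (Get-TransportRule | Where-Object { $_.SenderIpRanges })) {
    if (-not (Test-ContainsIPv6 $rule.SenderIpRanges)) {
        $findings += [pscustomobject]@{
            Type  = 'TransportRule'
            Name  = $rule.Name
            Issue = 'SenderIpRanges has no IPv6 range; add partner IPv6 ranges before enabling IPv6'
        }
    }
}

# 2. IP-based inbound connectors (OnPremises or Partner) and Enhanced Filtering skip lists.
foreach ($connector in Get-InboundConnector) {
    if ($connector.SenderIPAddresses -and -not (Test-ContainsIPv6 $connector.SenderIPAddresses)) {
        $findings += [pscustomobject]@{
            Type  = "InboundConnector ($($connector.ConnectorType))"
            Name  = $connector.Name
            Issue = 'Matched by IPv4 sender addresses only; keep the sender on IPv4 or convert to certificate-based'
        }
    }
    if ($connector.EFSkipIPs -and -not (Test-ContainsIPv6 $connector.EFSkipIPs)) {
        $findings += [pscustomobject]@{
            Type  = 'EnhancedFiltering'
            Name  = $connector.Name
            Issue = 'EFSkipIPs lists IPv4 device addresses only; add their IPv6 addresses via PowerShell'
        }
    }
}

$findings | Format-Table -AutoSize -Wrap

# 3. Current IPv6 status for every accepted domain (changes can take up to an hour to appear).
foreach ($domain in Get-AcceptedDomain) {
    Get-IPv6StatusForAcceptedDomain -Domain $domain.DomainName
}
```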
How to opt in to IPv6 inbound and confirm your status
To manually opt in to or out of IPv6 for your Accepted Domain(s), use the Enable-IPv6ForAcceptedDomain and Disable-IPv6ForAcceptedDomain cmdlets with the -Domain parameter. For more details on these cmdlets, refer to this link.
For example:
Enable-IPv6ForAcceptedDomain -Domain contoso.com
Enable-IPv6ForAcceptedDomain -Domain contoso.onmicrosoft.com
Disable-IPv6ForAcceptedDomain -Domain contoso.com
Disable-IPv6ForAcceptedDomain -Domain contoso.onmicrosoft.com
Customers can check the status of their Accepted Domains using the new Get-IPv6StatusForAcceptedDomain command. Note it may take up to an hour for a change to be reflected.
For example:
Get-IPv6StatusForAcceptedDomain -Domain contoso.com
Microsoft Defender for Office 365: IPv6 allow and block support in the Tenant Allow/Block List
Admins can now create allow and block entries for IPv6 directly inside the Tenant Allow/Block List within the Defender portal, or by using the New-TenantAllowBlockListItems cmdlet (ListType parameter with value IP). This change will not affect any current Tenant Allow/Block List entries or IPv4 entries in the hosted connection filter policy or enhanced filtering connection policy. This applies to customers with Exchange Online Protection or Microsoft Defender for Office 365 Plan 1 or Plan 2 service plans. Note that IPv4 entries are not yet allowed (coming soon), and there are some entry limits; please see more detail here.
Customers will be able to add these IPv6 allow and block entries in these formats:
- Colon-hexadecimal notation single IPv6 address (for example, 2001:0db8:85a3:0000:0000:8a2e:0370:7334)
- Zero compression single IPv6 address (for example, 2001:db8::1)
- Classless inter-domain routing (CIDR) IPv6 (for example, 2001:0db8::/32). Prefix lengths from 1 to 128 are supported.
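A small validator for the three entry formats above, added here as an example (not Microsoft's code): it accepts full and zero-compressed IPv6 addresses and CIDR prefixes from 1 to 128, rejects IPv4 (not yet accepted for ListType IP), and submits the survivors. The candidate list is constructed, and the final call assumes an existing Connect-ExchangeOnline session.

```powershell
# Added example: validate Tenant Allow/Block List IPv6 entries before submitting them.
function Test-TablIPv6Entry {
    param([Parameter(Mandatory)] [string] $Entry)
    $address, $prefix = $Entry -split '/', 2
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($address, [ref] $parsed)) { return $false }
    # Only IPv6 is accepted for ListType IP at the moment.
    if ($parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) { return $false }
    if ($null -eq $prefix) { return $true }   # single address (full or zero-compressed)
    return ($prefix -match '^\d+$') -and ([int]$prefix -ge 1) -and ([int]$prefix -le 128)
}

# Constructed candidates covering each documented format plus two that must be rejected.
$candidates = @(
    '2001:0db8:85a3:0000:0000:8a2e:0370:7334',  # colon-hexadecimal single address
    '2001:db8::1',                              # zero-compressed single address
    '2001:0db8::/32',                           # CIDR with prefix in 1-128
    '2001:db8::/0',                             # rejected: prefix out of range
    '203.0.113.5'                               # rejected: IPv4 not yet supported here
)
$valid   = $candidates | Where-Object { Test-TablIPv6Entry $_ }
$invalid = $candidates | Where-Object { -not (Test-TablIPv6Entry $_) }
Write-Host "Rejected entries: $($invalid -join ', ')"

# Block the valid entries for 30 days (assumes Connect-ExchangeOnline has been run).
New-TenantAllowBlockListItems -ListType IP -Block -Entries $valid `
    -ExpirationDate (Get-Date).AddDays(30) -Notes 'Added after IPv6 readiness review'
```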
The IPv6 updates for Exchange Online enhance security, performance, and compliance with modern standards. By prioritizing IPv6 for outbound emails and enabling it for inbound mail, Microsoft is helping customers stay ahead of regulatory requirements. Customers should review their configurations to fully benefit from these updates.
Microsoft 365 Messaging Team