mx.microsoft is the new MX delivery domain for Exchange Online. For years now it has been mail.protection.outlook.com, but this domain will not work with the new DNSSEC extensions that Exchange Online will start to support.
When you added a new domain (called a vanity domain) to Microsoft 365, it would show you the MX record that you needed to add to DNS if you wanted mail flow to go to Exchange Online for that domain. This was in the form of vanitydomain-com.mail.protection.outlook.com. After March 2024 this will start to change, and will follow the format of vanitydomain-com.randomstring.mx.microsoft. The “randomstring” portion is due to DNSSEC performance limits and so Microsoft will be provisioning a number of seperate DNS zones and your vanity domain will be provisioned in one of these zones.
Note that the domain ending is not “microsoft.com”, it is “microsoft”. This DNS infrastructure is part of moving all Microsoft cloud resources to a single top-level domain – for example https://cloud.microsoft will let you access the Microsoft 365 portal.
The older mail.protection.outlook.com domains and associated MX records are said not to be going away, though a while ago Microsoft did close down the older domains that existed before mail.protection.outlook.com and so we cannot say never is never. But at this time, only new domains will be provisioned at mx.microsoft and older domains will not be moved. Your existing MX records will keep working.
If you want thought to make use of DNSSEC or SMTP DANE security measures on your inbound email you will need to have your domain provisioned in mx.microsoft, and there will be a process for doing this after March 2024.
Image by DALL-E-3
Leave a Reply