Microsoft has introduced per-connector configuration options for SMTP DANE and MTA-STS validation in Exchange Online outbound connectors, giving administrators precise control over email transport security. The new settings, available in the Exchange admin center under mail flow > connectors, allow organizations to balance strict security enforcement with operational flexibility for specific email routes.
What SMTP DANE and MTA-STS Actually Do
SMTP DANE (DNS-Based Authentication of Named Entities) and MTA-STS (Mail Transfer Agent Strict Transport Security) are two mechanisms aimed at the same weakness: STARTTLS in SMTP is opportunistic, so an attacker on the path can strip the STARTTLS offer or redirect mail to a host whose certificate the sender never checks. DANE publishes TLSA records, signed with DNSSEC, that bind each receiving MX host to its TLS certificate or public key, so a sending server can verify that it has reached the legitimate host. MTA-STS publishes a policy over HTTPS that requires TLS, with a certificate valid for the MX host, for all mail delivered to the domain; it relies on the web PKI rather than on DNSSEC.
When either protocol is correctly published by the receiver and enforced by the sender, it defeats man-in-the-middle downgrade and interception of mail in transit. Exchange Online already performed DANE and MTA-STS validation on outbound mail with a single tenant-wide behaviour; the new controls make that behaviour configurable per outbound connector.
The New Configuration Options
Administrators now have three configuration options for each outbound connector:
- Disabled: The connector performs no DANE or MTA-STS validation for that route
- Enabled: The connector validates DANE and MTA-STS policies and fails delivery when validation fails, so the message is never downgraded to unauthenticated TLS or cleartext
- Opportunistic: The connector attempts validation but delivers the message even when validation fails
This granularity represents a significant improvement over the previous all-or-nothing approach. Organizations can now apply strict security requirements to connectors handling sensitive communications (like financial or healthcare data) while using more lenient settings for less critical email routes.
Why Per-Connector Control Matters
The previous implementation required organizations to choose between maximum security (which could break email delivery to domains with misconfigured security) or reduced security (which increased vulnerability). This binary choice created practical problems for enterprises with diverse email communication needs.
Consider a financial institution that needs strict security for communications with banking partners but also sends marketing emails to thousands of small businesses with varying technical capabilities. With per-connector controls, they can create separate connectors with different security postures rather than compromising security or risking delivery failures.
Implementation Considerations
Microsoft recommends starting with "Opportunistic" mode for most connectors to identify potential delivery issues before moving to stricter enforcement. The company's documentation emphasizes that proper implementation requires both sending and receiving domains to have correctly configured DNS records and TLS certificates.
For DANE to work, each receiving MX host needs a TLSA record at _25._tcp.<mx-host>, and the zone must be DNSSEC-signed; an unsigned TLSA record is ignored by a validating sender. MTA-STS requires the receiving domain to publish a policy file at https://mta-sts.<domain>/.well-known/mta-sts.txt, served with a certificate valid for that hostname, and a TXT record at _mta-sts.<domain> whose id value changes whenever the policy changes, so that senders refresh their cached copy. Many organizations struggle with these requirements, which explains why Microsoft provides the flexible configuration options.
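The following is an added example, not code from Microsoft, Exchange Online or the article's author. It works through what the two sections above describe from both sides: the policy and TLSA records a receiving domain publishes, and the checks a sending server (such as an Exchange Online connector in "Enabled" mode) runs against them. Everything it consumes is constructed for the demo: the MTA-STS policy text, the example.com and example.net MX names, and the CERT_DER and SPKI_DER byte strings, which are opaque stand-ins rather than real ASN.1. A real sender would fetch the policy from https://mta-sts.<domain>/.well-known/mta-sts.txt, the TLSA RRset from _25._tcp.<mx-host> (usable only when DNSSEC validates it) and the DER bytes from the TLS handshake with the MX host.

```python
"""MTA-STS policy evaluation and DANE TLSA matching, runnable offline.

Added example, not code from Microsoft or the Exchange Online service.
The policy text, MX names and the byte strings standing in for DER data
are constructed for the demo. Sources in production: the policy from
https://mta-sts.<domain>/.well-known/mta-sts.txt, the TLSA RRset from
_25._tcp.<mx-host> (only if DNSSEC-validated), the DER bytes from the
TLS handshake with the MX host.
"""
import hashlib

# Constructed policy of the kind a receiving domain publishes (RFC 8461).
POLICY_TEXT = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.net
max_age: 604800
"""


def parse_mta_sts_policy(text: str) -> dict:
    """Parse the key/value policy file; 'mx' may repeat, so it is a list."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing MTA-STS version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS mode")
    return policy


def mx_matches_policy(mx_host: str, policy: dict) -> bool:
    """A '*.example.net' pattern matches exactly one left-most label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # '.example.net'
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def evaluate_mx(policy: dict, mx_host: str, tls_negotiated: bool,
                cert_valid_for_mx: bool) -> tuple:
    """Sender-side verdict (deliver, reason) for one MX. Only 'enforce'
    blocks delivery; 'testing' delivers and should be reported via TLSRPT."""
    failures = []
    if not mx_matches_policy(mx_host, policy):
        failures.append("mx not in policy")
    if not tls_negotiated:
        failures.append("no TLS")
    elif not cert_valid_for_mx:
        failures.append("certificate not valid for mx host")
    if not failures:
        return True, "ok"
    reason = "; ".join(failures)
    if policy["mode"] == "enforce":
        return False, reason
    return True, "%s (mode %s, delivered anyway)" % (reason, policy["mode"])


def _tlsa_data(mtype: int, der: bytes) -> str:
    """Certificate association data for matching type 0 (full), 1, 2."""
    if mtype == 0:
        return der.hex()
    if mtype == 1:
        return hashlib.sha256(der).hexdigest()
    return hashlib.sha512(der).hexdigest()


def make_tlsa_record(usage: int, selector: int, mtype: int, der: bytes) -> str:
    """RDATA the receiving domain publishes at _25._tcp.<mx-host> (RFC 7672)."""
    return "%d %d %d %s" % (usage, selector, mtype, _tlsa_data(mtype, der))


def tlsa_matches(record: str, cert_der: bytes, spki_der: bytes) -> bool:
    """Match one TLSA record against one candidate certificate.
    RFC 7672 allows only usage 2 (DANE-TA: a CA cert in the chain, call once
    per chain cert) and usage 3 (DANE-EE: the end-entity cert). Selector 0
    covers the whole certificate, selector 1 only its SubjectPublicKeyInfo."""
    usage, selector, mtype, data = record.split()
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage not in (2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False  # PKIX usages 0/1 and unknown fields are unusable for SMTP
    der = cert_der if selector == 0 else spki_der
    return _tlsa_data(mtype, der) == data.lower()


# Constructed stand-ins for DER bytes: opaque octets, not real ASN.1.
CERT_DER = b"constructed end-entity certificate DER"
SPKI_DER = b"constructed subjectPublicKeyInfo DER"
```

The wildcard handling in mx_matches_policy is where real deployments most often go wrong: `mx: *.example.net` covers mx1.example.net but not a.b.example.net or example.net itself, so a receiving domain that lists a wildcard while its MX hosts sit two labels deep will fail validation at every enforcing sender.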
Real-World Impact on Email Delivery
The community response highlights practical concerns about email delivery reliability. One administrator reported that after enabling strict DANE validation, approximately 3% of their outbound emails to financial institutions failed due to misconfigured TLSA records on the receiving end. Another noted that small businesses and educational institutions were particularly likely to have incomplete MTA-STS implementations.
These experiences underscore why the per-connector approach is valuable. Organizations can now maintain strict security for well-configured partners while avoiding delivery failures to less technically sophisticated correspondents. The "Opportunistic" setting is a useful middle ground for discovering problems, but it should be understood for what it is: when validation fails it falls back to whatever TLS the remote server offers, or to cleartext if it offers none, so against an active attacker who strips STARTTLS or spoofs the MX it provides no more protection than ordinary opportunistic TLS. Treat it as a monitoring mode on the way to "Enabled", not as a security control in itself.
Configuration Best Practices
Microsoft provides specific guidance for implementing these controls effectively:
- Audit existing email flows: Identify which connectors handle sensitive communications versus general correspondence
- Test with Opportunistic mode: Deploy the new settings in monitoring mode to identify potential delivery issues
- Communicate with partners: Work with frequent email correspondents to ensure their DANE and MTA-STS implementations are correct
- Monitor delivery reports: Watch for increased NDRs or delays after changing security settings
- Implement gradually: Change settings for one connector at a time rather than all simultaneously
The Broader Email Security Landscape
These enhancements arrive as email security threats continue to evolve. Business email compromise (BEC) attacks cost organizations billions annually, and intercepted communications remain a significant risk. SMTP DANE and MTA-STS address a specific transport-layer weakness, the downgrade of opportunistic STARTTLS to cleartext or to an unauthenticated TLS session with an attacker-controlled MX, that content-scanning and sender-authentication controls do not touch.
Microsoft's implementation aligns with the broader industry move toward stricter email authentication. DMARC adoption has grown significantly in recent years, and DANE and MTA-STS add the layer DMARC does not cover: DMARC authenticates which domain a message comes from, while DANE and MTA-STS ensure the message cannot be read or redirected in transit. Organizations that deploy all three make their email considerably more resistant to both spoofing and interception.
Technical Requirements and Limitations
To benefit from these controls, organizations need Exchange Online Plan 1 or higher. The features work with all outbound connector types, including partner connectors and connectors to on-premises Exchange servers. However, they only apply to SMTP email transport—other protocols like EWS or Microsoft Graph API use different security mechanisms.
It's important to note that these controls affect only outbound email from Exchange Online. For inbound mail the roles reverse: it is the remote sending server that performs validation, and the receiving organization's part is to publish correct TLSA records and an MTA-STS policy for its own domains, which continue to be configured separately at the organization level. Validation is by nature a decision made by the sender, which is why the per-connector granularity appears on the outbound side.
Looking Ahead: Email Security Evolution
Microsoft's introduction of granular controls suggests the company recognizes that one-size-fits-all security doesn't work for complex enterprise environments. As more organizations adopt DANE and MTA-STS, we can expect further refinements to these controls based on real-world usage patterns.
The next logical step would be conditional policies based on message content or recipient domains. Imagine automatically applying strict DANE validation to emails containing specific keywords or destined for certain industries while using opportunistic mode for others. Such intelligence-driven security would represent the natural evolution of today's connector-based controls.
For now, Exchange Online administrators have a powerful new tool to balance security and deliverability. The key is thoughtful implementation—matching security settings to business requirements rather than applying maximum security everywhere. Organizations that take the time to configure these controls appropriately will achieve better security outcomes without sacrificing email reliability.
As email remains the primary business communication channel for most organizations, transport-layer security continues to gain importance. Microsoft's per-connector approach provides the flexibility enterprises need to secure their communications effectively in a world where not all email correspondents have equal technical capabilities.