IPv6 updates for Exchange Online

by info.odysseyx@gmail.com, October 30, 2024

Microsoft recently introduced several major updates to IPv6 traffic for Exchange Online. These updates are designed to enhance security, improve performance, and ensure compliance with the latest Internet standards. This blog provides a summary of these changes and their impact on customers.

Outbound IPv6 email

Although IPv6 has been supported for outbound mail for some time, Microsoft wanted to officially announce that Exchange Online now uses IPv6 for sent email. In general, our platform prioritizes IPv6 addresses for outbound email traffic (if supported by the recipient's server), preferring IPv6 AAAA records over IPv4 A records.

For example, when sending a message to LinkedIn.com, the host names below are returned as MX records. Each MX record contains a preference value (also called priority), with lower numbers indicating higher priority. The email server will first attempt to deliver messages to the MX host with the lowest preference value. If multiple MX records share the same preference value, the transport server can choose between the MX records based on other factors, such as the availability of IPv6 or IPv4 addresses. In this example, it first tries all IPv6 addresses for hosts mail-a, mail-c, and mail-d (since they share a preference value of 10), then tries their IPv4 addresses, and then goes to mail.linkedin.com, whose preference value of 20 is higher. IPv4 may still have higher priority in certain scenarios. In these cases, an IPv4 address is used first, then IPv6, and then a lower priority option.
| Preference | Hostname | IP |
|---|---|---|
| 10 | mail-a.linkedin.com | 108.174.0.215 |
| 10 | mail-a.linkedin.com | 2620:119:50c0:207::215 |
| 10 | mail-c.linkedin.com | 108.174.3.215 |
| 10 | mail-c.linkedin.com | 2620:109:c006:104::215 |
| 10 | mail-d.linkedin.com | 108.174.6.215 |
| 10 | mail-d.linkedin.com | 2620:109:c003:104::215 |
| 20 | mail.linkedin.com | 108.174.0.215 |

Inbound IPv6 email

Beginning in mid-October and over the next three to six months, we will gradually begin assigning IPv6 addresses to all customer accepted domains that use Exchange Online for inbound mail, including the *.onmicrosoft.com domain. Customers will receive a Message Center post notifying them of the change before it becomes active in their tenant. With IPv6 enabled, email senders who deliver messages to Exchange Online and query the MX record hostname for a customer's domain will now receive both IPv4 and IPv6 addresses (A and AAAA records). This modernization helps customers achieve regulatory compliance and benefit from the improved security and performance that IPv6 provides.

For most customers, this will be the new default behavior. In some cases, enabling IPv6 affects the source IP type (IPv4 vs. IPv6) used by senders connecting to Exchange Online because the IP versions must match. Because RFC 5321 does not favor one IP type over another, some senders may transition from IPv4 to IPv6 during this rollout. Senders must have a valid reverse DNS lookup (PTR) record, and SPF or DKIM verification is required to ensure smooth mail flow over IPv6.

For a small number of customers, IPv6 is not enabled: they are automatically opted out of the rollout of IPv6 for accepted domains. Microsoft is excluding these customers because they rely on IPv4 and introducing IPv6 for these customers could impact mail flow. Correct configuration is essential when enabling IPv6 readiness because incorrectly configuring certain features can disrupt mail flow.
If telemetry detects one of the specified configurations listed below in a customer tenant, that tenant will automatically be excluded from IPv6 activation and administrators will be notified of the opt-out status via a Message Center post. To use IPv6, an administrator must manually enable it and ensure that settings are correctly configured for both IPv4 and IPv6.

Customers with the following configurations will be opted out to ensure that mail flow is not interrupted. At any time during this rollout, tenant administrators can also proactively opt out using PowerShell, as described below.

- Customers with Exchange transport rules (ETRs) that use the Sender IP range predicate may run into problems. This can occur when the sender IP for traffic destined for your tenant is IPv6, which causes the ETR with the Sender IP range predicate to fail to identify the sender's IPv4 address, affecting mail flow to your tenant. Before enabling IPv6, ensure that the Sender IP range gives comprehensive coverage of the email traffic affected by Exchange transport rules, including your partner's IPv6 ranges.

- Customers who use Microsoft Purview Data Loss Prevention (DLP) policies with the Sender IP range predicate may run into problems. This can happen when the sender's IP for traffic destined for your tenant is IPv6, which causes the Sender IP range predicate to fail to identify the sender's IPv4 address, affecting mail flow to your tenant. Before enabling IPv6, update your Microsoft Purview Data Loss Prevention (DLP) policies that use Sender IP range to ensure comprehensive coverage of the email traffic affected by this transport rule, including your partner's IPv6 ranges.

- Customers with IP address-based inbound connectors in Exchange Online that reference IPv4 addresses may experience issues if the sender switches to IPv6, which may prevent the connector from matching the sender's IP and affect mail flow. Before enabling IPv6, customers must work with senders to ensure they remain connected over IPv4,
or convert the IP-based connector to a certificate domain-based connector. This covers both on-premises type connectors (From: Your organization's email server, To: Office 365) and partner type connectors (From: Partner organization, To: Office 365).

- Customers with Improved filtering for connectors configured should review their configuration to ensure that it contains both IPv4 and IPv6 addresses for their specific devices. Currently, IPv6 entries can only be added through PowerShell.

How to opt in or out of inbound IPv6 and check status

To manually opt in or out of IPv6 for accepted domains, you can use the Enable-IPv6ForAcceptedDomain and Disable-IPv6ForAcceptedDomain cmdlets with the -Domain parameter. For more information about these cmdlets, see this link. For example:

    Enable-IPv6ForAcceptedDomain -Domain contoso.com
    Enable-IPv6ForAcceptedDomain -Domain contoso.onmicrosoft.com
    Disable-IPv6ForAcceptedDomain -Domain contoso.com
    Disable-IPv6ForAcceptedDomain -Domain contoso.onmicrosoft.com

Customers can check the status of their accepted domain with the new Get-IPv6StatusForAcceptedDomain cmdlet. It may take up to an hour for changes to take effect. For example:

    Get-IPv6StatusForAcceptedDomain -Domain contoso.com

Microsoft Defender for Office 365: Support for allowing and blocking IPv6 in the Tenant Allow/Block List

Administrators can now create allow and block entries for IPv6 directly within the Tenant Allow/Block List in the Defender portal or by using the New-TenantAllowBlockListItems cmdlet (ListType parameter with the value IP). This change does not currently have any impact on Tenant Allow/Block List entries or on IPv4 entries in the Hosted connection filter policy or the Improved filtering connection policy. This applies to customers with Exchange Online Protection or Microsoft Defender for Office 365 Plan 1 or Plan 2 service plans. IPv4 entries are not yet allowed (coming soon), and there are some entry restrictions. See more details here.
Customers can add IPv6 allow and block entries in the following formats:

- Single IPv6 address in colon-hexadecimal notation (e.g. 2001:0db8:85a3:0000:0000:8a2e:0370:7334)
- Zero-compressed single IPv6 address (e.g. 2001:db8::1)
- Classless Inter-Domain Routing (CIDR) IPv6 (e.g. 2001:0db8::/32). The supported range is 1-128.

IPv6 updates for Exchange Online improve security, performance, and compliance with the latest standards. By prioritizing IPv6 for outbound email and enabling it for inbound mail, Microsoft is helping customers stay ahead of regulatory requirements. Customers should review their configuration to take full advantage of these updates.

Microsoft 365 Messaging Team
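The pre-enablement review described under "Inbound IPv6 email" (transport rules and inbound connectors whose sender IP lists contain only IPv4), sketched as an added PowerShell example that is not part of the original post and is not Microsoft's code. The function names and sample objects are constructed for illustration; SenderIpRanges and SenderIPAddresses are the properties returned by Get-TransportRule and Get-InboundConnector.

```powershell
# Added example: flag IP-based mail-flow settings that list only IPv4 senders
# and would stop matching a partner that starts connecting over IPv6.

function Test-IsIPv6Entry {
    # True for an IPv6 address, CIDR block or range such as '2001:db8::/32'.
    param([Parameter(Mandatory)][string]$Entry)
    $address = ($Entry -split '[/-]')[0].Trim()
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($address, [ref]$parsed)) { return $false }
    return $parsed.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6
}

function Find-IPv4OnlySetting {
    # Emits one row per object whose IP list ($Property) has no IPv6 entry.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$InputObject,
        [Parameter(Mandatory)][string]$Property,
        [Parameter(Mandatory)][string]$Kind
    )
    process {
        $entries = @($InputObject.$Property | Where-Object { $_ })
        if ($entries.Count -eq 0) { return }   # not IP-based: nothing to review
        $v6 = @($entries | Where-Object { Test-IsIPv6Entry ([string]$_) })
        if ($v6.Count -eq 0) {
            [pscustomobject]@{
                Kind    = $Kind
                Name    = $InputObject.Name
                Entries = $entries -join ', '
            }
        }
    }
}

# Constructed sample objects standing in for cmdlet output (documentation addresses).
$sampleRules = @(
    [pscustomobject]@{ Name = 'Partner relay (IPv4 only)'; SenderIpRanges = @('192.0.2.0/24') }
    [pscustomobject]@{ Name = 'Partner relay (dual)'; SenderIpRanges = @('198.51.100.10', '2001:db8:10::/48') }
    [pscustomobject]@{ Name = 'Subject-based rule'; SenderIpRanges = $null }
)
$sampleConnectors = @(
    [pscustomobject]@{ Name = 'On-premises inbound'; SenderIPAddresses = @('203.0.113.5') }
)

$sampleRules      | Find-IPv4OnlySetting -Property SenderIpRanges    -Kind TransportRule
$sampleConnectors | Find-IPv4OnlySetting -Property SenderIPAddresses -Kind InboundConnector

# In a connected Exchange Online PowerShell session, pipe the real objects instead:
#   Get-TransportRule    | Find-IPv4OnlySetting -Property SenderIpRanges    -Kind TransportRule
#   Get-InboundConnector | Find-IPv4OnlySetting -Property SenderIPAddresses -Kind InboundConnector
```

Each row returned is a setting to extend with the partner's IPv6 ranges, or a connector to convert to certificate-based matching, before running Enable-IPv6ForAcceptedDomain.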