I don’t know why 6 years and over 6500 votes isn’t enough to get DNSSEC in Azure DNS, but if someone here hasn’t voted (like it appears to do much good), they can vote on the Microsoft request to add DNSSEC to Azure DNS here: https://feedback.azure.com/d365community/idea/d403899e-8526-ec11-b6e6-000d3a4f0789

Pretty crappy for this new feature to be completely locked out from people using Microsoft’s OWN DNS infrastructure since they can’t be bothered to enable it after several years of people demanding support. I thought when they finally announced DNSSEC/DANE support was coming that it would be contingent up on their own offering being able to support it on the DNS side. Sad to see their shortsightedness on the issue and inability to prioritize.

That depends on your partner. If their mail systems are configured to insist on communicating with servers that support DANE/DNSSEC and your system does not, email mightfail.

No. This is an Exchange Online implementation of DNSSEC and DANE.

My reading is that Exchange will route everything as normal to the third-party service and leave it to that service to decide if the target destination domain is OK.

Nice article, so how is Outbond DANE handled if you have a third party email gateway in front of the MS tenant. Our third party actually sends the email out for our Tenant. How is DANE TLSA handled in this case since the third party actually sends the email. I don’t have DANE setup on the third party email gateway either by the way. (which is TrendMicros)