Microsoft’s new email security standards, including MTA-STS, TLS-RPT, DANE, and DNSSEC, are redefining how organizations protect email in transit.
These protocols enforce encrypted delivery, validate sender authenticity, and provide reporting that helps identify delivery issues. Together, they reduce the risk of interception, downgrade attacks, and spoofing.
Microsoft’s shift to new MX records enables these inbound protections. Only properly authenticated and encrypted messages are accepted, improving trust and deliverability.
In this episode of the Demystifying Microsoft podcast, Nathan Taylor (SVP, Global Microsoft Practice Leader at Sourcepass MCOE) discusses Microsoft’s latest email security updates and their real-world impact.
The conversation explains how MTA-STS enforces encrypted delivery and how TLS-RPT provides visibility into delivery failures. It also covers how DANE and DNSSEC work together to bind TLS certificates to your domain. Migrating to Microsoft’s new MX records makes it possible to enforce these protections on inbound mail, supporting stronger authentication and encryption standards.
MTA-STS, or Mail Transfer Agent Strict Transport Security, requires email sent from your domain to use TLS encryption. If a secure connection cannot be established, the message is not delivered.
This prevents downgrade and man-in-the-middle attacks and ensures email is only delivered over encrypted connections.
TLS-RPT provides domain owners with reports when email delivery fails due to TLS or MTA-STS issues. These reports are delivered in JSON format and explain where and why failures occur.
With this visibility, organizations can identify configuration issues quickly and improve mail flow reliability.
DNSSEC digitally signs DNS records to prevent tampering and spoofing. DANE uses those signed records to associate TLS certificates directly with your domain.
Together, these technologies help ensure that only valid, trusted certificates are accepted during encrypted email delivery.
Microsoft’s move from protection.outlook.com to mx.microsoft enables inbound support for MTA-STS and DANE. This change allows organizations to enforce stricter security policies for incoming email.
As a result, email authentication improves, encryption becomes enforceable, and sender reputation is strengthened.
Email security requires ongoing attention, proper configuration, and regular review. Standards like MTA-STS, TLS-RPT, DNSSEC, and DANE help enforce encrypted delivery, strengthen authentication, and provide insight into mail flow issues before they disrupt operations.
Migrating to Microsoft’s new MX records unlocks inbound protections that support compliance and improve trust across the email ecosystem. Ongoing security awareness training and periodic assessments help organizations stay ahead of evolving threats.
If you have questions about deploying these protocols, auditing DNS configurations, or performing a security assessment, Sourcepass MCOE can help. Our team supports authentication configurations, security optimization, and alignment with current Microsoft best practices.
Subscribe to the Demystifying Microsoft podcast for continued insights, or connect with a Sourcepass MCOE expert to schedule a Microsoft 365 email security assessment.
Explore the rest of the series:
Part 2: Fix Email Delivery and Spoofing with Better DNS Security
Part 3: Email Security Best Practices with Microsoft Defender and EasyDMARC