Support for anonymous inbound email messages over IPv6
Applies to: Exchange Online Protection
Topic Last Modified: 2014-06-17
Exchange Online Protection (EOP) and Exchange Online support receiving anonymous inbound email messages over IPv6 communications from senders who don’t send messages over Transport Layer Security (TLS). You can opt-in to receive messages over IPv6 by requesting this functionality from Microsoft technical support (sign in to the Office 365 admin center, go to Support, and then click New service request). If you don’t opt-in to IPv6 you’ll continue to receive messages over IPv4.
Senders who transmit messages to the service over IPv6 must comply with the following two requirements:
-
The sending IPv6 address must have a valid PTR record (reverse DNS record of the sending IPv6 address).
-
The sender must pass either SPF verification (defined in RFC 7208) or DKIM verification (defined in RFC 6376).
Meeting these requirements is mandatory regardless of your configuration prior to opting-in to IPv6. If both requirements are met, the message will go through normal email message filtering provided by the service. If one or the other isn’t met, the message will be rejected with one of the following 554 responses, and the sending email server may not retry sending the message over IPv4.
554 5.7.1 Service unavailable, sending IPv6 address [2a01:111:f200:2004::240] must have reverse DNS record
554 5.7.1 Service unavailable, message sent over IPv6 [2a01:111:f200:2004::240] must pass either SPF or DKIM validation (message not signed)
If you aren’t opted in to receive messages over IPv6 and the sender tries to force a message over IPv6 by manually connecting to the mail server, the message will be rejected with a 550 response that looks similar to the following:
550 5.2.1 Service unavailable, [contoso.com] does not accept email over IPv6
