Support for anonymous inbound email messages over IPv6

Exchange Online Protection (EOP) and Exchange Online support receiving anonymous inbound email messages over IPv6 communications from senders who don't send messages over Transport Layer Security (TLS). You can opt-in to receive messages over IPv6 by requesting this functionality from UNRESOLVED_TOKEN_VAL(exMCSS) by opening the Office 365 admin center at https://portal.office.com/adminportal/home, clicking Support, and then clicking New service request). If you don't opt-in to IPv6 you'll continue to receive messages over IPv4.

Senders who transmit messages to the service over IPv6 must comply with the following two requirements:

  1. The sending IPv6 address must have a valid PTR record (reverse DNS record of the sending IPv6 address).

  2. The sender must pass either SPF verification (defined in RFC 7208) or DKIM verification (defined in RFC 6376).

Meeting these requirements is mandatory regardless of your configuration prior to opting-in to IPv6. If both requirements are met, the message will go through normal email message filtering provided by the service. If one or the other isn't met, the message will be rejected with one of the following 450 responses:

  • 450 4.7.25 Service unavailable, sending IPv6 address [2a01:111:f200:2004::240] must have reverse DNS record.

  • 450 4.7.26 Service unavailable, message sent over IPv6 [2a01:111:f200:2004::240] must pass either SPF or DKIM validation.

If you aren't opted in to receive messages over IPv6 and the sender tries to force a message over IPv6 by manually connecting to the mail server, the message will be rejected with a 550 response that looks similar to the following:

550 5.2.1 Service unavailable, [contoso.com] does not accept email over IPv6.

For more information

Support for validation of DKIM signed messages