Letter to Microsoft DANE and IPv6
Content
Vergadering: Forum Standaardisatie 8 februari 2023
Agendapunt: FS-20230208.5B2
Documentnummer: 5B2
Download hier de PDF versie van dit vergaderstuk. Wij kunnen de digitale toegankelijkheid van het PDF bestand niet garanderen.
Rechten: CC0 publieke domein verklaring
Date: 2 January 2023
Concerning: Lack of support of DANE and IPv6 on Exchange Online
Dear Ms den Ouden,
We would like to address two issues regarding security and reachability of Microsoft Exchange Online and the impossibility to use international standards that Dutch government organizations are obliged to use1. Note that these standards are also actively promoted on an EU level.2
DANE (secure mail transport)
Although Microsoft has implemented DANE support for outgoing mail, Microsoft still does not support DANE for incoming mail via Exchange Online. Already in 2019 'Strategie Vendor Management Microsoft, Google Cloud and Amazon Web Services' for the central Dutch government (abbreviated in Dutch: SLM) in conjunction with the Netherlands Standardisation Forum addressed the lack of support of this international standard.3
Microsoft originally announced that DANE on Exchange Online for incoming mail was to be fully implemented by year end 2021.4 We were unpleasantly surprised to find out that the deadline for implementation has again moved; now to July 2023.5
The lack of DANE support lately has gatten attention in the press6 and parliament7 because the latest monitor! of the Netherlands Standardisation Forum showed disappointing figures. Most of the email providers for the Dutch government support DANE and over 50% of the government domains is DANE enabled.
However, mainly because Exchange Online does not offer support yet, still toa many government domains are lagging and are not protected with DANE.
In the meantime, the international adoption of DANE keeps on growing. The number of DANE enabled domains has more than tripled since late 2019. Besides we are in touch with several other EU governments, like Germany, Czech Republic and Estonia, who have an active policy on mandating/promoting DANE.
Therefore, we urge Microsoft to commit unconditionally to the now planned and communicated deadline of July 2023.
IPv6 (reachability)
All government websites and government e-mail domains must be fully accessible via IPv6 in addition to IPv4. In 2021 we talked with your organization on enabling IPv6 per default on all these domains. After agreeing a procedure9, Microsoft later differed from that agreement by stating it cannot make changes without individual change request. Microsoft mentioned there is an opt-in process in place. However, our experience with this process is not satisfactory.
We would like to invite you to agree with us on a specific process for Dutch government organizations to be available during a certain timeframe (no later than Q2 2023) that caters to our needs. Both Microsoft, SLM and the Netherlands Standardisation Forum will communicate the availability of this process in a shared effort to create awareness and help as many organizations as possible that haven't implemented IPv6 yet to do so by use of this special process.
We look forward to receiving your written response no later than Friday January 20th 2023.
Kind regards,
[handtekeningen verwijderd]
Henrique Barnard
Strategie Vendor Management
Microsoft, Google Cloud and Amazon Web Services for the Dutch Central Government
Larissa Zegveld
Chair
Netherlands Standardisation Forum
1 Comply or explain list: https://www.forumstandaardisatie.nl/open-standaarden/verplicht
2 https://mecsa.jrc.ec.europa.eu/en/technical and https://ec.europa.eu/internet-standards/
5 https://www.microsoft.com/en-qb/microsoft-365/roadmap?featureid=63213
7 https://www.tweedekamer.nl/kamerstukken/kamervraqen/detail?id= 2022223575&did= 2022D50834
8 https://forumstandaardisatie.n1/nieuws/streefbeeld-ipv6-adoptie-overheid-noq-nietgehaaId