Enhancing mail flow security for Exchange Online
Protecting your incoming and outgoing emails is a top priority for us, which is why we are always working to improve mail flow encryption. With new security vulnerabilities constantly being uncovered, and communication privacy in the spotlight now more than ever, we seek to upgrade our service to use only the most secure Transport Layer Security (TLS)-based encryption available. In the last year, we have made various changes to our service, and your mail has never been more secure. You can find out more about how we use TLS to secure your emails by reading "How Exchange Online uses TLS to secure email connections in Office 365."
TLS 1.2 support added
Towards the end of last year, we rolled out support for TLS 1.2 and, as a result, we now offer the best-in-class industry encryption for email traveling to and from our service, as long as the other party also offers TLS 1.2. TLS 1.2 connections now account for around 60% of all TLS connections to and from Exchange Online. All mail between our data centers is encrypted with TLS 1.2 using the most secure cipher suite we support.
This change also adds TLS 1.2 support for browsing to the Exchange Online Protection Admin site.
New cipher suite order
We also updated the cipher order, used by our servers to conduct TLS negotiations, to include more secure cipher suites and prioritize Perfect Forward Secrecy (PFS). Just over 75 percent of all inbound TLS connections and 50 percent of all outbound TLS connections are now protected by PFS. The new cipher suite order can be seen below.
The first four cipher suites provide PFS. For all cipher suite pairs, the stronger key strength is preferred. AES is preferred to 3DES and RC4, which are provided for legacy support but will be removed in the future.
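The three ordering rules above can be checked mechanically against any server's configured preference list. The following is an added example, not code or data from Exchange Online: the suite lists are constructed from standard IANA suite names, and it assumes that a "pair" means two names differing only in the key-size field and that PFS takes priority over the AES-versus-legacy rule.

```python
import re
from itertools import combinations

PFS_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")  # ephemeral key exchange gives PFS
LEGACY = {"3DES", "RC4"}                   # kept only for legacy peers

def describe(suite):
    """Return (pfs, cipher, key_bits, family) for an IANA-style suite name."""
    m = re.search(r"_WITH_(AES|3DES|RC4)_(\d+)?", suite)
    if m is None:
        raise ValueError(f"unrecognised suite name: {suite}")
    bits = int(m.group(2)) if m.group(2) else 0  # 3DES names carry no size
    # Assumption: two suites form a pair when only the key-size field differs.
    family = re.sub(r"_\d+_", "_N_", suite, count=1)
    return suite.startswith(PFS_PREFIXES), m.group(1), bits, family

def audit(order):
    """List (rule, higher, lower) for every pair ranked against the rules."""
    findings = []
    for hi, lo in combinations(order, 2):  # hi is ranked above lo
        hi_pfs, hi_c, hi_bits, hi_fam = describe(hi)
        lo_pfs, lo_c, lo_bits, lo_fam = describe(lo)
        if lo_pfs and not hi_pfs:
            findings.append(("pfs", hi, lo))
        elif hi_pfs == lo_pfs and hi_c in LEGACY and lo_c not in LEGACY:
            findings.append(("legacy", hi, lo))
        elif hi_fam == lo_fam and hi_bits < lo_bits:
            findings.append(("key-size", hi, lo))
    return findings

# Constructed sample lists (not the order published on this page).
GOOD = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]
BAD = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

if __name__ == "__main__":
    for rule, hi, lo in audit(BAD):
        print(f"{rule}: {hi} is ranked above {lo}")
```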
- The Information Protection team