Microsoft 365 domains and DNS setup
The DNS records every Microsoft 365 tenant needs — and what each one does.
Adding a custom domain to a Microsoft 365 tenant takes a handful of DNS records. Most of them are non-negotiable for mail to flow and clients to autoconfigure. Skipping any of them tends to produce subtle problems that take longer to diagnose than to fix up front.
The required records
For a tenant using yourcompany.com as the primary domain:
Domain ownership
- TXT record at the apex: MS=ms12345678 (the value Microsoft generates during domain verification). Used only for the initial verification; you can leave it in place or remove it after verification.
Mail flow
- MX record at the apex pointing to yourcompany-com.mail.protection.outlook.com. (priority 0). Keep it the only MX record: a second MX pointing at an old on-premises host gives spammers a path around Exchange Online Protection.
- SPF TXT record at the apex: v=spf1 include:spf.protection.outlook.com -all. Add an include or ip4/ip6 term for every other service that sends as your domain (marketing platforms, ticketing, on-premises relays), publish exactly one v=spf1 record, and stay within the ten-DNS-lookup limit of RFC 7208. Hard fail (-all) is best practice once you've confirmed all legitimate senders are included.
Anti-spoofing
- DKIM CNAMEs:
selector1._domainkey.yourcompany.com → selector1-yourcompany-com._domainkey.yourcompany.onmicrosoft.com.
selector2._domainkey.yourcompany.com → selector2-yourcompany-com._domainkey.yourcompany.onmicrosoft.com.
Then enable DKIM signing for the domain in the Defender for Office 365 portal (Email authentication settings). Until you do, outbound mail carries only the default signature for yourcompany.onmicrosoft.com, which does not align with a yourcompany.com From address, so DMARC has to rely on SPF alone.
- DMARC TXT record at _dmarc.yourcompany.com: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com. Start at p=none (reporting only), move to p=quarantine, then to p=reject once the aggregate reports show every legitimate sender passing.
Autodiscover (Outlook)
- CNAME at autodiscover.yourcompany.com → autodiscover.outlook.com. Used by Outlook and other clients to find their mailbox server settings.
Teams (Skype legacy CNAMEs)
Two CNAMEs still relevant for Teams federation and some scenarios:
lyncdiscover.yourcompany.com → webdir.online.lync.com.
sip.yourcompany.com → sipdir.online.lync.com.
Two SRV records for SIP:
_sip._tls.yourcompany.com → sipdir.online.lync.com. (port 443, weight 1, priority 100).
_sipfederationtls._tcp.yourcompany.com → sipfed.online.lync.com. (port 5061, weight 1, priority 100).
(These are increasingly optional for cloud-only Teams, but federation with some external systems still uses them.)
Optional but useful
- MTA-STS: a TXT record at _mta-sts.yourcompany.com (v=STSv1; id=<a value you change whenever the policy changes>) plus a policy file served over HTTPS at https://mta-sts.yourcompany.com/.well-known/mta-sts.txt that lists *.mail.protection.outlook.com as the allowed MX. It tells sending servers to require TLS with a valid certificate when delivering to you; publish it with mode: testing first and switch to mode: enforce once the TLS-RPT reports are clean.
- TLS-RPT: a TXT record at _smtp._tls.yourcompany.com (v=TLSRPTv1; rua=mailto:tls-reports@yourcompany.com) naming the address that receives reports of TLS failures against your MX.
- BIMI: a TXT record at default._bimi.yourcompany.com pointing at your SVG logo, which supported clients show next to your messages once DMARC is p=quarantine (at pct=100) or p=reject. Gmail and Apple Mail additionally require a Verified Mark Certificate (VMC) before they display the logo.
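The record list above is easy to get subtly wrong (a stray second SPF record, a DKIM CNAME built from the wrong tenant domain, a BIMI record published before DMARC is enforcing). The following is an added example of my own, not Microsoft tooling or code from this page: an offline checker that takes a record set as a plain dict and applies the rules from this page to it. The domain yourcompany.com, the tenant domain yourcompany.onmicrosoft.com and the sample record set are all constructed for illustration.

```python
"""Offline sanity checker for the Microsoft 365 DNS records described on this page.
Added example, not Microsoft tooling: it validates a record set you have fetched
(or the zone you are about to publish) against the rules above. The record set
below is constructed for the hypothetical domain yourcompany.com, whose initial
tenant domain is assumed to be yourcompany.onmicrosoft.com.
"""
import re

DOMAIN = "yourcompany.com"
TENANT = "yourcompany.onmicrosoft.com"

# Constructed sample: owner name -> list of (type, value), trailing dots dropped.
SAMPLE_RECORDS = {
    "yourcompany.com": [
        ("TXT", "MS=ms12345678"),
        ("MX", "0 yourcompany-com.mail.protection.outlook.com"),
        ("TXT", "v=spf1 include:spf.protection.outlook.com -all"),
    ],
    "selector1._domainkey.yourcompany.com": [
        ("CNAME", "selector1-yourcompany-com._domainkey.yourcompany.onmicrosoft.com")],
    "selector2._domainkey.yourcompany.com": [
        ("CNAME", "selector2-yourcompany-com._domainkey.yourcompany.onmicrosoft.com")],
    "_dmarc.yourcompany.com": [
        ("TXT", "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com")],
    "autodiscover.yourcompany.com": [("CNAME", "autodiscover.outlook.com")],
}

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
_SPF_LOOKUP = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|redirect=|exists:)")


def _values(records, name, rtype):
    return [v for t, v in records.get(name, []) if t == rtype]


def parse_tags(txt):
    """Split a 'k=v; k=v' TXT record (DMARC, BIMI, MTA-STS) into a dict."""
    out = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def check_records(records, domain=DOMAIN, tenant=TENANT):
    """Return a list of (severity, message); an empty list means every check passed."""
    findings = []
    label = domain.replace(".", "-")

    # MX: exactly one record, priority 0, pointing at Exchange Online Protection.
    mx = _values(records, domain, "MX")
    want_mx = f"0 {label}.mail.protection.outlook.com"
    if [m.lower() for m in mx] != [want_mx]:
        findings.append(("FAIL", f"MX must be exactly '{want_mx}', got {mx}"))

    # SPF: one v=spf1 record, EOP included, hard fail, within the lookup limit.
    spf = [v for v in _values(records, domain, "TXT") if v.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(("FAIL", f"expected exactly one SPF record, found {len(spf)}"))
    else:
        terms = spf[0].split()
        if "include:spf.protection.outlook.com" not in terms:
            findings.append(("FAIL", "SPF does not include spf.protection.outlook.com"))
        if terms[-1] == "~all":
            findings.append(("WARN", "SPF ends with ~all; move to -all once every sender is listed"))
        elif terms[-1] != "-all":
            findings.append(("FAIL", f"SPF must end with -all, ends with '{terms[-1]}'"))
        lookups = sum(1 for t in terms if _SPF_LOOKUP.match(t))
        if lookups > 10:
            findings.append(("FAIL", f"SPF needs {lookups} DNS lookups; RFC 7208 allows 10"))

    # DKIM: both selectors must be CNAMEs into the tenant's initial domain.
    for n in (1, 2):
        want = f"selector{n}-{label}._domainkey.{tenant}"
        got = _values(records, f"selector{n}._domainkey.{domain}", "CNAME")
        if [g.lower() for g in got] != [want]:
            findings.append(("FAIL", f"selector{n} DKIM CNAME should be {want}, got {got}"))

    # DMARC: well-formed policy with a reporting address.
    dmarc = _values(records, f"_dmarc.{domain}", "TXT")
    tags = parse_tags(dmarc[0]) if len(dmarc) == 1 else {}
    policy = tags.get("p")
    if tags.get("v") != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        findings.append(("FAIL", f"DMARC record missing or malformed: {dmarc}"))
    elif policy == "none":
        findings.append(("WARN", "DMARC p=none is monitor-only; plan the move to quarantine, then reject"))
    if "rua" not in tags:
        findings.append(("WARN", "DMARC has no rua= address, so you will receive no aggregate reports"))

    # Autodiscover for Outlook.
    auto = _values(records, f"autodiscover.{domain}", "CNAME")
    if [a.lower() for a in auto] != ["autodiscover.outlook.com"]:
        findings.append(("FAIL", "autodiscover CNAME must point to autodiscover.outlook.com"))

    # BIMI is only honoured when DMARC is enforcing on 100% of mail.
    bimi = _values(records, f"default._bimi.{domain}", "TXT")
    if bimi and (policy not in ("quarantine", "reject") or tags.get("pct", "100") != "100"):
        findings.append(("FAIL", "BIMI published but DMARC is not p=quarantine/p=reject at pct=100"))
    return findings
```

Run check_records(SAMPLE_RECORDS) and the only finding is the WARN about p=none, which is exactly where a freshly onboarded domain should be. To use it against a live domain, fill the dict from dig or Resolve-DnsName output for each owner name; the checker deliberately does no network lookups so it can also be run in CI against the zone file before it is published.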
DNS hosted at Microsoft
For tenants without an existing DNS provider, Microsoft can host the domain DNS for you — the records above are pre-populated automatically. For most established organisations, your existing DNS provider (Cloudflare, AWS Route 53, GoDaddy, etc.) is fine; Microsoft generates the records and you add them.
Verifying the setup
After publishing the records:
- MXToolbox or dmarcian to check SPF, DKIM and DMARC syntax, SPF lookup counts, and that the DKIM selectors resolve.
- The Microsoft 365 admin center verifies domain ownership.
- Outlook Autodiscover Tester (Microsoft Remote Connectivity Analyzer) verifies autodiscover.
- Send a test message from your tenant to an external mailbox (Gmail's "Show original" view is convenient) and confirm the Authentication-Results header shows spf=pass, dkim=pass with d=yourcompany.com, and dmarc=pass. Send one inbound from outside as well to confirm the MX route delivers to the mailbox.
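The rua= address in the DMARC record is what tells you when it is safe to move from p=none to p=quarantine and p=reject: the aggregate reports list every source that sent mail as your domain and whether it passed aligned SPF or DKIM. As an added example (my own code, not from this page or any Microsoft tool), here is a small summariser for one such report. The report itself is constructed in the RFC 7489 aggregate format for the hypothetical domain yourcompany.com, using RFC 5737 documentation addresses; real reports arrive as gzip or zip attachments at the rua= address, one per receiving organisation per day.

```python
"""Summarise a DMARC aggregate (rua) report to judge whether the policy can be
tightened from p=none to p=quarantine and then p=reject.

Added example, not part of the page or of any Microsoft tool. SAMPLE_REPORT is a
constructed RFC 7489 aggregate report for the hypothetical domain yourcompany.com
using RFC 5737 documentation addresses.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>1234567890</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourcompany.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct>
  </policy_published>
  <!-- Exchange Online sending directly: SPF and DKIM both aligned -->
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>950</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourcompany.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>yourcompany.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- A mailing-list forward: SPF breaks, the DKIM signature survives -->
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourcompany.com</domain><selector>selector2</selector><result>pass</result></dkim>
      <spf><domain>lists.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- Unknown host failing both: spoofing, or a SaaS sender nobody told IT about -->
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results><spf><domain>yourcompany.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize(xml_text):
    """Flatten the report into one dict per <record> plus the published policy."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # policy_evaluated holds the *aligned* results the receiver actually used
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "disposition": evaluated.findtext("disposition"),
        })
    return {"domain": published.findtext("domain"),
            "policy": published.findtext("p"), "rows": rows}


def fails_dmarc(row):
    """DMARC passes when either aligned SPF or aligned DKIM passes (RFC 7489)."""
    return row["dkim"] != "pass" and row["spf"] != "pass"


def readiness(summary):
    """How much mail, and which sources, would be hit by moving to quarantine/reject."""
    total = sum(r["count"] for r in summary["rows"])
    failing = [r for r in summary["rows"] if fails_dmarc(r)]
    failed = sum(r["count"] for r in failing)
    return {
        "total": total,
        "failing": failed,
        "fail_pct": round(100.0 * failed / total, 2) if total else 0.0,
        "failing_sources": sorted(r["source_ip"] for r in failing),
    }
```

For the constructed report, readiness(summarize(SAMPLE_REPORT)) shows 12 of 992 messages failing, all from 203.0.113.77; the forwarded mail from 198.51.100.5 still passes because the DKIM signature is aligned, which is why enabling DKIM for the custom domain matters before tightening the policy. In practice you run this over a few weeks of reports, identify every failing source that is actually yours, fix its SPF include or DKIM signing, and only then move to p=quarantine.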
Get the DNS right once, document it, and forget about it. Get it wrong, and you'll be debugging delivery problems for months.