    Microsoft 365 DNS Setup

    Set up Microsoft 365 DNS records on DNScale: domain verification, Exchange Online MX, Autodiscover, SPF, DKIM, DMARC, and migration checks.

    Answer snapshot

    Microsoft 365 DNS setup starts in the Microsoft 365 admin center because several values are tenant-specific. Add the TXT verification record shown by Microsoft, publish the Exchange Online MX target shown in the domain wizard, add the Autodiscover CNAME, publish one SPF TXT record such as `v=spf1 include:spf.protection.outlook.com -all` when Exchange Online is your only sender, add the two DKIM CNAMEs from Defender or PowerShell, then roll out DMARC gradually.

    What you'll learn

    • Verify a custom domain for Microsoft 365 using DNS
    • Route inbound mail to Exchange Online
    • Publish Autodiscover, SPF, DKIM, and DMARC records
    • Avoid tenant-specific DKIM and MX copy/paste mistakes
    • Validate Microsoft 365 email DNS before and after migration

    Microsoft 365 uses DNS to verify your domain, route Exchange Online mail, connect Outlook clients, sign outgoing mail, and enforce anti-spoofing policy.

    Use this guide when DNScale hosts the authoritative DNS zone for a domain you are adding to Microsoft 365.

    Record Checklist

    Microsoft 365 values are tenant-specific. Copy exact values from the Microsoft 365 admin center or Defender portal.

    | Purpose | Type | Name | Value |
    |---|---|---|---|
    | Domain verification | TXT | @ | Exact TXT value shown by Microsoft 365 |
    | Exchange Online inbound mail | MX | @ | Exact `<MX-token>.mail.protection.outlook.com` value shown by Microsoft |
    | Outlook Autodiscover | CNAME | autodiscover | `autodiscover.outlook.com` |
    | SPF | TXT | @ | `v=spf1 include:spf.protection.outlook.com -all` if Exchange Online is the only sender |
    | DKIM selector 1 | CNAME | selector1._domainkey | Exact target shown in Defender portal or PowerShell |
    | DKIM selector 2 | CNAME | selector2._domainkey | Exact target shown in Defender portal or PowerShell |
    | DMARC | TXT | _dmarc | Start with `v=DMARC1; p=none; rua=mailto:dmarc@example.com` |

    Do not manually invent the MX token or DKIM CNAME targets. Microsoft changes formats over time and returns the correct values for your tenant.

    1. Add and Verify the Domain

    In Microsoft 365 admin center:

    1. Go to Settings > Domains.
    2. Add the custom domain.
    3. Choose manual DNS setup if Domain Connect is not used.
    4. Copy the verification TXT record.

    Create it in DNScale:

    Type: TXT
    Name: @
    Content: <exact-value-from-microsoft>
    TTL: 3600

    Many Microsoft verification values look like:

    MS=ms12345678

    Use the exact value shown in your tenant.

    Verify:

    dig TXT example.com +short

    Then return to Microsoft 365 admin center and complete verification.

    2. Route Mail to Exchange Online

    Microsoft shows your domain's MX target in the domain setup wizard. It usually follows this pattern:

    <MX-token>.mail.protection.outlook.com

    Create the MX record:

    Type: MX
    Name: @
    Priority: 0
    Target: <exact-mx-target-from-microsoft>
    TTL: 3600

    Some DNS interfaces use priority 0; others prefer 1. The important point is that the Microsoft 365 MX has the highest priority. Lower numbers are higher priority for MX.

    Before changing MX:

    • create Microsoft 365 users and mailboxes
    • plan migration from the old mail provider
    • lower old MX TTLs ahead of time when possible
    • decide whether mail will cut over all at once or in phases

    After changing MX:

    dig MX example.com +short
    dig MX example.com @1.1.1.1 +short
    dig MX example.com @8.8.8.8 +short

    Remove old provider MX records once Exchange Online should receive all new mail.

    3. Add Autodiscover

    Autodiscover helps Outlook clients find Exchange Online.

    Type: CNAME
    Name: autodiscover
    Target: autodiscover.outlook.com
    TTL: 3600

    Verify:

    dig CNAME autodiscover.example.com +short

    4. Publish SPF

    If Exchange Online is the only sender:

    Type: TXT
    Name: @
    Content: v=spf1 include:spf.protection.outlook.com -all
    TTL: 3600

    If the domain also sends through other systems, merge every sender into one SPF record:

    v=spf1 include:spf.protection.outlook.com include:amazonses.com include:servers.mcsv.net -all

    Do not create multiple SPF records. Microsoft documents the single-SPF-record rule and the 10-DNS-lookup limit.

    Verify:

    dig TXT example.com +short

    Read SPF Record Explained before adding many senders.
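
    The single-record rule and the 10-lookup limit can be checked before publishing a merged record. The following is an added example, not DNScale or Microsoft code; it goes slightly beyond the text by following nested includes, and the `SAMPLE_TXT` map (including the stand-in content for `spf.protection.outlook.com` and the `.example` sender names) is constructed for illustration.

```python
import re

LOOKUP_LIMIT = 10  # SPF permits at most 10 DNS-querying terms per check
TERM = re.compile(r"[+\-~?]?(include|redirect|a|mx|ptr|exists)"
                  r"(?:[:=]([^/\s]+))?(?:/|$)", re.I)

# Constructed stand-in for DNS (name -> TXT strings); contents are illustrative.
SAMPLE_TXT = {
    "example.com": [
        "MS=ms12345678",
        "v=spf1 include:spf.protection.outlook.com include:_spf.crm.example -all",
    ],
    "spf.protection.outlook.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_spf.crm.example": ["v=spf1 a mx include:_spf.relay.example ~all"],
    "_spf.relay.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
}

def spf_records(txt_strings):
    """Keep only the TXT strings that are SPF records."""
    return [t for t in txt_strings if re.match(r"v=spf1(\s|$)", t, re.I)]

def count_lookups(domain, txt_map, path=()):
    """Count DNS-querying terms for `domain`, following include/redirect."""
    records = spf_records(txt_map.get(domain.lower(), []))
    if domain.lower() in path or len(records) != 1:
        return 0  # loop, or missing/duplicate record (audit() reports the latter)
    total = 0
    for term in records[0].split()[1:]:
        m = TERM.match(term)
        if not m:
            continue  # ip4, ip6, all and other modifiers cost no lookup
        total += 1
        if m.group(1).lower() in ("include", "redirect") and m.group(2):
            total += count_lookups(m.group(2), txt_map, path + (domain.lower(),))
    return total

def audit(domain, txt_map):
    """Return a list of problems with the SPF record published at `domain`."""
    problems = []
    found = spf_records(txt_map.get(domain, []))
    if len(found) != 1:
        problems.append(f"expected exactly 1 SPF record, found {len(found)}")
    used = count_lookups(domain, txt_map)
    if used > LOOKUP_LIMIT:
        problems.append(f"{used} DNS lookups exceed the limit of {LOOKUP_LIMIT}")
    return problems

if __name__ == "__main__":
    print(count_lookups("example.com", SAMPLE_TXT), audit("example.com", SAMPLE_TXT))
```

    To run it against live data, build the map from `dig TXT <name> +short` output for the apex and each included name.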

    5. Enable DKIM

    Microsoft 365 DKIM setup is tenant-specific.

    Use either:

    • Defender portal: Email authentication settings > DKIM
    • Exchange Online PowerShell:
    Get-DkimSigningConfig -Identity example.com |
      Format-List Name,Enabled,Status,Selector1CNAME,Selector2CNAME

    Create the two CNAME records Microsoft gives you:

    Type: CNAME
    Name: selector1._domainkey
    Target: <Selector1CNAME from Microsoft>
    TTL: 3600

    Type: CNAME
    Name: selector2._domainkey
    Target: <Selector2CNAME from Microsoft>
    TTL: 3600

    Microsoft's current DKIM format for new custom domains can include a dynamically assigned partition character under dkim.mail.microsoft. Older domains can use the older onmicrosoft.com target format. Do not guess which one your tenant uses; copy the exact values from Microsoft.

    Verify:

    dig CNAME selector1._domainkey.example.com +short
    dig CNAME selector2._domainkey.example.com +short

    After DNS resolves, return to Defender portal and enable DKIM signing for the domain.

    6. Roll Out DMARC

    For custom domains, publish DMARC in DNS.

    Start with monitoring:

    Type: TXT
    Name: _dmarc
    Content: v=DMARC1; p=none; pct=100; rua=mailto:dmarc@example.com
    TTL: 3600

    After reports show legitimate mail passes SPF or DKIM alignment, move to quarantine:

    v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com

    Then reject:

    v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com

    Microsoft recommends a gradual rollout for active custom domains. This matters if CRMs, ticketing systems, ecommerce tools, scanners, or on-premises systems send mail using your domain.

    Verify:

    dig TXT _dmarc.example.com +short

    DNScale API Example

    Use the API for repeatable onboarding:

    curl -X POST "https://api.dnscale.eu/v1/zones/$ZONE_ID/records" \
      -H "Authorization: Bearer $DNSCALE_API_KEY" \
      -H "Content-Type: application/json" \
      -d '{
        "name": "autodiscover",
        "type": "CNAME",
        "content": "autodiscover.outlook.com.",
        "ttl": 3600
      }'

    For many domains, prefer Terraform, DNSControl, or a reviewed automation workflow. See DNS Automation.

    Migration Checklist

    Before MX cutover:

    • Domain is verified in Microsoft 365.
    • Users and mailboxes exist.
    • Migration/coexistence plan is clear.
    • Existing MX TTL is lowered and aged out.
    • Microsoft 365 MX target is copied from the admin center.
    • Autodiscover CNAME is ready.
    • SPF includes every legitimate sender.
    • DKIM CNAMEs are published and signing is enabled.
    • DMARC starts in monitoring mode.

    After MX cutover:

    • dig MX returns the intended Microsoft 365 target.
    • External inbound test mail arrives in Exchange Online.
    • Outbound mail passes SPF, DKIM, and DMARC.
    • Autodiscover works for Outlook clients.
    • DMARC aggregate reports do not show unknown senders.

    Common Mistakes

    Guessing DKIM targets

    Do not build DKIM targets from examples. Microsoft has old and new formats, and the correct values are tenant-specific.

    Creating a second SPF record

    Merge Microsoft and other senders into one SPF record.

    Leaving old MX records active

    Mixed MX records can send mail to the previous provider. Keep old MX only as part of a deliberate transition plan.

    Enforcing DMARC before DKIM is working

    Microsoft 365 can sign mail with DKIM only after the selector CNAMEs are published and DKIM is enabled. Do that before p=quarantine or p=reject.
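
    The last two mistakes can be caught from `dig +short` output alone. The following is an added example, not DNScale or Microsoft code; the MX host names and the `selector_cnames` input shape are assumptions made for illustration, and the DKIM target is the page's own placeholder.

```python
MS_SUFFIX = ".mail.protection.outlook.com"

def parse_mx(dig_short):
    """Parse `dig MX <domain> +short` output into sorted (preference, host)."""
    rows = []
    for line in dig_short.strip().splitlines():
        pref, host = line.split()
        rows.append((int(pref), host.rstrip(".").lower()))
    return sorted(rows)

def mx_findings(dig_short):
    """Report MX hosts outside Exchange Online and how they rank."""
    rows = parse_mx(dig_short)
    ms_prefs = [p for p, h in rows if h.endswith(MS_SUFFIX)]
    if not ms_prefs:
        return ["no Exchange Online MX published"]
    findings = []
    for pref, host in rows:
        if host.endswith(MS_SUFFIX):
            continue
        rank = "outranks or ties" if pref <= min(ms_prefs) else "is a fallback behind"
        findings.append(f"{host} (preference {pref}) {rank} Exchange Online")
    return findings

def parse_dmarc(txt):
    """Return the record's tags as a dict, or {} if it is not a DMARC1 record."""
    parts = txt.strip().strip('"').split(";")  # dig +short wraps TXT in quotes
    pairs = (part.split("=", 1) for part in parts if "=" in part)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    return tags if tags.get("v") == "DMARC1" else {}

def dmarc_findings(dmarc_txt, selector_cnames):
    """selector_cnames maps selector1/selector2 to `dig CNAME +short` output."""
    tags = parse_dmarc(dmarc_txt)
    if not tags:
        return ["no valid DMARC record at _dmarc"]
    findings = []
    missing = [s for s in ("selector1", "selector2")
               if not selector_cnames.get(s, "").strip()]
    # DNS shows only that the CNAMEs exist; whether signing is enabled must be
    # confirmed in the Defender portal or with Get-DkimSigningConfig.
    if tags.get("p", "").lower() in ("quarantine", "reject") and missing:
        findings.append(f"p={tags['p']} published but {', '.join(missing)} "
                        "CNAME does not resolve")
    if "rua" not in tags:
        findings.append("no rua tag, so no aggregate reports to review")
    return findings
```

    Feed `mx_findings` the output of `dig MX example.com +short`, and `dmarc_findings` the output of `dig TXT _dmarc.example.com +short` plus the two selector lookups from step 5.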

    Frequently asked questions

    Where do I get Microsoft 365 DNS values?
    Use Microsoft 365 admin center under Settings > Domains > your domain > DNS records. MX and DKIM values are tenant-specific, so copy the exact values from Microsoft instead of constructing them by hand.

    What SPF record should I use for Exchange Online only?
    Microsoft's common Exchange Online-only SPF value is `v=spf1 include:spf.protection.outlook.com -all`. If other systems send mail for the domain, include them in the same SPF record.

    What is the Autodiscover record?
    For Exchange Online, publish a CNAME named `autodiscover` pointing to `autodiscover.outlook.com` so Outlook clients can find the right service automatically.

    How many DKIM records does Microsoft 365 need?
    Microsoft 365 uses two DKIM CNAME selectors: `selector1._domainkey` and `selector2._domainkey`. The target values must come from Defender portal or Exchange Online PowerShell.

    Should I keep my old MX record?
    Only during a planned transition. Once Microsoft 365 should receive all new mail, remove old provider MX records or ensure the Microsoft 365 MX has the highest priority.

    Does Microsoft 365 manage DMARC for my custom domain?
    No. For custom domains, publish the DMARC TXT record at your DNS host. Start at `p=none`, review reports, then move toward `quarantine` and `reject`.
