External Domain Name System records for Microsoft 365
Want to see a customized list of DNS records for your Microsoft 365 organization? You can find the info you need to create Microsoft 365 DNS records for your domain in Microsoft 365.
Need step-by-step help to add these records at your domain's DNS host, such as GoDaddy or eNom? Find links to step-by-step instructions for many popular DNS hosts.
Sticking around to use the reference list for your own custom deployment? The following list should be used as a reference for your custom Microsoft 365 deployment. You need to select which records apply to your organization and fill in the appropriate values.
Often the SPF and MX records are the hardest to figure out. We've updated our SPF records guidance at the end of this article. The important thing to remember is that you can only have a single SPF record for your domain. You can have multiple MX records; however, that can cause problems for mail delivery. Having a single MX record that directs email to one mail system removes many potential problems.
The following sections are organized by service in Microsoft 365. To see a customized list of the Microsoft 365 DNS records for your domain, sign in to Microsoft 365 and gather the information you need to create Microsoft 365 DNS records.
External DNS records required for Microsoft 365 (core services)
The TXT record is needed to prove that you own the domain and is required for all customers.
The CNAME record is only required for customers using Microsoft 365 operated by 21Vianet. It ensures that Microsoft 365 can direct workstations to authenticate with the appropriate identity platform.
DNS record | Purpose | Value to use | Applies to |
---|---|---|---|
TXT (Domain verification) | Used by Microsoft 365 to verify only that you own your domain. It doesn't affect anything else. | Host: @ (or, for some DNS hosting providers, your domain name); TXT Value: A text string provided by Microsoft 365. The Microsoft 365 domain setup wizard provides the values that you use to create this record. | All customers |
CNAME (Suite) | Used by Microsoft 365 to direct authentication to the correct identity platform. Note that this CNAME only applies to Microsoft 365 operated by 21Vianet. If present and your Microsoft 365 isn't operated by 21Vianet, users on your custom domain get a "custom domain isn't in our system" error and aren't able to activate their Microsoft 365 license. | Alias: msoid; Target: clientconfig.partner.microsoftonline-p.net.cn | 21Vianet customers only |
External DNS records required for email in Microsoft 365 (Exchange Online)
Email in Microsoft 365 requires several different records. The three primary records that all customers should use are the Autodiscover, MX, and SPF records.
The Autodiscover record allows client computers to automatically find Exchange and configure the client properly.
The MX record tells other mail systems where to send email for your domain. Note: When you change your email to Microsoft 365, by updating your domain's MX record, ALL email sent to that domain starts coming to Microsoft 365. Do you just want to switch a few email addresses to Microsoft 365? You can Pilot Microsoft 365 with a few email addresses on your custom domain.
The TXT record for SPF is used by recipient email systems to validate that the server sending your email is one that you approve. This helps prevent problems like email spoofing and phishing. See the External DNS records required for SPF in this article to help you understand what to include in your record.
Email customers who are using Exchange Federation need the extra CNAME and TXT record listed at the bottom of the table.
DNS record | Purpose | Value to use |
---|---|---|
CNAME (Exchange Online) | Helps Outlook clients to easily connect to the Exchange Online service by using the Autodiscover service. Autodiscover automatically finds the correct Exchange Server host and configures Outlook for users. | Alias: Autodiscover; Target: autodiscover.outlook.com |
MX (Exchange Online) | Sends incoming mail for your domain to the Exchange Online service in Microsoft 365. Note: Once email is flowing to Exchange Online, you should remove the MX records that are pointing to your old system. | Domain: For example, contoso.com; Target email server: <MX token>.mail.protection.outlook.com; Time To Live (TTL) Value: 3600; Preference/Priority: Lower than any other MX records (this ensures mail is delivered to Exchange Online) - for example 1 or 'low'. Find your <MX token> by following these steps: (1) Sign in to Microsoft 365, go to Microsoft 365 admin > Domains. (2) In the Action column for your domain, choose Fix issues. (3) In the MX records section, choose What do I fix? (4) Follow the directions on this page to update your MX record. |
SPF (TXT) (Exchange Online) | Helps to prevent other people from using your domain to send spam or other malicious email. Sender policy framework (SPF) records work by identifying the servers that are authorized to send email from your domain. | See External DNS records required for SPF |
TXT (Exchange federation) | Used for Exchange federation for hybrid deployment. | TXT record 1: For example, contoso.com and associated custom-generated, domain-proof hash text (for example, Y96nu89138789315669824); TXT record 2: For example, exchangedelegation.contoso.com and associated custom-generated, domain-proof hash text (for example, Y3259071352452626169) |
CNAME (Exchange federation) | Helps Outlook clients to easily connect to the Exchange Online service by using the Autodiscover service when your company is using Exchange federation. Autodiscover automatically finds the correct Exchange Server host and configures Outlook for your users. | Alias: For example, Autodiscover.service.contoso.com; Target: autodiscover.outlook.com |
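The msoid CNAME caveat from the core services table and the MX guidance in the table above can be checked against an exported zone. The following is an added example, not Microsoft's code: the record layout, the finding codes, `mxtoken-placeholder` and `mail.old-host.example` are assumptions made for illustration.

```python
# Constructed zone export for contoso.com (sample input, not real DNS data).
# "mxtoken-placeholder" stands in for the <MX token> shown in the admin center.
SAMPLE_ZONE = [
    {"type": "MX", "name": "@", "pref": 10,
     "target": "mxtoken-placeholder.mail.protection.outlook.com"},
    {"type": "MX", "name": "@", "pref": 5, "target": "mail.old-host.example"},
    {"type": "CNAME", "name": "autodiscover", "target": "autodiscover.outlook.com"},
    {"type": "CNAME", "name": "msoid",
     "target": "clientconfig.partner.microsoftonline-p.net.cn"},
]

EXO_MX_SUFFIX = ".mail.protection.outlook.com"

def norm(host):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return host.lower().rstrip(".")

def audit_zone(zone, operated_by_21vianet=False):
    """Return finding codes for records that contradict the tables above."""
    findings = []
    mx = [r for r in zone if r["type"] == "MX"]
    exo = [r for r in mx if norm(r["target"]).endswith(EXO_MX_SUFFIX)]
    other = [r for r in mx if r not in exo]
    if not exo:
        findings.append("exchange-online-mx-missing")
    elif other:
        # Old-system MX records should go once mail flows to Exchange Online.
        findings.append("other-mx-still-published")
        # The Exchange Online MX must have a lower preference than any other MX.
        if min(r["pref"] for r in exo) >= min(r["pref"] for r in other):
            findings.append("exchange-online-mx-not-lowest-preference")
    for r in zone:
        if r["type"] != "CNAME":
            continue
        name, target = norm(r["name"]), norm(r["target"])
        # msoid belongs only in tenants operated by 21Vianet.
        if name == "msoid" and not operated_by_21vianet:
            findings.append("msoid-cname-outside-21vianet")
        if name == "autodiscover" and target != "autodiscover.outlook.com":
            findings.append("autodiscover-unexpected-target")
    return findings
```
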
External DNS records required for Teams
There are specific steps to take when you use Microsoft 365 URLs and IP address ranges to make sure your network is configured correctly.
These DNS records apply only to tenants in Teams-only mode. For hybrid tenants, see DNS implications for on-premises organizations that become hybrid.
DNS record | Purpose | Value to use |
---|---|---|
SRV (Federation) | Allows your Microsoft 365 domain to share instant messaging (IM) features with external clients by enabling SIP federation. | Domain: <domain>; Service: sipfederationtls; Protocol: TCP; Priority: 100; Weight: 1; Port: 5061; Target: sipfed.online.lync.com. Note: If the firewall or proxy server blocks SRV lookups on an external DNS, you should add this record to the internal DNS record. |
External DNS records required for Microsoft 365 Single Sign-On
DNS record | Purpose | Value to use |
---|---|---|
Host (A) | Used for single sign-on (SSO). It provides the endpoint for your off-premises users (and on-premises users, if you like) to connect to your Active Directory Federation Services (AD FS) federation server proxies or load-balanced virtual IP (VIP). | Target: For example, sts.contoso.com |
External DNS records required for SPF
Important
SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF cannot protect against. In order to protect against these, once you have set up SPF, you should also configure DKIM and DMARC for Microsoft 365. To get started, see Use DKIM to validate outbound email sent from your domain in Microsoft 365. Next, see Use DMARC to validate email in Microsoft 365.
SPF records are TXT records that help to prevent other people from using your domain to send spam or other malicious email. Sender policy framework (SPF) records work by identifying the servers that are authorized to send email from your domain.
You can only have one SPF record (that is, a TXT record that defines SPF) for your domain. That single record can have a few different inclusions but the total DNS lookups that result can't be more than 10 (this helps prevent denial of service attacks). See the table and other examples below to help you create or update the right SPF record values for your environment.
Structure of an SPF record
All SPF records contain three parts: the declaration that it's an SPF record, the domains and IP addresses that should be sending email, and an enforcement rule. You need all three in a valid SPF record. Here's an example of a common SPF record for Microsoft 365 when you use only Exchange Online email:
TXT Name @
Values: v=spf1 include:spf.protection.outlook.com -all
An email system that receives an email from your domain looks at the SPF record. If the email server that sent the message was a Microsoft 365 server, the message is accepted. If the server that sent the message was your old mail system or a malicious system on the Internet, for example, the SPF check might fail and the message wouldn't be delivered. Checks like this help to prevent spoofing and phishing messages.
Choose the SPF record structure you need
For scenarios where you're not just using Exchange Online email for Microsoft 365 (for example, when you use email originating from SharePoint Online as well), use the following table to determine what to include in the value of the record.
Note
If you have a complicated scenario that includes, for example, edge email servers for managing email traffic across your firewall, you'll have a more detailed SPF record to set up. For more information, see Set up SPF records in Microsoft 365 to help prevent spoofing.
Number | If you're using... | Purpose | Add these includes |
---|---|---|---|
1 | All email systems (required) | All SPF records start with this value | v=spf1 |
2 | Exchange Online (common) | Use with just Exchange Online | include:spf.protection.outlook.com |
3 | Third-party email system (less common) | | include:<email system like mail.contoso.com> |
4 | On-premises mail system (less common) | Use if you're using Exchange Online Protection or Exchange Online plus another mail system | ip4:<0.0.0.0> ip6:< : : > include:<mail.contoso.com> The value in brackets (<>) should be other mail systems that send email for your domain. |
5 | All email systems (required) | | -all |
Example: Adding to an existing SPF record
If you already have an SPF record, you need to add or update values for Microsoft 365. For example, say your existing SPF record for contoso.com is the following:
TXT Name @
Values: v=spf1 ip4:60.200.100.30 include:smtp.adatum.com -all
Now you're updating your SPF record for Microsoft 365. You edit your current record so you have a single SPF record that includes the values that you need. For Microsoft 365, that value is "spf.protection.outlook.com".
Correct:
TXT Name @
Values: v=spf1 ip4:60.200.100.30 include:spf.protection.outlook.com include:smtp.adatum.com -all
Incorrect:
Record 1:
TXT Name @
Values: v=spf1 ip4:60.200.100.30 include:smtp.adatum.com -all
Record 2:
Values: v=spf1 include:spf.protection.outlook.com -all
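The single-record rule and the 10-lookup limit stated earlier, together with the correct and incorrect records above, can be checked with an offline lint. This is an added example, not Microsoft's code: the DNS answers are constructed sample data, `split.contoso.example` and `many.example` are hypothetical names, and the records shown for the include targets are placeholders rather than what those hosts publish.

```python
import re

# Constructed TXT answers standing in for live DNS; include targets hold placeholders.
SAMPLE_TXT = {
    "contoso.com": ["v=spf1 ip4:60.200.100.30 include:spf.protection.outlook.com "
                    "include:smtp.adatum.com -all"],
    "split.contoso.example": ["v=spf1 ip4:60.200.100.30 include:smtp.adatum.com -all",
                              "v=spf1 include:spf.protection.outlook.com -all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "smtp.adatum.com": ["v=spf1 a mx -all"],
    "many.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11))
                     + " -all"],
}
SAMPLE_TXT.update({f"s{i}.example": ["v=spf1 ip4:192.0.2.1 -all"] for i in range(11)})

# Terms that make the receiver issue a DNS query (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_records(domain, txt=SAMPLE_TXT):
    """Return only the TXT strings that are SPF records."""
    return [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, txt=SAMPLE_TXT, seen=None):
    """Count DNS-querying terms reachable from the domain's SPF record."""
    seen = set() if seen is None else seen
    recs = spf_records(domain, txt)
    if domain in seen or len(recs) != 1:
        return 0                      # loop guard, or nothing usable to follow
    seen.add(domain)
    total = 0
    for term in recs[0].split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)([:=/]?)(.*)", term.lower())
        if m and m.group(1) in LOOKUP_TERMS:
            total += 1
            if m.group(1) in ("include", "redirect") and m.group(3):
                total += count_lookups(m.group(3), txt, seen)
    return total

def lint_spf(domain, txt=SAMPLE_TXT):
    """Return finding codes for the SPF rules this article states."""
    recs = spf_records(domain, txt)
    if len(recs) != 1:
        return ["no-spf-record" if not recs else "multiple-spf-records"]
    findings = []
    if count_lookups(domain, txt) > 10:
        findings.append("more-than-10-dns-lookups")
    if recs[0].split()[-1].lower() != "-all":
        findings.append("missing-hard-fail-all")
    return findings
```
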
More examples of common SPF values
If you're using the full Microsoft 365 suite and are using MailChimp to send marketing emails on your behalf, your SPF record at contoso.com might look like the following, which uses rows 1, 3, and 5 from the preceding table. Remember, rows 1 and 5 are required.
TXT Name @
Values: v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all
Alternatively, if you have an Exchange Hybrid configuration where email is sent from both Microsoft 365 and your on-premises mail system, your SPF record at contoso.com might look like this:
TXT Name @
Values: v=spf1 include:spf.protection.outlook.com include:mail.contoso.com -all
These are some common examples that can help you adapt your existing SPF record when you add your domain to Microsoft 365 for email. If you have a complicated scenario that includes, for example, edge email servers for managing email traffic across your firewall, you have a more detailed SPF record to set up. Learn how: Set up SPF records in Microsoft 365 to help prevent spoofing.
Here's a short link you can use to come back: https://aka.ms/o365edns