![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 73%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECW%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
For Microsoft 365 / Microsoft Entra ID, TXT-based DNS verification is the primary and recommended method.
1. Recommended verification method
For adding a custom domain to Microsoft 365 / Entra ID, the standard and preferred method is:
- TXT record (domain verification)
- Purpose: Proves ownership of the domain only; it does not affect mail flow or other services.
- Required for all customers.
- Typical format (values are provided by Microsoft 365 during setup):
- Host / Name:
@(or the domain name, depending on DNS host) - TXT value: A unique text string provided by Microsoft 365.
- Host / Name:
This is explicitly described as the domain verification record and is required for all customers.
Alternative methods supported in Microsoft 365 (if TXT is not possible):
- MX record verification – Also added at the DNS host; must be given a high priority value so it does not interfere with existing email routing.
- Verification file on website – A small text file placed at the root of the domain’s website (for example,
http://mydomain.com/ms########.txt). Microsoft verifies ownership by retrieving this file.
TXT remains the default and most broadly recommended approach because it is simple, non-disruptive, and supported by all DNS providers.
2. Typical verification time
- After adding the TXT (or MX) record, Microsoft 365 guidance states:
- It can take about 10–15 minutes for DNS changes to take effect.
- Some DNS providers may require up to 48 hours for full propagation.
- In the admin center, after adding the record at the registrar, the workflow is:
- Go to Settings > Domains.
- Select the domain and choose Start setup.
- Proceed to Verify.
- Microsoft queries DNS for the TXT (or MX) record and completes verification when it is visible.
3. Troubleshooting when the domain does not validate
If the domain stays in “validating” or “processing” for longer than expected:
- Confirm the record is in the authoritative DNS zone
- Ensure the TXT record is created where the domain’s authoritative name servers are hosted.
- If the domain’s NS records point to Microsoft 365 name servers (for example,
ns1.bdm.microsoftonline.cometc.), then any TXT verification record must be created in Microsoft 365 DNS, not only at the registrar. Records added at a non-authoritative provider are ignored.
- Verify record values exactly match Microsoft’s instructions
- Host/Name:
- Use
@or leave blank if required by the DNS UI, or use the domain name if that is how the provider expects it.
- Use
- TXT value:
- Copy/paste the exact string from the Microsoft 365 domain setup wizard. Any typo, extra space, or missing character will cause verification to fail.
- Host/Name:
- Allow for DNS propagation and retry
- Wait at least 15–30 minutes, then retry Verify in the Microsoft 365 admin center.
- If the previous TTL was long or the DNS provider is slow, allow up to 48 hours.
- Use external DNS lookup tools
- Use public DNS checkers (for example, “What’s My DNS” or similar) to confirm that the TXT record is visible globally for the domain.
- If the record does not appear, re-check that it was saved correctly and not overridden by another record.
- Avoid conflicting or incorrect records
- Ensure there is only one TXT verification record for that specific Microsoft 365 verification token.
- For MX-based verification, ensure the MX record is added exactly as specified and with a high priority number so it does not interfere with existing mail routing.
- Re-run the wizard after corrections
- Once the TXT/MX record is confirmed correct and visible, return to Settings > Domains in the Microsoft 365 admin center and select Verify again.
- If still failing after propagation window
- Use the Microsoft 365 admin center’s domain troubleshooting guidance: Find and fix issues after adding your domain or DNS records.
- Confirm that the domain is not already attached to another tenant (if it is, it must be removed there first before being added to a new tenant).
4. Summary recommendation
- Use TXT record verification as the default method.
- Expect verification within 10–15 minutes, but allow up to 48 hours in edge cases.
- If verification fails, validate that the TXT record is:
- In the authoritative DNS zone for the domain.
- Exactly matching the value provided by Microsoft 365.
- Propagated (visible via public DNS tools).
- Then retry verification from the Microsoft 365 admin center.
References:
- External Domain Name System records for Microsoft 365
- Create DNS records for Microsoft using Windows-based DNS
- Add a custom domain to Microsoft 365
- Connect your DNS records at Network Solutions to Microsoft 365
- Connect your DNS records at web.com to Microsoft 365
- Connect your DNS records at 123-reg.co.uk to Microsoft 365