Best practices for verifying a business domain with Microsoft services

Question

Best practices for verifying a business domain with Microsoft services

Clear Water Pool Service Inc 40

Hello,

I’m trying to better understand the recommended process for verifying a business domain when setting up Microsoft-related services.

What are the most common DNS verification methods used (TXT, CNAME, etc.), and what troubleshooting steps should I check if verification takes longer than expected?

Also, are there common mistakes that typically cause verification failures?

Any advice or Microsoft documentation recommendations would be appreciated. Thanks!

Aarnav Raipancholia 0 Reputation points

2026-06-05T08:17:33.42+00:00
Verifying a business domain for Microsoft services (like Microsoft 365, Azure, or Intune) is a critical step to prove ownership and enable services.

Common DNS Verification Methods

Microsoft primarily uses two DNS record types for domain verification:

TXT Record (Most Common)

How it works: You add a specific text string provided by Microsoft to your domain's DNS settings.

Why use it: It's the standard method for most Microsoft 365 and Azure AD tenant verifications. It doesn't interfere with existing email or website routing.

Example Value: MS=ms12345678

CNAME Record
- **How it works:** You create a CNAME record that points to a specific Microsoft domain. - **Why use it:** Sometimes required for specific scenarios (like verifying a domain for SharePoint or certain legacy setups) or if your DNS provider has limitations with TXT records. - **Note:** Using a CNAME for verification can sometimes interfere with other services if not configured carefully.

Troubleshooting: Verification Takes Too Long

If you've added the record and Microsoft says it "could not find the record," try these steps:

Wait for Propagation: DNS changes can take anywhere from a few minutes to 48 hours to propagate globally, though it's usually under an hour.

Check the Record Type: Ensure you selected the correct type (e.g., TXT vs CNAME) in your DNS host.

Verify the Name/Host:

For the root domain, the hostname is often @ or left blank (depending on your provider).

For subdomains, ensure you entered the full prefix correctly.

Check the Value: Copy and paste the verification string directly. Do not add extra spaces or quotes unless they are part of the required string.

Use a DNS Lookup Tool: Use a public tool (like nslookup, dig, or online checkers like MxToolbox, to see if the record is visible publicly from outside your network.

Command: nslookup -type=txt yourdomain.com

Browser Cache: Sometimes, the Microsoft admin portal caches the "failed" status. Try refreshing the page or waiting 15 minutes before retrying the verification button.

Common Mistakes Causing Failures

Adding to the Wrong Zone: If you manage multiple domains or subdomains, ensure you are editing the DNS zone for the exact domain you are trying to verify (e.g., contoso.com vs mail.contoso.com).

Duplicate Records: Having multiple TXT records for the same hostname with different values (unless your DNS provider supports this explicitly) can cause conflicts.

Trailing Dots: Some DNS providers require a trailing dot (.) at the end of the domain name (e.g., @.), while others do not. Check your provider's specific syntax requirements.

Conflicting CNAMEs: You cannot have a CNAME record at the root level (@If you also have other records (like A records) for that same name. This is a common DNS protocol restriction.

Typographical Errors: A single missing character in the MS=... value will cause immediate failure.

Recommended Microsoft Documentation

For the most up-to-date, step-by-step guides specific to your service, refer to these official Microsoft Learn pages:

Verify your domain for Microsoft 365: Microsoft Learn - Verify your domain

Add a domain to Azure AD: Microsoft Learn - Add a custom domain name

DNS Troubleshooting: Microsoft Learn - Troubleshoot domain verification issues. Verifying a business domain for Microsoft services (like Microsoft 365, Azure, or Intune) is a critical step to prove ownership and enable services. Here’s a breakdown of the common methods, troubleshooting tips, and pitfalls to avoid.

Common DNS Verification Methods

Microsoft primarily uses two DNS record types for domain verification:

TXT Record (Most Common)

- **How it works:** You add a specific text string provided by Microsoft to your domain's DNS settings. - **Why use it:** It's the standard method for most Microsoft 365 and Azure AD tenant verifications. It doesn't interfere with existing email or website routing. - **Example Value:** `MS=ms12345678` **CNAME Record** - **How it works:** You create a CNAME record that points to a specific Microsoft domain. - **Why use it:** Sometimes required for specific scenarios (like verifying a domain for SharePoint or certain legacy setups) or if your DNS provider has limitations with TXT records. - **Note:** Using a CNAME for verification can sometimes interfere with other services if not configured carefully. ### Troubleshooting: Verification Takes Too Long If you've added the record and Microsoft says it "could not find the record," try these steps: - **Wait for Propagation:** DNS changes can take anywhere from a few minutes to 48 hours to propagate globally, though it's usually under an hour. - **Check the Record Type:** Ensure you selected the correct type (e.g., `TXT` vs `CNAME`) in your DNS host.

Verify the Name/Host:

For the root domain, the hostname is often @ or left blank (depending on your provider).

For subdomains, ensure you entered the full prefix correctly.

Check the Value: Copy and paste the verification string directly. Do not add extra spaces or quotes unless they are part of the required string.

Use a DNS Lookup Tool: Use a public tool (like nslookup, dig, or online checkers like MxToolbox,t o see if the record is visible publicly from outside your network.
- *Command:* `nslookup -type=txt yourdomain.com`

Browser Cache: Sometimes, the Microsoft admin portal caches the "failed" status. Try refreshing the page or waiting 15 minutes before retrying the verification button.

Common Mistakes Causing Failures

Adding to the Wrong Zone: If you manage multiple domains or subdomains, ensure you are editing the DNS zone for the exact domain you are trying to verify (e.g., contoso.com vs mail.contoso.com).

Duplicate Records: Having multiple TXT records for the same hostname with different values (unless your DNS provider supports this explicitly) can cause conflicts.

Trailing Dots: Some DNS providers require a trailing dot (.) at the end of the domain name (e.g., @.), while others do not. Check your provider's specific syntax requirements.

Conflicting CNAMEs: You cannot have a CNAME record at the root level (@If you also have other records (like A records) for that same name. This is a common DNS protocol restriction.

Typographical Errors: A single missing character in the MS=... value will cause immediate failure.

Recommended Microsoft Documentation

For the most up-to-date, step-by-step guides specific to your service, refer to these official Microsoft Learn pages:

Verify your domain for Microsoft 365: Microsoft Learn - Verify your domain

Add a domain to Azure AD: Microsoft Learn - Add a custom domain name

DNS Troubleshooting: Microsoft Learn - Troubleshoot domain verification issues
Shubham Sharma 17,160 Reputation points Microsoft External Staff Moderator

2026-06-05T09:49:23.6866667+00:00

Clear Water Pool Service Inc

Thank you for reaching out to Microsoft Q&A.

Based on your description, if you are unable to verify your custom domain in your Entra ID tenant, even after correctly adding the TXT records in your domain provider side.

This issue often occurs when the domain has already been verified in another Entra directory, as explained in the following document: Common verification issues

To resolve this, the recommended approach is to contact the Microsoft Data Protection team. You can reach them by calling Microsoft Customer Service using the phone numbers listed here: https://support.microsoft.com/en-us/topic/customer-service-phone-numbers-c0389ade-5640-e588-8b0e-28de8afeb3f2

Answer accepted by question author

0 additional answers

Your answer

Shubham Sharma 17,160 Reputation points Microsoft External Staff Moderator

2026-06-05T09:49:23.6866667+00:00

Clear Water Pool Service Inc

Thank you for reaching out to Microsoft Q&A.

Based on your description, if you are unable to verify your custom domain in your Entra ID tenant, even after correctly adding the TXT records in your domain provider side.

This issue often occurs when the domain has already been verified in another Entra directory, as explained in the following document: Common verification issues

To resolve this, the recommended approach is to contact the Microsoft Data Protection team. You can reach them by calling Microsoft Customer Service using the phone numbers listed here: https://support.microsoft.com/en-us/topic/customer-service-phone-numbers-c0389ade-5640-e588-8b0e-28de8afeb3f2

Answer 1

For Microsoft 365 and Microsoft Entra ID, the primary and recommended DNS verification method is a TXT record. Other record types (such as MX or CNAME) may be used in specific services, but TXT is the standard for proving domain ownership.

Common verification methods

TXT record (primary method)

Microsoft 365 / Entra ID provides a TXT value (for example, starting with MS=) that must be added at the domain’s DNS host.
This TXT record is used only to verify ownership and does not affect other services.
Typical steps:
- In the Microsoft 365 admin center, go to Settings > Domains.
- Add or select the domain and choose Start setup.
- Copy the “Destination” or “Points to address” value.
- At the DNS host, create a TXT record at the root (often host name @ or blank, depending on the DNS tool) with that value.
- Wait ~15 minutes, then return to the admin center and select Verify.

MX record (alternate method in some flows)

In some scenarios, Microsoft may allow verification via MX record instead of TXT.
The MX record is also provided by Microsoft and must be added exactly as given.

Windows-based DNS

For on-premises Windows DNS, the same TXT-based verification is used:
- In DNS Manager, create a TXT record at the zone root.
- Ensure the host name is blank if the UI would otherwise append the parent domain incorrectly.

Best practices and troubleshooting if verification is slow or failing

Confirm the TXT value is exact

Ensure the full value from Microsoft is copied, including the MS= prefix where present.
Any missing characters, extra spaces, or truncation will cause verification to fail.

Ensure the record is actually saved and published

Some DNS providers require an extra step (such as “Save zone” or “Apply changes”) after adding the record.
If the zone file is not saved, Microsoft 365 cannot see the record.

Check DNS propagation and authoritative DNS

DNS changes typically take about 15 minutes but can take longer.
Use an authoritative DNS lookup tool to confirm the record exists:
- Query the TXT record for the domain using an authoritative lookup.
- If the expected TXT value is not returned, the record is either missing, misconfigured, or not yet published.
For domains whose nameservers point to Microsoft 365 (for example, ns1.bdm.microsoftonline.com etc.), verification TXT records must be created in Microsoft 365 DNS, not only at the registrar. Azure and other Microsoft services validate against the authoritative DNS zone.

Verify the correct host name

For root-domain verification, the TXT record is usually created at the zone root:
- Host name often @ or blank, depending on DNS UI.
- Avoid entering the full domain name in the host field if the tool already appends the zone name.

Wait an appropriate amount of time

Although 15 minutes is typical, some DNS hosts or TTL settings can cause delays of up to a few hours.
If verification fails immediately, wait and retry later before changing the record.

Use the Microsoft 365 domains troubleshooter

In Microsoft 365 admin center:
- Go to Setup > Domains.
- Check the Status column and use “Check health” to see any DNS issues.
- The troubleshooter will list missing or incorrect records and the exact values required.

Use domain-specific instructions

When adding a domain, use the “See instructions for performing this step with” drop-down and choose “General instructions” or a specific DNS host to ensure the correct record format.

Common mistakes that cause verification failures

Incorrect TXT value

Omitting the MS= prefix.
Typographical errors or extra characters.
Copying only part of the value.

Wrong DNS zone or provider

Adding the TXT record at the registrar while the domain’s nameservers point elsewhere (for example, to Microsoft 365 or another DNS host).
Adding the record in a subdomain zone instead of the main domain.

Record not saved or not applied

Failing to publish or save the zone after adding the record.

Wrong host name

Using @ when the DNS tool expects a blank host name, or vice versa, resulting in a TXT record at the wrong FQDN.
Creating the TXT record under a subdomain (for example, verify.contoso.com) when Microsoft expects it at contoso.com.

Conflicting or multiple verification attempts

Changing the TXT value before Microsoft has completed verification.
Using outdated instructions or values from a previous verification attempt.

Domain already in another tenant

Microsoft Entra ID does not allow the same domain to be verified in more than one tenant.
If the domain is already verified in another tenant, it must be removed from that tenant before being added again.

Domain hygiene considerations

Use a reputable registrar and keep domain registration current.
Regularly review TXT records for accuracy and tampering, especially after domain expiry or transfer.
If a domain is intentionally expired or transferred, remove it from the Microsoft Entra tenant first.
A domain cannot be verified in more than one Microsoft Entra tenant at the same time.

If verification continues to fail after confirming the TXT record via authoritative lookup and waiting for propagation, contact Microsoft 365 or Office 365 Support for tenant-specific investigation.

References:

Share via

Best practices for verifying a business domain with Microsoft services

Common DNS Verification Methods

Troubleshooting: Verification Takes Too Long

Common Mistakes Causing Failures

Recommended Microsoft Documentation

Common DNS Verification Methods

Common Mistakes Causing Failures

Recommended Microsoft Documentation

0 additional answers

Your answer