DNS records for Office 365 GCC High

This article applies to Office 365 GCC High and Microsoft 365 GCC High

As part of onboarding to Office 365 GCC High, you will need to add your SMTP and SIP domains to your Online Services tenant. You’ll do this using the New-MsolDomain cmdlet in Azure AD PowerShell or use the Azure Government Portal to start the process of adding the domain and proving ownership.

Note

Azure AD Powershell is planned for deprecation on March 30, 2024. To learn more, read the deprecation update.

We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). Microsoft Graph PowerShell allows access to all Microsoft Graph APIs and is available on PowerShell 7. For answers to common migration queries, see the Migration FAQ.

Once you have your domains added to your tenant and validated, use the following guidance to add the appropriate DNS records for the services below. You may need to modify the below table to fit your organization’s needs with respect to the inbound MX record(s) and any existing Exchange Autodiscover record(s) you have in place. We strongly recommend coordinating these DNS records with your messaging team to avoid any outages or mis-delivery of email.

Exchange Online

Type Priority Host name Points to address or value TTL
MX 0 @ tenant.mail.protection.office365.us (see below for more details) One Hour
TXT - @ v=spf1 include:spf.protection.office365.us -all One Hour
CNAME - autodiscover autodiscover.office365.us One Hour

Exchange Autodiscover record

If you have Exchange Server on-premises, we recommend leaving your existing record in place while you migrate to Exchange Online, and update that record once you have completed your migration.

Exchange Online MX Record

The MX record value for your accepted domains follows a standard format as noted above: tenant.mail.protection.office365.us, replacing tenant with the first part of your default tenant name.

For example, if your tenant name is contoso.onmicrosoft.us, you’d use contoso.mail.protection.office365.us as the value for your MX record.

Skype for Business Online

CNAME records

Type Host name Points to address or value TTL
CNAME sip sipdir.online.gov.skypeforbusiness.us One Hour
CNAME lyncdiscover webdir.online.gov.skypeforbusiness.us One Hour

SRV records

Type Service Protocol Port Weight Priority Name Target TTL
SRV _sip _tls 443 1 100 @ sipdir.online.gov.skypeforbusiness.us One Hour
SRV _sipfederationtls _tcp 5061 1 100 @ sipfed.online.gov.skypeforbusiness.us One Hour

Other DNS records

Important

If you have an existing msoid CNAME record in your DNS zone, you must remove the record from DNS at this time. The msoid record is incompatible with Microsoft 365 Enterprise Apps (formerly Office 365 ProPlus) and will prevent activation from succeeding.