External Domain Name System records for Office 365
Want to see a customized list of DNS records for your Office 365 organization? You can find the info you need to create Office 365 DNS records for your domain in Office 365.
Need step-by-step help to add these records at your domain's DNS host, such as GoDaddy or eNom? Find links to step-by-step instructions for many popular DNS hosts.
Sticking around to use the reference list for your own custom deployment? The below list should be used as a reference for your custom Office 365 deployment. You will need to select which records apply to your organization and fill in the appropriate values.
Go back to Network planning and performance tuning for Office 365.
Often the SPF and MX records are the hardest to figure out. We've updated our SPF records guidance at the end of this article. The important thing to remember is that you can only have a single SPF record for your domain. You can have multiple MX records; however, that can cause problems for mail delivery. Having a single MX record that directs email to one mail system removes many potential problems.
The sections below are organized by service in Office 365. To see a customized list of the Office 365 DNS records for your domain, sign in to Office 365 and Gather the information you need to create Office 365 DNS records.
External DNS records required for Office 365 (core services)
The TXT record is needed to prove that you own the domain and is required for all customers.
The CNAME record is only required for customers using Office 365 operated by 21Vianet. It ensures that Office 365 can direct workstations to authenticate with the appropriate identity platform.
|DNS record||Purpose||Value to use||Applies to|
|Used by Office 365 to verify only that you own your domain. It doesn't affect anything else.||Host: @ (or, for some DNS hosting providers, your domain name)
TXT Value: A text string provided by Office 365
The Office 365 domain setup wizard provides the values that you use to create this record.
|Used by Office 365 to direct authentication to the correct identity platform. More information
Note that this CNAME only applies to Office 365 operated by 21Vianet. If present and your Office 365 is not operated by 21Vianet, users on your custom domain will get a "custom domain isn't in our system" error and won't be able to activate their Office 365 license. More information
|21Vianet customers only|
External DNS records required for email in Office 365 (Exchange Online)
Email in Office 365 requires several different records. The three primary records that all customers should use are the Autodiscover, MX, and SPF records.
The Autodiscover record allows client computers to automatically find Exchange and configure the client properly.
The MX record tells other mail systems where to send email for your domain. Note: When you change your email to Office 365, by updating your domain's MX record, ALL email sent to that domain will start coming to Office 365. Do you just want to switch a few email addresses to Office 365? You can Pilot Office 365 with a few email addresses on your custom domain.
The TXT record for SPF is used by recipient email systems to validate that the server sending your email is one that you approve. This helps prevent problems like email spoofing and phishing. See the External DNS records required for SPF in this article to help you understand what to include in your record.
Email customers who are using Exchange Federation will also need the additional CNAME and TXT record listed at the bottom of the table.
|DNS record||Purpose||Value to use|
|Helps Outlook clients to easily connect to the Exchange Online service by using the Autodiscover service. Autodiscover automatically finds the correct Exchange Server host and configures Outlook for users.||Alias: Autodiscover
|Sends incoming mail for your domain to the Exchange Online service in Office 365.
Note: Once email is flowing to Exchange Online, you should remove the MX records that are pointing to your old system.
|Domain: For example, contoso.com
Target email server:<MX token>.mail.protection.outlook.com
Time To Live (TTL) Value: 3600
Preference/Priority: Lower than any other MX records (this ensures mail is delivered to Exchange Online) - for example 1 or 'low'
Find your <MX token> by following these steps:
Sign in to Office 365, go to Office 365 admin > Domains.
In the Action column for your domain, choose Fix issues.
In the MX records section, choose What do I fix?
Follow the directions on this page to update your MX record.
What is MX priority?
|Helps to prevent other people from using your domain to send spam or other malicious email. Sender policy framework (SPF) records work by identifying the servers that are authorized to send email from your domain.||External DNS records required for SPF|
|Used for Exchange federation for hybrid deployment.||TXT record 1: For example, contoso.com and associated custom-generated, domain-proof hash text (for example, Y96nu89138789315669824)
TXT record 2: For example, exchangedelegation.contoso.com and associated custom-generated, domain-proof hash text (for example, Y3259071352452626169)
|Helps Outlook clients to easily connect to the Exchange Online service by using the Autodiscover service when your company is using Exchange federation. Autodiscover automatically finds the correct Exchange Server host and configures Outlook for your users.||Alias: For example, Autodiscover.service.contoso.com
External DNS records required for Teams
There are specific steps to take when you use Office 365 URLs and IP address ranges to make sure your network is configured correctly.
These DNS records apply only to tenants in Teams-only mode, for hybrid tenants, see DNS implications for on-premises organizations that become hybrid.
|DNS record||Purpose||Value to use|
|Allows your Office 365 domain to share instant messaging (IM) features with external clients by enabling SIP federation.||Domain: <domain>
Note: If the firewall or proxy server blocks SRV lookups on an external DNS, you should add this record to the internal DNS record.
|It may be needed by Teams-only tenants that use Skype for Business Online phones for Teams.||Domain: <domain>
|Required by Teams-only tenants to support PowerShell cmdlets that still use Skype for Business Online infrastructure for management.||Alias: lyncdiscover.<domain>
External DNS records required for Office 365 Single Sign-On
|DNS record||Purpose||Value to use|
|Host (A)||Used for single sign-on (SSO). It provides the endpoint for your off-premises users (and on-premises users, if you like) to connect to your Active Directory Federation Services (AD FS) federation server proxies or load-balanced virtual IP (VIP).||Target: For example, sts.contoso.com|
External DNS records required for SPF
SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF cannot protect against. In order to protect against these, once you have set up SPF, you should also configure DKIM and DMARC for Office 365. To get started, see Use DKIM to validate outbound email sent from your domain in Office 365. Next, see Use DMARC to validate email in Office 365.
SPF records are TXT records that help to prevent other people from using your domain to send spam or other malicious email. Sender policy framework (SPF) records work by identifying the servers that are authorized to send email from your domain.
You can only have one SPF record (that is, a TXT record that defines SPF) for your domain. That single record can have a few different inclusions but the total DNS lookups that result can't be more than 10 (this helps prevent denial of service attacks). See the table and other examples below to help you create or update the right SPF record values for your environment.
Structure of an SPF record
All SPF records contain three parts: the declaration that it is an SPF record, the domains, and IP addresses that should be sending email, and an enforcement rule. You need all three in a valid SPF record. Here's an example of a common SPF record for Office 365 when you use only Exchange Online email:
TXT Name @ Values: v=spf1 include:spf.protection.outlook.com -all
An email system that receives an email from your domain looks at the SPF record, and if the email server that sent the message was an Office 365 server, the message is accepted. If the server that sent the message was your old mail system or a malicious system on the Internet, for example, the SPF check might fail and the message wouldn't be delivered. Checks like this help to prevent spoofing and phishing messages.
Choose the SPF record structure you need
For scenarios where you're not just using Exchange Online email for Office 365 (for example, when you use email originating from SharePoint Online as well), use the following table to determine what to include in the value of the record.
If you have a complicated scenario that includes, for example, edge email servers for managing email traffic across your firewall, you'll have a more detailed SPF record to set up. Learn how: Set up SPF records in Office 365 to help prevent spoofing. You can also learn much more about how SPF works with Office 365 by reading How Office 365 uses Sender Policy Framework (SPF) to help prevent spoofing.
|Number||If you're using...||Purpose||Add these includes|
|1||All email systems (required)||All SPF records start with this value||v=spf1|
|2||Exchange Online (common)||Use with just Exchange Online||include:spf.protection.outlook.com|
|3||Third-party email system (less common)||include:<email system like mail.contoso.com>|
|4||On-premises mail system (less common)||Use if you're using Exchange Online Protection or Exchange Online plus another mail system||
The value in brackets (<>) should be other mail systems that will send email for your domain.
|5||All email systems (required)||-all|
Example: Adding to an existing SPF record
If you already have an SPF record, you'll need to add or update values for Office 365. For example, say your existing SPF record for contoso.com is this:
TXT Name @ Values: v=spf1 ip4:18.104.22.168 include:smtp.adatum.com -all
Now you're updating your SPF record for Office 365. You'll edit your current record so you have an SPF record that includes the values that you need. For Office 365, "spf.protection.outlook.com".
TXT Name @ Values: v=spf1 ip4:22.214.171.124 include:spf.protection.outlook.com include:smtp.adatum.com -all
Record 1: TXT Name @ Values: v=spf1 ip4:126.96.36.199 include:smtp.adatum.com -all Record 2: Values: v=spf1 include:spf.protection.outlook.com -all
More examples of common SPF values
If you are using the full Office 365 suite and are using MailChimp to send marketing emails on your behalf, your SPF record at contoso.com might look like the following, which uses rows 1, 3, and 5 from the table above. Remember, rows 1 and 5 are required.
TXT Name @ Values: v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all
Alternatively, if you have an Exchange Hybrid configuration where email will be sent from both Office 365 and your on-premises mail system, your SPF record at contoso.com might look like this:
TXT Name @ Values: v=spf1 include:spf.protection.outlook.com include:mail.contoso.com -all
These are some common examples that can help you adapt your existing SPF record when you add your domain to Office 365 for email. If you have a complicated scenario that includes, for example, edge email servers for managing email traffic across your firewall, you'll have a more detailed SPF record to set up. Learn how: Set up SPF records in Office 365 to help prevent spoofing.
Here's a short link you can use to come back: https://aka.ms/o365edns
Submit and view feedback for