Plan the DNS record requirements for a custom domain

After the Microsoft 365 setup wizard has verified the organization owns the custom domain, the administrator should add other DNS records to the custom DNS zone. These records should enable the organization’s clients to locate Microsoft 365 services. Each DNS zone can contain several different DNS record types that provide differing name resolution services.

  • If the organization hosts its own external DNS server, then a DNS administrator should add the necessary DNS records to provide client connectivity to Office 365 services.
  • If a DNS provider hosts the organization’s DNS zone, then administrators should add the necessary DNS records through the appropriate management console that the DNS provider has created. Some DNS providers, such as GoDaddy, provide automated DNS record configuration for Microsoft 365. This design saves organizations from having to manually create their DNS records for Microsoft 365. Organizations may also select the option to have Microsoft 365 configure and host the DNS records.

Microsoft 365 uses the following subset of DNS records, each of which is examined in the following sections:

  • DNS records for Exchange Online
  • DNS records for Skype for Business Online
  • DNS records for Mobile Device Management for Microsoft 365

DNS records for Exchange Online

DNS records for Exchange Online include:

  • MX. This record is a requirement for SMTP communication between Exchange Online in Microsoft 365 and mail servers on the Internet.
  • CNAME. Outlook clients use this record to locate the Autodiscover service in Microsoft 365.
  • TXT. This record is a requirement for Sender Policy Framework (SPF) anti-spam protection and for organizations that use federation.

The following table identifies the requirements for the MX and CNAME records for Exchange Online.

| Type | Priority | Host name | Points to address | TTL |
|---|---|---|---|---|
| MX | 0 | @ | Adatum-com.mail.protection.outlook.com | One Hour |
| CNAME | - | autodiscover | autodiscover.outlook.com | One Hour |

The following table identifies the requirements for the TXT records for Exchange Online.

| Type | TXT name | TXT Value | TTL |
|---|---|---|---|
| TXT | @ | v=spf1 include:spf.protection.outlook.com -all | One Hour |
| TXT | @ | Custom-generated, domain-proof hash text | One Hour |

DNS records for Skype for Business Online

DNS records for Skype for Business Online include:

  • SRV. This record is used for SIP federation where a Microsoft 365 domain shares instant messaging (IM) features with external clients. An SRV record is also used to coordinate the flow of communication between Skype for Business clients.
  • CNAME. CNAME records are used by Skype for Business desktop clients and mobile clients to find the Skype for Business Online service in Microsoft 365 and sign in.

The following table identifies the requirements for the SRV records for Skype for Business Online.

| Type | Service | Protocol | Port | Weight | Priority | TTL | Name | Target |
|---|---|---|---|---|---|---|---|---|
| SRV | _sip | _tls | 443 | 1 | 100 | One Hour | @ | sipdir.online.lync.com |
| SRV | _sipfederationtls | _tcp | 5061 | 1 | 100 | One Hour | @ | sipfed.online.lync.com |

The following table identifies the requirements for the CNAME records for Skype for Business Online.

| Type | Host name | Points to address | TTL |
|---|---|---|---|
| CNAME | sip | sipdir.online.lync.com | One Hour |
| CNAME | lyncdiscover | webdir.online.lync.com | One Hour |

The DNS record for Office 365 Single Sign-On is an Address (A) record. The record is used where organizations need single sign-on (SSO) with Active Directory Federation Services (AD FS). The record provides the endpoint for on-premises and external users to connect to organizational Web Application Proxy servers or load-balanced virtual IP addresses.

The following table identifies the requirements for the Address (A) record for Microsoft 365 Single Sign-On.

| Type | Host name | Points to address | TTL |
|---|---|---|---|
| Host (A) | sip | sipdir.online.lync.com | One Hour |

DNS records for Mobile Device Management for Microsoft 365

The DNS records for Mobile Device Management for Microsoft 365 include:

  • CNAME for manage.microsoft.com. When Microsoft 365 users sign in on their mobile devices with an email address, this setting is used to redirect them to enroll in MDM for Microsoft 365.
  • CNAME for enterpriseregistration.windows.net. This setting is used for workplace join for mobile devices.

The following table identifies the requirements for the CNAME records for Mobile Device Management for Microsoft 365.

| Type | Host name | Points to address | TTL |
|---|---|---|---|
| CNAME | enterpriseregistration | enterpriseregistration.windows.net | One Hour |
| CNAME | enterpriseenrollment | enterpriseenrollment.manage.microsoft.com | One Hour |

The DNS record for Microsoft Online Services Sign-In Assistant is a CNAME record. This record is used during the authentication process by client applications, such as Outlook, Skype for Business Online, Windows PowerShell, and the Microsoft Azure Active Directory Sync tool. Microsoft 365 uses this record to connect clients to the appropriate authentication endpoint, depending on the client location.

The following table identifies the requirements for the CNAME record for Microsoft Online Services Sign-In Assistant.

| Type | Host name | Points to address | TTL |
|---|---|---|---|
| CNAME | msoid | clientconfig.microsoftonline-p.net | One Hour |

The following diagram shows how an organization only needs to configure pointers to Microsoft 365 to use their custom domain names in Microsoft 365.

[Diagram: an organization only needs to configure pointers to Microsoft 365 to use their custom domain names in Microsoft 365.]

Additional reading. For more information, see External Domain Name System records for Microsoft 365.
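
The record requirements in this unit can be checked mechanically once the zone has been populated. The following is an added example, not Microsoft tooling or code from the original page: it audits a BIND-style zone export against the MX, CNAME, SRV and SPF values listed in the tables above and reports missing records, wrong targets and duplicate SPF records. The function names, the zone line format (name, TTL, class, type, data) and the sample zone, including the host mail.adatum.com, are assumptions constructed for illustration; the MX target is the one the page gives for its example domain.

```python
# Added example: EXPECTED rows are (type, host, target) from the page's tables.
EXPECTED = [
    ("MX", "@", "adatum-com.mail.protection.outlook.com"),
    ("CNAME", "autodiscover", "autodiscover.outlook.com"),
    ("SRV", "_sip._tls", "sipdir.online.lync.com"),
    ("SRV", "_sipfederationtls._tcp", "sipfed.online.lync.com"),
    ("CNAME", "sip", "sipdir.online.lync.com"),
    ("CNAME", "lyncdiscover", "webdir.online.lync.com"),
    ("CNAME", "enterpriseregistration", "enterpriseregistration.windows.net"),
    ("CNAME", "enterpriseenrollment", "enterpriseenrollment.manage.microsoft.com"),
    ("CNAME", "msoid", "clientconfig.microsoftonline-p.net"),
]
EXPECTED_SPF = "v=spf1 include:spf.protection.outlook.com -all"

def parse_zone(text):
    """Parse 'name ttl IN type rdata' lines into (type, name, rdata) tuples."""
    fields = (line.split(None, 4) for line in text.strip().splitlines())
    return [(f[3].upper(), f[0].lower(), f[4].strip()) for f in fields]

def audit(rows):
    findings = []
    for rtype, host, want in EXPECTED:
        # The target is the last rdata field for MX, SRV and CNAME alike.
        got = [d.split()[-1].rstrip(".").lower()
               for t, n, d in rows if (t, n) == (rtype, host)]
        if not got:
            findings.append(f"missing {rtype} {host}")
        findings += [f"{rtype} {host} -> {g}, expected {want}"
                     for g in got if g != want]
    spf = [d.strip('"') for t, n, d in rows
           if t == "TXT" and n == "@" and d.strip('"').startswith("v=spf1")]
    if len(spf) != 1:  # receivers treat more than one SPF record as an error
        findings.append(f"{len(spf)} SPF records at @, expected exactly 1")
    findings += [f"SPF is '{s}'" for s in spf if s != EXPECTED_SPF]
    return findings

# Constructed sample: wrong autodiscover target, two SPF records, no msoid.
SAMPLE_ZONE = """
@ 3600 IN MX 0 adatum-com.mail.protection.outlook.com.
@ 3600 IN TXT "v=spf1 include:spf.protection.outlook.com -all"
@ 3600 IN TXT "v=spf1 a mx ~all"
autodiscover 3600 IN CNAME mail.adatum.com.
_sip._tls 3600 IN SRV 100 1 443 sipdir.online.lync.com.
_sipfederationtls._tcp 3600 IN SRV 100 1 5061 sipfed.online.lync.com.
sip 3600 IN CNAME sipdir.online.lync.com.
lyncdiscover 3600 IN CNAME webdir.online.lync.com.
enterpriseregistration 3600 IN CNAME enterpriseregistration.windows.net.
enterpriseenrollment 3600 IN CNAME enterpriseenrollment.manage.microsoft.com.
"""
```

Calling audit(parse_zone(SAMPLE_ZONE)) returns one finding per deviation; an empty list means the zone matches the tables.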