Overview
When you set up Microsoft 365 for your domain, you need to add several DNS records so that email, autodiscovery, and other services work correctly. This guide covers all the required DNS records.
Prerequisites
- A Microsoft 365 subscription with a custom domain added
- Access to your domain's DNS management (cPanel, DirectAdmin, or your domain registrar)
Required DNS records
1. MX record (email routing)
This record directs incoming email to Microsoft 365 servers.
| Type | Host | Value | Priority | TTL |
|---|---|---|---|---|
| MX | @ |
yourdomain-com.mail.protection.outlook.com |
0 | 3600 |
Replace yourdomain-com with your actual domain, using hyphens instead of dots (e.g., example-com for example.com).
2. Autodiscover CNAME (automatic client configuration)
This allows Outlook and other mail clients to automatically find the correct server settings.
| Type | Host | Value | TTL |
|---|---|---|---|
| CNAME | autodiscover |
autodiscover.outlook.com |
3600 |
3. SPF record (sender authentication)
This TXT record tells receiving mail servers that Microsoft 365 is authorized to send email on behalf of your domain.
| Type | Host | Value | TTL |
|---|---|---|---|
| TXT | @ |
v=spf1 include:spf.protection.outlook.com -all |
3600 |
If you already have an SPF record, add include:spf.protection.outlook.com before the -all or ~all mechanism.
4. DKIM CNAME records (email signing)
DKIM adds a digital signature to outgoing emails. You need to enable DKIM in the Microsoft 365 admin center first, then add these records:
| Type | Host | Value | TTL |
|---|---|---|---|
| CNAME | selector1._domainkey |
selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com |
3600 |
| CNAME | selector2._domainkey |
selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com |
3600 |
The exact values are provided in the Microsoft 365 admin center under Settings > Domains > DNS records.
5. DMARC record (policy enforcement)
DMARC builds on SPF and DKIM to prevent email spoofing.
| Type | Host | Value | TTL |
|---|---|---|---|
| TXT | _dmarc |
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com |
3600 |
Verification
After adding the DNS records:
- Wait 15–60 minutes for DNS propagation (it can take up to 48 hours in some cases).
- In the Microsoft 365 admin center, go to Settings > Domains.
- Select your domain and click Check health to verify all records.
Troubleshooting
- Email not arriving: Verify the MX record priority is set to 0 and no conflicting MX records exist.
-
Outlook not auto-configuring: Ensure the
autodiscoverCNAME is correctly set. - Emails going to spam: Verify SPF, DKIM, and DMARC are all properly configured.