What steps should I take if my MX record verification fails during setup?

If your MX record verification fails, first ensure that the MX record is correctly configured to point to Microsoft's mail server, formatted as 'yourcompany-com.mail.protection.outlook.com' with priority set to 0. Use tools like MX Toolbox to confirm the record's existence and correctness. Check for DNS propagation, which can take 15-60 minutes. If issues persist, review for conflicting MX records or syntax errors. If migrating from another provider, ensure old records are either deleted or set to a lower priority. Once adjustments are made, reattempt the verification in the Microsoft 365 admin center.

How can I monitor and respond to SPF failures after configuring my DNS?

To effectively monitor SPF failures, implement DMARC with a reporting address in your DMARC record (e.g., rua=mailto:dmarc-reports@yourcompany.com). Start with a 'p=none' policy to gather reports without affecting email delivery. Analyze the aggregate reports to identify unauthorized senders and legitimate sources. If unauthorized senders are detected, adjust your SPF record to include only verified senders. Gradually enforce stricter DMARC policies (e.g., 'p=quarantine' then 'p=reject') to prevent spoofing while maintaining legitimate email delivery.

What are the implications of not configuring DKIM for my domain in Office 365?

Failing to configure DKIM (DomainKeys Identified Mail) leaves your emails vulnerable to spoofing and phishing attacks, as DKIM provides email authenticity through cryptographic signatures. Without DKIM, recipients' email servers may mark your emails as spam or reject them entirely. This can lead to delivery issues and damage your organization's reputation. Additionally, you won't benefit from improved email deliverability and trust from recipients. To mitigate these risks, enable DKIM as soon as possible by adding the required CNAME records in your DNS settings and activating DKIM in the Microsoft 365 Defender portal.

Configuring Domain and DNS Settings for Office 365

Proper DNS configuration is critical for Microsoft 365 to function correctly. This comprehensive guide covers domain verification, DNS record configuration for email delivery (MX, SPF, DKIM, DMARC), service discovery (Autodiscover, SRV records), and email authentication best practices to ensure reliable service operation and protect against email spoofing.

Overview

When you add a custom domain to Microsoft 365 (e.g., yourcompany.com), you need to configure specific DNS records that tell the internet where to route email, how to find services, and how to verify that email is legitimately from your domain. This process involves:

Domain verification - Proving you own the domain
MX records - Directing email to Microsoft 365
SPF records - Authorizing Microsoft 365 to send email on your behalf
DKIM records - Adding digital signatures to outgoing email
DMARC records - Defining email authentication policies
Autodiscover/SRV records - Enabling automatic client configuration

Properly configured DNS ensures:

Email is delivered reliably to and from your domain
Emails are not marked as spam or rejected
Outlook and mobile clients can automatically configure themselves
Your domain is protected against email spoofing and phishing attacks
Compliance with modern email security standards

This guide provides step-by-step instructions for configuring DNS at major providers (GoDaddy, Cloudflare, Namecheap, Google Domains) and general instructions applicable to any DNS hosting provider.

Prerequisites

Before configuring DNS for Microsoft 365, ensure you have:

Domain Requirements:

A registered domain name (e.g., yourcompany.com)
Access to your domain's DNS management console
Domain registrar login credentials

Microsoft 365 Requirements:

Active Microsoft 365 subscription (Business Basic, Business Standard, E3, E5, etc.)
Global Administrator or Domain Administrator role
Access to Microsoft 365 admin center (admin.microsoft.com)

Technical Knowledge:

Understanding of DNS basics (A, MX, CNAME, TXT records)
Ability to locate and modify DNS settings at your registrar
Awareness of DNS propagation time (up to 48 hours, typically 1-4 hours)

Recommended Preparation:

Document current DNS records before making changes
Identify your current email provider's MX records (if migrating)
Notify users of potential brief service interruptions
Have access to both Microsoft 365 admin center and DNS provider simultaneously

Important Notes:

DNS changes can take up to 48 hours to propagate globally
Incorrect DNS configuration can disrupt email delivery
Keep backup of original DNS records in case rollback is needed
Test email delivery after DNS changes propagate

Understanding DNS Records for Microsoft 365

Essential DNS Record Types

MX (Mail Exchanger) Records:

Purpose: Direct incoming email to Microsoft 365 servers
Priority: Lower number = higher priority (Microsoft uses 0)
Format: 0 yourcompany-com.mail.protection.outlook.com
Critical: Must point to Microsoft's mail servers for email to be delivered

TXT Records:

Purpose: Domain verification, SPF, DMARC policies
SPF: Specifies authorized mail servers
DMARC: Defines email authentication policy
Verification: Unique value to prove domain ownership

CNAME (Canonical Name) Records:

Purpose: Service discovery, Autodiscover, DKIM
Autodiscover: Enables automatic Outlook configuration
DKIM: Points to Microsoft's DKIM signing service
MDM/MAM: Mobile device management (if using Intune)

SRV (Service) Records:

Purpose: Enable Skype for Business/Teams federation
Format: Includes priority, weight, port, and target host
Less critical: Many organizations don't need these immediately

Microsoft 365 DNS Record Overview

Required for Email:

MX record (mail routing)
SPF TXT record (sender authorization)
Autodiscover CNAME (Outlook configuration)

Highly Recommended:

DKIM CNAMEs (email signing)
DMARC TXT record (authentication policy)

Optional (Service-Dependent):

SRV records (Teams/Skype federation)
MDM/MAM CNAMEs (mobile device management)
Custom vanity URLs

Method 1: Automated Setup (Let Microsoft Manage DNS)

If your domain is registered at a supported provider, Microsoft can configure DNS automatically.

Step 1: Start the Domain Setup Wizard

Sign in to Microsoft 365 admin center: https://admin.microsoft.com
Navigate to Settings → Domains
Click + Add domain
Enter your domain name (e.g., yourcompany.com)
Click Use this domain

Step 2: Verify Domain Ownership

Microsoft will detect your domain registrar
If supported (GoDaddy, 1&1 IONOS, etc.), click Sign in to authorize
Enter your domain registrar credentials
Authorize Microsoft to access your DNS settings
Click Verify

Microsoft will automatically add the verification TXT record.

Step 3: Complete Automated Setup

Select services to configure:
- Exchange and Exchange Online Protection (email)
- Teams (if using Teams calling)
- Intune and Mobile Device Management (if managing devices)
Click Continue
Microsoft automatically adds required DNS records:
- MX record
- SPF TXT record
- Autodiscover CNAME
- DKIM CNAMEs
- Any service-specific records
Click Finish
Wait 15-60 minutes for changes to propagate
Microsoft will confirm setup is complete

Advantages:

Fastest setup method
Reduces configuration errors
Automatic updates if Microsoft changes servers

Limitations:

Only works with supported registrars
Requires granting Microsoft access to your domain
Less control over individual records

Method 2: Manual DNS Configuration (Universal Method)

Use this method for any DNS provider, or if you prefer manual control.

Step 1: Start Domain Setup and Verify Ownership

Sign in to Microsoft 365 admin center: https://admin.microsoft.com
Navigate to Settings → Domains
Click + Add domain
Enter your domain name: yourcompany.com
Click Use this domain

Verify Domain Ownership:

Select Add a TXT record instead (recommended)
Microsoft displays a verification TXT record:
- TXT name/host: @ or leave blank (root domain)
- TXT value: MS=ms12345678 (unique to your domain)
- TTL: 3600 (1 hour) or default
Keep this window open - you'll need these values
Open a new browser tab to your DNS provider

Step 2: Add Verification TXT Record

At your DNS provider:

Log in to your DNS management console
Locate the DNS records section for your domain
Click Add Record or Add TXT Record
Configure the TXT record:
- Type: TXT
- Name/Host: @ (or leave blank for root domain)
- Value/Text: Paste the MS= value from Microsoft
- TTL: 3600 or leave at default
Click Save or Add Record
Return to Microsoft 365 admin center tab
Click Verify

If verification fails:

Wait 15-30 minutes for DNS propagation
Verify TXT record syntax (no extra spaces)
Use online DNS checker: https://mxtoolbox.com/TxtLookup.aspx
Try Verify again

Step 3: Choose DNS Records to Add

Once verified:

Select Add DNS records for me or I'll add DNS records myself
Choose I'll add DNS records myself for manual setup
Select intended services:
- Exchange Online (email)
- Skype for Business (if applicable)
- Intune and Mobile Device Management (if applicable)
Click Continue

Microsoft will display all required DNS records. Keep this page open as reference.

Step 4: Configure MX Record (Required for Email)

The MX record directs incoming email to Microsoft 365.

Microsoft's MX Record Requirements:

Type: MX
Priority: 0
Host/Name: @ (root domain) or leave blank
Points to: yourcompany-com.mail.protection.outlook.com
- Replace dots in your domain with dashes
- Example: contoso-com.mail.protection.outlook.com for contoso.com
TTL: 3600 (1 hour)

At Your DNS Provider:

Navigate to DNS records management
Remove or lower priority of existing MX records (critical step)
- If migrating from another email provider, document existing MX records first
- Either delete old MX records or change priority to 10 (higher number = lower priority)
Click Add Record → MX Record
Configure:
- Name/Host: @ or leave blank
- Priority: 0
- Mail Server/Points to: Your Microsoft 365 MX record
- TTL: 3600
Click Save

Verification:

Use MX Lookup tool: https://mxtoolbox.com/
Enter your domain (yourcompany.com)
Verify it returns Microsoft's mail servers with priority 0

Step 5: Configure SPF Record (Required for Email Authentication)

SPF (Sender Policy Framework) authorizes Microsoft 365 to send email on your behalf.

Microsoft's SPF Record:

Type: TXT
Host/Name: @ (root domain)
Value: v=spf1 include:spf.protection.outlook.com -all
TTL: 3600

Important SPF Rules:

Only ONE SPF record per domain (multiple SPF records break email)
If you have existing SPF record, merge them
Use -all (hard fail) for maximum protection
Use ~all (soft fail) only during testing

At Your DNS Provider:

Check for existing SPF record:
- Look for TXT record with value starting with v=spf1
- If found, you must merge (not add a second SPF record)
If no existing SPF record:
- Click Add Record → TXT Record
- Name: @ or leave blank
- Value: v=spf1 include:spf.protection.outlook.com -all
- TTL: 3600
- Click Save
If existing SPF record exists (e.g., for another mail service):
- Example existing: v=spf1 include:_spf.google.com ~all
- Merged: v=spf1 include:spf.protection.outlook.com include:_spf.google.com -all
- Edit the existing TXT record, don't add a new one
- Add include:spf.protection.outlook.com before -all

Verification:

Use SPF checker: https://mxtoolbox.com/spf.aspx
Should return: v=spf1 include:spf.protection.outlook.com -all

Step 6: Configure Autodiscover CNAME (Required for Outlook)

Autodiscover enables Outlook and mobile devices to automatically configure email settings.

Microsoft's Autodiscover Record:

Type: CNAME
Host/Name: autodiscover
Points to: autodiscover.outlook.com
TTL: 3600

At Your DNS Provider:

Click Add Record → CNAME Record
Configure:
- Name/Host: autodiscover
- Target/Points to: autodiscover.outlook.com
- TTL: 3600
Click Save

Note: Some DNS providers require fully qualified names:

Host: autodiscover.yourcompany.com
Target: autodiscover.outlook.com

Verification:

Use: https://testconnectivity.microsoft.com/
Select Outlook Autodiscover
Enter email address and credentials
Should successfully connect

Step 7: Configure DKIM CNAME Records (Highly Recommended)

DKIM (DomainKeys Identified Mail) adds digital signatures to outgoing email, proving authenticity.

Microsoft's DKIM Records (Two CNAMEs Required):

CNAME 1:
- Host: selector1._domainkey
- Points to: selector1-yourcompany-com._domainkey.contoso.onmicrosoft.com
CNAME 2:
- Host: selector2._domainkey
- Points to: selector2-yourcompany-com._domainkey.contoso.onmicrosoft.com

Get Your Specific DKIM Values:

In Microsoft 365 admin center, navigate to:
- Settings → Domains → Select your domain
- Click DNS records tab
- Find the two DKIM CNAME records
- Note the exact Host and Points to values

At Your DNS Provider:

Add First DKIM CNAME:
- Type: CNAME
- Name: selector1._domainkey
- Points to: (exact value from Microsoft 365)
- TTL: 3600
- Click Save
Add Second DKIM CNAME:
- Type: CNAME
- Name: selector2._domainkey
- Points to: (exact value from Microsoft 365)
- TTL: 3600
- Click Save

Step 8: Enable DKIM Signing in Microsoft 365

After adding DNS records:

Navigate to Microsoft 365 Defender portal: https://security.microsoft.com
Go to Email & collaboration → Policies & rules → Threat policies
Click DKIM under Rules
Select your custom domain
Click Sign messages for this domain with DKIM signatures
Toggle to Enabled
Click Rotate keys to generate signatures

Verification:

Send test email to external address (Gmail, Yahoo)
View email source/headers
Look for DKIM-Signature header
Use DKIM checker: https://mxtoolbox.com/dkim.aspx

Step 9: Configure DMARC TXT Record (Highly Recommended)

DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving servers what to do if SPF or DKIM fail.

Microsoft's DMARC Recommendation:

Type: TXT
Host/Name: _dmarc
Value: v=DMARC1; p=quarantine; rua=mailto:[email protected]
TTL: 3600

DMARC Policy Options:

p=none - Monitor only (recommended for initial deployment)
p=quarantine - Mark as spam if authentication fails (recommended)
p=reject - Reject email if authentication fails (maximum security)

Recommended DMARC Record:

v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

DMARC Tags Explained:

v=DMARC1 - Version (required)
p=quarantine - Policy for authentication failures
pct=100 - Apply policy to 100% of messages
rua= - Aggregate report email address
ruf= - Forensic (failure) report email address
fo=1 - Forensic report if either SPF or DKIM fails

At Your DNS Provider:

Click Add Record → TXT Record
Configure:
- Name: _dmarc
- Value: v=DMARC1; p=quarantine; rua=mailto:[email protected]
- TTL: 3600
Click Save

DMARC Implementation Strategy:

Phase 1 (Week 1-2): Monitor

v=DMARC1; p=none; rua=mailto:[email protected]

Phase 2 (Week 3-4): Quarantine partial

v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]

Phase 3 (Week 5+): Full quarantine

v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]

Phase 4 (Month 2+): Reject

v=DMARC1; p=reject; rua=mailto:[email protected]

Verification:

Use DMARC checker: https://mxtoolbox.com/dmarc.aspx
Monitor DMARC reports (rua email address)

Step 10: Configure Optional SRV Records (Teams/Skype)

Only needed if using Microsoft Teams calling features or Skype for Business federation.

SIP Federation SRV Record:

Type: SRV
Service: _sip
Protocol: _tls
Port: 443
Priority: 100
Weight: 1
Target: sipdir.online.lync.com

SIP Federation Discovery SRV Record:

Type: SRV
Service: _sipfederationtls
Protocol: _tcp
Port: 5061
Priority: 100
Weight: 1
Target: sipfed.online.lync.com

At Your DNS Provider:

Click Add Record → SRV Record
Configure first SRV:
- Name/Service: _sip._tls
- Priority: 100
- Weight: 1
- Port: 443
- Target: sipdir.online.lync.com
- TTL: 3600
Add second SRV record with values above

Note: Many organizations don't need SRV records unless specifically using Teams calling features.

Step 11: Verify DNS Configuration

Return to Microsoft 365 admin center
Navigate to Settings → Domains → Your domain
Click Start setup or Continue setup
Microsoft will verify all DNS records
Review status for each record:
- ✓ Green checkmark = configured correctly
- ✗ Red X = needs attention
If issues found:
- Click on the record for details
- Verify exact values match Microsoft's requirements
- Check for typos, extra spaces, incorrect hosts
- Wait for DNS propagation (15-60 minutes)
Once all records verified:
- Click Finish or Close
- Domain status changes to Healthy

Method 3: Provider-Specific Instructions

GoDaddy DNS Configuration

Access DNS Settings:

Log in to GoDaddy: https://godaddy.com
Click My Products
Find your domain → Click DNS

MX Record: 4. Under Records, click Add 5. Type: MX 6. Name: @ (leave blank) 7. Value: yourcompany-com.mail.protection.outlook.com 8. Priority: 0 9. TTL: 1 Hour 10. Click Save 11. Delete or lower priority of existing MX records

TXT Records (SPF, DMARC, Verification): 12. Click Add → TXT 13. Name: @ (for SPF) or _dmarc (for DMARC) 14. Value: Paste SPF or DMARC value 15. TTL: 1 Hour 16. Click Save

CNAME Records (Autodiscover, DKIM): 17. Click Add → CNAME 18. Name: autodiscover (or selector1._domainkey) 19. Value: autodiscover.outlook.com (or DKIM target) 20. TTL: 1 Hour 21. Click Save

SRV Records (if needed): 22. Click Add → SRV 23. Service: _sip 24. Protocol: _tls 25. Priority: 100 26. Weight: 1 27. Port: 443 28. Target: sipdir.online.lync.com 29. TTL: 1 Hour 30. Click Save

Cloudflare DNS Configuration

Access DNS Settings:

Log in to Cloudflare: https://dash.cloudflare.com
Select your domain
Click DNS tab

Important Cloudflare Settings: 4. Email Routing: Disable Cloudflare Email Routing if enabled 5. Proxy Status: Set all Microsoft 365 CNAMEs to DNS only (gray cloud)

MX Record: 6. Click Add record 7. Type: MX 8. Name: @ or yourcompany.com 9. Mail server: yourcompany-com.mail.protection.outlook.com 10. Priority: 0 11. TTL: Auto 12. Click Save

TXT Records: 13. Click Add record 14. Type: TXT 15. Name: @ (SPF) or _dmarc (DMARC) 16. Content: Paste SPF/DMARC value 17. TTL: Auto 18. Click Save

CNAME Records: 19. Click Add record 20. Type: CNAME 21. Name: autodiscover 22. Target: autodiscover.outlook.com 23. Proxy status: DNS only (gray cloud icon) ← CRITICAL 24. TTL: Auto 25. Click Save 26. Repeat for DKIM CNAMEs (selector1._domainkey, selector2._domainkey)

Critical: All Microsoft 365 CNAMEs must be set to DNS only (not proxied).

Namecheap DNS Configuration

Access DNS Settings:

Log in to Namecheap: https://namecheap.com
Click Domain List → Manage (your domain)
Click Advanced DNS tab

MX Record: 4. Find Mail Settings section 5. Select Custom MX 6. Click Add New Record 7. Priority: 0 8. Value: yourcompany-com.mail.protection.outlook.com 9. Click checkmark to save 10. Delete other MX records

TXT Records: 11. Under Host Records, click Add New Record 12. Type: TXT Record 13. Host: @ (for SPF) or _dmarc 14. Value: Paste SPF/DMARC value 15. TTL: Automatic 16. Click checkmark

CNAME Records: 17. Click Add New Record 18. Type: CNAME Record 19. Host: autodiscover 20. Target: autodiscover.outlook.com 21. TTL: Automatic 22. Click checkmark 23. Repeat for DKIM CNAMEs

Note: Namecheap automatically appends your domain to hosts. Use only the subdomain part (e.g., "autodiscover" not "autodiscover.yourcompany.com").

Google Domains DNS Configuration

Note: Google Domains is transitioning to Squarespace. These instructions apply to both.

Access DNS Settings:

Log in to Google Domains: https://domains.google.com
Click Manage (your domain)
Click DNS in left sidebar
Scroll to Custom resource records

MX Record: 5. Under Synthetic records, select Custom (not Google) 6. Or in Custom resource records: 7. Name: Leave blank (@) 8. Type: MX 9. TTL: 1H 10. Data: 0 yourcompany-com.mail.protection.outlook.com 11. Click Add

TXT Records: 12. Name: @ (SPF) or _dmarc 13. Type: TXT 14. TTL: 1H 15. Data: Paste SPF/DMARC value 16. Click Add

CNAME Records: 17. Name: autodiscover 18. Type: CNAME 19. TTL: 1H 20. Data: autodiscover.outlook.com 21. Click Add 22. Repeat for DKIM CNAMEs

Microsoft Azure DNS Configuration

If hosting DNS in Azure:

Via Azure Portal:

Navigate to Azure Portal: https://portal.azure.com
Search for DNS zones
Select your domain zone
Click + Record set

Via Azure CLI:

# MX Record
az network dns record-set mx add-record \
  --resource-group YourResourceGroup \
  --zone-name yourcompany.com \
  --record-set-name "@" \
  --preference 0 \
  --exchange yourcompany-com.mail.protection.outlook.com

# SPF TXT Record
az network dns record-set txt add-record \
  --resource-group YourResourceGroup \
  --zone-name yourcompany.com \
  --record-set-name "@" \
  --value "v=spf1 include:spf.protection.outlook.com -all"

# Autodiscover CNAME
az network dns record-set cname set-record \
  --resource-group YourResourceGroup \
  --zone-name yourcompany.com \
  --record-set-name autodiscover \
  --cname autodiscover.outlook.com

Via PowerShell:

# Connect to Azure
Connect-AzAccount

# Set variables
$resourceGroup = "YourResourceGroup"
$zoneName = "yourcompany.com"

# MX Record
New-AzDnsRecordSet -Name "@" -RecordType MX -ZoneName $zoneName `
  -ResourceGroupName $resourceGroup -Ttl 3600 `
  -DnsRecords (New-AzDnsRecordConfig -Exchange "yourcompany-com.mail.protection.outlook.com" -Preference 0)

# TXT Record (SPF)
New-AzDnsRecordSet -Name "@" -RecordType TXT -ZoneName $zoneName `
  -ResourceGroupName $resourceGroup -Ttl 3600 `
  -DnsRecords (New-AzDnsRecordConfig -Value "v=spf1 include:spf.protection.outlook.com -all")

# CNAME Record (Autodiscover)
New-AzDnsRecordSet -Name "autodiscover" -RecordType CNAME -ZoneName $zoneName `
  -ResourceGroupName $resourceGroup -Ttl 3600 `
  -DnsRecords (New-AzDnsRecordConfig -Cname "autodiscover.outlook.com")

Email Authentication Best Practices

SPF Best Practices

1. Keep SPF Records Concise:

SPF lookup limit: 10 DNS lookups
Each include: counts as a lookup
Avoid exceeding the limit (causes SPF to fail)

2. Use -all (Hard Fail):

v=spf1 include:spf.protection.outlook.com -all

~all (soft fail): Allows but marks suspicious
-all (hard fail): Rejects unauthorized senders
Use -all for maximum protection

3. Include Only Authorized Senders:

v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com include:sendgrid.net -all

List all legitimate email senders
Remove old/unused services

4. Monitor SPF Failures:

Review bounce messages for SPF failures
Use DMARC reports to identify unauthorized senders

DKIM Best Practices

1. Enable DKIM for All Domains:

Custom domains and subdomains
Even if only sending internal email

2. Rotate DKIM Keys Regularly:

Microsoft handles rotation automatically
Manual rotation: Once per year minimum

3. Monitor DKIM Signing:

Verify outgoing email includes DKIM-Signature header
Check receiving servers validate successfully

4. Use Both DKIM Selectors:

Microsoft provides selector1 and selector2
Enables key rotation without downtime

DMARC Best Practices

1. Start with Monitoring (p=none):

v=DMARC1; p=none; rua=mailto:[email protected]

Collect reports for 2-4 weeks
Identify legitimate mail sources
Find configuration issues

2. Gradually Increase Enforcement:

Week 1-2: p=none (monitor)
Week 3-4: p=quarantine; pct=25 (25% quarantine)
Week 5-6: p=quarantine; pct=100 (full quarantine)
Month 2+: p=reject (maximum protection)

3. Review DMARC Reports:

Aggregate reports (rua): Daily summaries
Forensic reports (ruf): Individual failures
Use DMARC analyzer tools or services

4. Subdomain Policy:

v=DMARC1; p=reject; sp=quarantine; rua=mailto:[email protected]

p= applies to main domain
sp= applies to subdomains
Allows different policies for subdomains

5. Alignment Requirements:

SPF alignment: Return-Path domain matches From domain
DKIM alignment: d= domain matches From domain
Relaxed vs Strict: Use relaxed alignment initially

Comprehensive Email Security Checklist

Troubleshooting

Issue 1: Domain Verification Fails

Symptoms:

"We couldn't verify your domain"
"TXT record not found"

Diagnosis:

Check DNS propagation:
- Use https://dnschecker.org
- Enter your domain and select TXT
- Verify MS= record appears
Verify TXT record syntax:
- Host: @ or blank (not "yourcompany.com")
- Value: Exact MS= string (no extra spaces)
- No quotes around value (unless required by provider)

Solutions:

Wait 15-30 minutes for DNS propagation
Verify TXT record host is @ or blank
Remove any extra characters or spaces
Try verification again
If still failing after 24 hours, check with DNS provider support

Issue 2: Email Not Being Received

Symptoms:

Senders receive "Address not found" or bounce messages
Email not arriving in Microsoft 365 mailboxes

Diagnosis:

Check MX record:

# Use MXToolbox
https://mxtoolbox.com/SuperTool.aspx?action=mx%3ayourcompany.com

Expected result: yourcompany-com.mail.protection.outlook.com with priority 0

Verify MX record priority:

Microsoft's MX must have priority 0 (lowest number)
Remove or set old MX records to priority 10+

Check mail flow in Microsoft 365:

Admin center → Health → Message trace
Enter recipient email address
Review message status

Solutions:

MX record missing: Add Microsoft's MX record
Wrong priority: Change Microsoft MX to priority 0
Old MX records active: Delete or lower priority (10+)
DNS not propagated: Wait up to 48 hours (usually 1-4 hours)
Mailbox not created: Verify user has Exchange license

Issue 3: Sent Email Marked as Spam

Symptoms:

Recipients report email in spam/junk folder
High spam score on outgoing messages
SPF/DKIM/DMARC failures in headers

Diagnosis:

Send test email to: mail-tester.com
- Follow their instructions
- Review spam score (aim for 8+/10)
Check email headers:
- Send email to Gmail/Outlook.com
- View original message/headers
- Look for: Authentication-Results

Expected headers:

Authentication-Results: spf=pass; dkim=pass; dmarc=pass

Verify SPF record:

# Check SPF
https://mxtoolbox.com/spf.aspx

Should return: v=spf1 include:spf.protection.outlook.com -all

Verify DKIM signing:

Check DKIM enabled in Microsoft 365 Defender
Look for DKIM-Signature in email headers

Verify DMARC policy:

# Check DMARC
https://mxtoolbox.com/dmarc.aspx

Solutions:

SPF failing: Verify SPF record includes spf.protection.outlook.com
DKIM failing:
- Add DKIM CNAMEs to DNS
- Enable DKIM signing in Microsoft 365 Defender
DMARC failing: Add DMARC TXT record
No authentication: Wait for DNS propagation
Multiple SPF records: Merge into single SPF record
Blacklisted IP: Check https://mxtoolbox.com/blacklists.aspx
- Request delisting if legitimately sending

Issue 4: Outlook Autodiscover Not Working

Symptoms:

Outlook prompts for credentials repeatedly
"Cannot connect to server" errors
Manual configuration required

Diagnosis:

Test Autodiscover:

Visit: https://testconnectivity.microsoft.com/
Select Outlook Autodiscover
Enter user's email and password
Click Perform Test
Review errors

Verify Autodiscover CNAME:

# Check CNAME
nslookup autodiscover.yourcompany.com

Expected: Points to autodiscover.outlook.com

Solutions:

CNAME missing: Add autodiscover CNAME to DNS
CNAME incorrect: Verify points to autodiscover.outlook.com
DNS not propagated: Wait 1-24 hours
Certificate warning:
- Normal if using CNAME (certificate is for outlook.com)
- Outlook will accept automatically
Cloudflare proxy: Set to DNS only (gray cloud)

Issue 5: DKIM Not Signing Email

Symptoms:

Email headers show no DKIM-Signature
DKIM validation fails for recipients

Diagnosis:

Check DKIM enabled:

Microsoft 365 Defender → Threat policies → DKIM
Verify domain shows Enabled

Verify DKIM CNAMEs:

# Check selector1
nslookup -type=CNAME selector1._domainkey.yourcompany.com

# Check selector2
nslookup -type=CNAME selector2._domainkey.yourcompany.com

Solutions:

DKIM CNAMEs missing: Add both selector CNAMEs to DNS
DKIM disabled: Enable in Microsoft 365 Defender
Wrong CNAME target: Verify exact target from admin center
DNS not propagated: Wait 1-24 hours
Cannot enable DKIM: CNAME records not detected yet

Issue 6: DMARC Failures Despite SPF/DKIM Pass

Symptoms:

SPF and DKIM pass, but DMARC fails
Email marked as suspicious

Diagnosis:

DMARC requires alignment:

SPF alignment: Return-Path domain matches From domain
DKIM alignment: DKIM d= domain matches From domain

Check email headers:

From: [email protected]
Return-Path: [email protected]  ← Alignment failure
DKIM d=yourcompany.onmicrosoft.com  ← Alignment failure

Solutions:

Configure custom domain for mailflow:

Microsoft 365 admin center → Settings → Domains
Select domain → Set as default
This ensures Return-Path uses custom domain

Update DMARC to relaxed alignment:

v=DMARC1; p=quarantine; aspf=r; adkim=r; rua=mailto:[email protected]

aspf=r - Relaxed SPF alignment (subdomain allowed)
adkim=r - Relaxed DKIM alignment (subdomain allowed)

Wait for propagation:

Changes take time to reflect
Monitor DMARC reports

Issue 7: DNS Changes Not Taking Effect

Symptoms:

Changes made hours ago still not working
Old DNS records still appearing in lookups

Diagnosis:

Check TTL (Time To Live):

Previous TTL determines cache time
If old record had TTL=86400 (24 hours), wait 24 hours

Verify changes saved:

Log back into DNS provider
Confirm records show updated values

Check global propagation:

Use https://dnschecker.org
Select record type and enter domain
Check multiple geographic locations

Check local DNS cache:

# Windows
ipconfig /flushdns

# macOS
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

# Linux
sudo systemd-resolve --flush-caches

Solutions:

TTL too high: Wait for TTL period to expire
Changes not saved: Verify and re-save changes
Propagation in progress: Wait up to 48 hours (usually 1-4 hours)
Cached locally: Flush local DNS cache
Wrong DNS server: Verify domain nameservers point to correct DNS provider

Advanced Configuration

Subdomain Configuration

If using subdomains for specific departments:

Example: marketing.yourcompany.com

Add subdomain to Microsoft 365:
- Admin center → Settings → Domains → Add domain
- Enter: marketing.yourcompany.com
Configure subdomain DNS records:
- MX: marketing-yourcompany-com.mail.protection.outlook.com
- SPF: v=spf1 include:spf.protection.outlook.com -all
- Autodiscover: CNAME to autodiscover.outlook.com
- DKIM: Two CNAMEs for subdomain
Update DMARC for subdomain policy:

v=DMARC1; p=reject; sp=quarantine; rua=mailto:[email protected]

p= policy for main domain
sp= policy for subdomains

Multiple Email Providers (Hybrid)

If routing some mailboxes to Microsoft 365 and others elsewhere:

Option 1: Subdomain Routing

Microsoft 365: [email protected]
On-premises: [email protected]

Option 2: MX Record Priority

Microsoft MX: Priority 0
Backup MX: Priority 10
Note: Backup MX often unnecessary with Microsoft 365's redundancy

Option 3: Mail Flow Connectors

Configure connector in Microsoft 365 Exchange admin center
Route specific domains/users to external servers

Custom Vanity URLs

Create friendly URLs for Microsoft 365 services:

Example: mail.yourcompany.com → Outlook Web Access

Add CNAME record:
- Host: mail
- Points to: outlook.office365.com
Configure in Exchange admin center:
- Mail flow → Accepted domains
- Set custom URL

Note: Requires additional SSL certificate configuration and Microsoft 365 plan support.

Email Encryption (TLS)

Microsoft 365 supports TLS encryption by default:

Verify TLS:

No DNS configuration required
Microsoft 365 automatically negotiates TLS with receiving servers

Force TLS for specific partners:

Exchange admin center → Mail flow → Connectors
Create connector requiring TLS
Specify partner domain

Next Steps and Related Resources

Post-Configuration Tasks

1. Test Email Functionality (First 24 Hours)

Send test email to external addresses (Gmail, Yahoo, Outlook.com)
Receive email from external senders
Test Outlook desktop automatic configuration
Test mobile device email setup
Verify email headers show SPF/DKIM/DMARC pass

2. Monitor DMARC Reports (First 2 Weeks)

Review aggregate reports daily
Identify legitimate mail sources
Find misconfigured services
Gradually increase DMARC enforcement

3. Configure Additional Exchange Settings

Anti-spam policies
Anti-malware policies
Transport rules
Mailbox permissions and delegation

4. User Training

Email signature setup
Outlook features and best practices
Phishing awareness
Mobile device configuration

5. Documentation

Document all DNS records
Record MX Toolbox verification results
Create runbook for future changes
Share configuration with team

Related Microsoft 365 Features

Exchange Online Protection:

Anti-spam and anti-malware filtering
Connection filtering and policy filtering
Enabled automatically with proper DNS

Advanced Threat Protection (Microsoft Defender for Office 365):

Safe Links and Safe Attachments
Anti-phishing policies
Real-time threat intelligence

Compliance Features:

Data Loss Prevention (DLP)
Retention policies
eDiscovery and legal hold
Audit logging

Microsoft Intune Integration:

Mobile device management
App protection policies
Conditional access for email

Monitoring and Maintenance

Weekly:

Review message trace for delivery issues
Check DMARC reports for authentication failures
Monitor spam/malware trends

Monthly:

Verify all DNS records still correct
Review SPF record for outdated includes
Update documentation

Quarterly:

Run MX Toolbox comprehensive checks
Review and update DMARC policy
Test Autodiscover functionality
Verify DKIM signing still active

Annually:

Review all DNS records for optimization
Update SPF to remove unused services
Consider tightening DMARC to p=reject
Audit mail flow connectors and rules

Additional Resources

Microsoft Documentation:

DNS and Email Testing Tools:

MX Toolbox: https://mxtoolbox.com/ (comprehensive DNS and email testing)
DNS Checker: https://dnschecker.org/ (global DNS propagation)
Microsoft Remote Connectivity Analyzer: https://testconnectivity.microsoft.com/
Mail Tester: https://www.mail-tester.com/ (spam score testing)
DMARC Analyzer: https://dmarcian.com/ (DMARC report analysis)

Email Authentication Standards:

SPF RFC 7208: https://tools.ietf.org/html/rfc7208
DKIM RFC 6376: https://tools.ietf.org/html/rfc6376
DMARC RFC 7489: https://tools.ietf.org/html/rfc7489

Security Best Practices:

Microsoft 365 Security Best Practices: https://docs.microsoft.com/microsoft-365/security/
CISA Email Authentication: https://www.cisa.gov/email-authentication

Professional Assistance

Configuring DNS for Microsoft 365 requires attention to detail and understanding of email authentication standards. Incorrect configuration can result in email delivery failures or security vulnerabilities. If you need assistance with:

Initial domain and DNS setup
Email migration from another provider
Complex hybrid email configurations
DMARC implementation and monitoring
SPF/DKIM troubleshooting
Email security optimization

Contact InventiveHQ for expert Microsoft 365 consulting and migration services. Our team can handle the entire DNS configuration process, ensuring reliable email delivery and optimal security while minimizing the risk of misconfiguration and downtime.

Configuring Domain and DNS Settings for Office 365

Overview

Prerequisites

Understanding DNS Records for Microsoft 365

Essential DNS Record Types

Microsoft 365 DNS Record Overview

Method 1: Automated Setup (Let Microsoft Manage DNS)

Step 1: Start the Domain Setup Wizard

Step 2: Verify Domain Ownership

Step 3: Complete Automated Setup

Method 2: Manual DNS Configuration (Universal Method)

Step 1: Start Domain Setup and Verify Ownership

Step 2: Add Verification TXT Record

Step 3: Choose DNS Records to Add

Step 4: Configure MX Record (Required for Email)

Step 5: Configure SPF Record (Required for Email Authentication)

Step 6: Configure Autodiscover CNAME (Required for Outlook)

Step 7: Configure DKIM CNAME Records (Highly Recommended)

Step 8: Enable DKIM Signing in Microsoft 365

Step 9: Configure DMARC TXT Record (Highly Recommended)

Step 10: Configure Optional SRV Records (Teams/Skype)

Step 11: Verify DNS Configuration

Method 3: Provider-Specific Instructions

GoDaddy DNS Configuration

Cloudflare DNS Configuration

Namecheap DNS Configuration

Google Domains DNS Configuration

Microsoft Azure DNS Configuration

Email Authentication Best Practices

SPF Best Practices

DKIM Best Practices

DMARC Best Practices

Comprehensive Email Security Checklist

Troubleshooting

Issue 1: Domain Verification Fails

Issue 2: Email Not Being Received

Issue 3: Sent Email Marked as Spam

Issue 4: Outlook Autodiscover Not Working

Issue 5: DKIM Not Signing Email

Issue 6: DMARC Failures Despite SPF/DKIM Pass

Issue 7: DNS Changes Not Taking Effect

Advanced Configuration

Subdomain Configuration

Multiple Email Providers (Hybrid)

Custom Vanity URLs

Email Encryption (TLS)

Next Steps and Related Resources

Post-Configuration Tasks

Related Microsoft 365 Features

Monitoring and Maintenance

Additional Resources

Professional Assistance

Frequently Asked Questions

Need Professional Help?

Related Articles

Configuring Conditional Access Policies in Office 365

Creating and Managing Shared Mailboxes in Office 365