Microsoft 365 Email: Domain Setup Guide

## Microsoft 365: Outlook and Exchange Under Your Own Domain

Microsoft 365 (formerly Office 365) brings Exchange Online, Outlook, Teams, and the full Office suite together under your custom domain. For organizations already invested in the Microsoft ecosystem — or those with Windows-centric IT environments — it's the natural choice for professional email.

This guide provides complete DNS configuration instructions: domain verification, MX records, Autodiscover, SPF record, DKIM, and DMARC. Unlike Google Workspace (which uses the same MX record set for everyone), Microsoft 365 generates tenant-specific hostnames, so you'll need the exact values from your admin center.

## Prerequisites

Before starting:

- A Microsoft 365 subscription (Business Basic at $6/user/month is sufficient for email)
- Access to your domain's DNS (Domain Name System) management panel
- Your Microsoft 365 tenant name (shown in the Microsoft 365 Admin Center)

Your tenant name is the `yourdomain` part of your default `yourdomain.onmicrosoft.com` address, assigned when you created your account.

## Step 1: Add Your Domain to Microsoft 365

1. Sign in to the **Microsoft 365 Admin Center** (admin.microsoft.com)
2. Navigate to **Settings > Domains**
3. Click **Add domain**
4. Enter your domain name and click **Use this domain**

Microsoft will walk you through a wizard. Keep the admin center open alongside your DNS provider's control panel.

## Step 2: Verify Domain Ownership

Microsoft requires a TXT record to confirm domain ownership:

```
Type: TXT
Host: @
Value: MS=msXXXXXXXX
TTL: 3600
```

The exact value (beginning with `MS=ms`) is shown in the Microsoft 365 wizard. It's unique to your tenant.

After adding the record, click **Verify** in the wizard. Microsoft's DNS checker retries automatically every few minutes. If verification fails initially, wait 10–15 minutes and try again — DNS propagation may not be complete.

### Alternative: MX Verification

If you prefer not to add a TXT record, Microsoft also supports domain verification via a temporary MX record. This is less common but useful if your DNS provider limits TXT records.

## Step 3: Remove Existing MX Records

Delete all existing MX records from your domain before adding Microsoft's. Leaving old records in place causes split delivery — some email reaches your new Microsoft mailboxes, some goes to the old server.

If you're migrating an existing email setup (from Google Workspace, a cPanel host, or Zoho), export any emails you need to keep before changing MX records, since you'll lose access to the old mailboxes once delivery changes.

## Step 4: Add Microsoft 365 MX Record

Unlike Google's five MX records, Microsoft uses a single record with a tenant-specific hostname:

```
Type: MX
Host: @
Points to: yourdomain-com.mail.protection.outlook.com
Priority: 0
TTL: 3600
```

The `yourdomain-com` portion is derived from your domain name (with the dot replaced by a hyphen). The exact value is shown in the Microsoft 365 wizard — copy it from there to avoid typos.

Set the TTL (Time To Live) to 300 seconds (5 minutes) during initial setup to speed up DNS propagation testing. Raise it to 3600 after confirming everything works.

## Step 5: Add the Autodiscover CNAME Record

The Autodiscover service allows Outlook, mobile apps, and other clients to automatically configure themselves when you enter your email address and password. Without this record, users must manually enter IMAP/SMTP server settings.

```
Type: CNAME
Host: autodiscover
Value: autodiscover.outlook.com
TTL: 3600
```

This CNAME record points `autodiscover.yourdomain.com` to Microsoft's autodiscover endpoint. When Outlook needs to find the mail server, it checks this address automatically.

## Step 6: Configure SPF

Add an SPF record to authorize Microsoft's servers to send email from your domain:

```
Type: TXT
Host: @
Value: v=spf1 include:spf.protection.outlook.com -all
```

Microsoft recommends `-all` (hard fail) rather than `~all` (soft fail) for Exchange Online. This is stricter — email from any server not listed in the SPF record will be rejected rather than merely marked suspicious.

**If you send email from additional sources** (marketing platforms, transactional email services, CRMs), you must include their SPF domains as well:

```
v=spf1 include:spf.protection.outlook.com include:sendgrid.net include:mailchimp.com -all
```

Remember: only one SPF TXT record is allowed per domain. Merge all sources into a single record.

## Step 7: Enable and Configure DKIM

DKIM in Microsoft 365 requires two CNAME record entries (rather than a TXT record like most providers). Microsoft automatically signs outbound email once these CNAMEs are in place.

First, enable DKIM in the Microsoft 365 Defender portal:

1. Go to **security.microsoft.com**
2. Navigate to **Email & Collaboration > Policies & Rules > Threat policies**
3. Select **Email authentication settings**
4. Click on your domain
5. Click **Enable** under DKIM

Before you can enable DKIM, Microsoft requires you to add two CNAME records to your DNS:

```
Type: CNAME
Host: selector1._domainkey
Value: selector1-yourdomain-com._domainkey.youronmicrosoftdomain.onmicrosoft.com
TTL: 3600

Type: CNAME
Host: selector2._domainkey
Value: selector2-yourdomain-com._domainkey.youronmicrosoftdomain.onmicrosoft.com
TTL: 3600
```

The exact values for your tenant are shown in the Microsoft 365 Defender portal. The CNAMEs point to Microsoft-managed TXT records, which allows Microsoft to rotate DKIM keys without requiring you to update your DNS.

After adding the CNAMEs, return to the portal and click **Enable**. Activation may take a few minutes.

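Returning to the merged SPF record from Step 6: the following is an added example, not part of the original guide or any Microsoft tooling, that lints a record offline for the single-record rule, the `-all` ending, and the 10-lookup limit of RFC 7208, counting nested includes as well. The zone contents, `mailer.example` and its pool hosts are constructed assumptions; in practice you would fill the dictionary from real TXT lookups.

```python
# Added example: offline SPF linter. ZONE is constructed sample data, not real DNS
# answers; mailer.example and its pools are hypothetical third-party senders.
ZONE = {
    "yourdomain.com": ["MS=msXXXXXXXX",  # verification TXT, ignored by the linter
                       "v=spf1 include:spf.protection.outlook.com include:mailer.example -all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "mailer.example": ["v=spf1 include:pool1.mailer.example include:pool2.mailer.example mx ~all"],
    "pool1.mailer.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "pool2.mailer.example": ["v=spf1 a ~all"],
}

# Terms that cost one DNS lookup each during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_records(domain, zone):
    """Return the TXT strings at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Count lookup-consuming terms, following include/redirect into other domains."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:   # include loop, missing or ambiguous record
        return 0
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?").lower().replace("=", ":", 1)
        name, _, target = term.partition(":")
        name = name.split("/")[0]             # "a/24" -> "a"
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and target:
                total += count_lookups(target, zone, path + (domain,))
    return total

def lint_spf(domain, zone):
    """Return a list of findings; an empty list means every check passed."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return [f"expected exactly 1 SPF record, found {len(records)}"]
    findings = []
    last = records[0].split()[-1]
    if last.lower() != "-all":
        findings.append(f"record ends with {last!r}, not '-all'")
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups, limit is 10")
    return findings

print(lint_spf("yourdomain.com", ZONE), count_lookups("yourdomain.com", ZONE))
```
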
## Step 8: Configure DMARC

DMARC coordinates SPF and DKIM and provides reporting. Add this TXT record:

```
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]; fo=1
TTL: 3600
```

Start with `p=none` to collect reports without affecting delivery. After reviewing aggregate reports (typically delivered daily) and confirming all legitimate email passes authentication, progress to:

- `p=quarantine` — Failing messages go to the spam/junk folder
- `p=reject` — Failing messages are blocked entirely

Microsoft 365 includes a built-in DMARC reporting dashboard in the Microsoft 365 Defender portal, making it easier to monitor authentication results without third-party tools.

## Step 9: Optional — Skype for Business / Teams SIP Records

If your organization uses Microsoft Teams Phone (formerly Skype for Business), you may need additional DNS (Domain Name System) records:

```
Type: SRV
Service: _sip
Protocol: _tls
Name: yourdomain.com
Target: sipdir.online.lync.com
Port: 443
Priority: 100
Weight: 1

Type: SRV
Service: _sipfederationtls
Protocol: _tcp
Name: yourdomain.com
Target: sipfed.online.lync.com
Port: 5061
Priority: 100
Weight: 1

Type: CNAME
Host: sip
Value: sipdir.online.lync.com

Type: CNAME
Host: lyncdiscover
Value: webdir.online.lync.com
```

These are only needed for voice and Teams meeting features, not for email.

## Step 10: Create Mailboxes and Test

In the Microsoft 365 Admin Center:

1. Navigate to **Users > Active users**
2. Click **Add a user**
3. Fill in name, username, and password
4. Assign a Microsoft 365 license

Once created, send test emails in both directions. Check email headers by opening a message in Outlook, clicking the three dots (…), and selecting **View message source** or **View message details**. Look for:

```
Authentication-Results: spf=pass; dkim=pass; dmarc=pass action=none
```

Use DNS Record Helper to verify all your DNS records are propagated correctly.

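To check the `Authentication-Results` header from Step 10 across many test messages rather than by eye, here is a small parser, added as an example and not taken from the original guide. Both sample headers are constructed, and `mx.receiver.example` is a hypothetical receiving server.

```python
import re

# Constructed sample headers in the shape shown in Step 10 (not captured mail).
PASSING = (
    "Authentication-Results: spf=pass (sender IP is 192.0.2.10)\r\n"
    " smtp.mailfrom=yourdomain.com; dkim=pass (signature was verified)\r\n"
    " header.d=yourdomain.com; dmarc=pass action=none header.from=yourdomain.com"
)
FAILING = (
    "Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=yourdomain.com;"
    " dkim=none (message not signed); dmarc=fail action=quarantine header.from=yourdomain.com"
)


def parse_authentication_results(header):
    """Map each method (spf, dkim, dmarc, ...) to a list of result dicts."""
    value = header.split(":", 1)[1]                 # drop the field name
    value = re.sub(r"\([^()]*\)", " ", value)       # drop parenthesised comments
    results = {}
    for clause in value.split(";"):
        tokens = clause.split()                     # also unfolds CRLF continuations
        if not tokens or "=" not in tokens[0]:
            continue                                # authserv-id or empty clause
        method, result = tokens[0].split("=", 1)
        entry = {"result": result.lower()}
        entry.update(t.split("=", 1) for t in tokens[1:] if "=" in t)
        # A message can carry several DKIM signatures, so keep every result.
        results.setdefault(method.lower(), []).append(entry)
    return results


def failed_checks(header, required=("spf", "dkim", "dmarc")):
    """Return the required methods that have no 'pass' result in the header."""
    results = parse_authentication_results(header)
    return [m for m in required
            if not any(r["result"] == "pass" for r in results.get(m, []))]


for sample in (PASSING, FAILING):
    print(failed_checks(sample) or "all checks passed")
```
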
## Microsoft 365 DNS Checklist

| Record | Type | Required | Purpose |
|---|---|---|---|
| Domain verification | TXT | Setup only | Prove domain ownership |
| MX record | MX | Yes | Email delivery routing |
| Autodiscover | CNAME | Strongly recommended | Client auto-configuration |
| SPF | TXT | Yes | Sender authorization |
| DKIM selector1 | CNAME | Yes | Email signing |
| DKIM selector2 | CNAME | Yes | Key rotation |
| DMARC | TXT | Recommended | Policy enforcement |

## Common Microsoft 365 DNS Issues

**CNAME for DKIM not propagating**: CNAMEs can take longer to propagate than TXT records. Wait at least 30 minutes before checking DKIM status in the Defender portal.

**Autodiscover conflicts**: If you previously hosted email elsewhere and have an existing `autodiscover` CNAME or A record, delete it before adding Microsoft's version.

**MX record hostname format**: Some DNS providers struggle with the long Microsoft MX hostname. Copy and paste directly from the admin center — don't retype it.

**SPF lookup limit**: SPF records have a maximum of 10 DNS lookups. Each `include:` counts as one. If you have many senders, use SPF flattening tools to reduce lookup count.

## Microsoft 365 Plans for Email

| Plan | Price | Email Storage | Office Apps |
|---|---|---|---|
| Business Basic | $6/user/month | 50 GB | Web only |
| Business Standard | $12.50/user/month | 50 GB | Desktop + Web |
| Business Premium | $22/user/month | 50 GB + archive | Desktop + Security |

For email-only needs, Business Basic is sufficient. The 50 GB per mailbox (vs Google's pooled model) can be an advantage for organizations with heavy email users.

## Next Steps

- **MX Records Deep Dive: Email Routing Explained** — Why MX records have priority numbers
- **SPF, DKIM, DMARC: Email Authentication Trilogy** — Deep dive into email authentication
- **Google Workspace Email: Domain Configuration** — Compare Microsoft's approach to Google's
- **Email Deliverability: How Domain Reputation Matters** — Maintain strong sender reputation