March 28, 2024

SamTech 365


External Domain Name System records for Office 365

Sticking around to use the reference list for your own custom deployment? The below list should be used as a reference for your custom Office 365 deployment. You will need to select which records apply to your organization and fill in the appropriate values. Often the SPF and MX records are the hardest to figure out. We’ve updated our SPF records guidance at the end of this article. The important thing to remember is that you can only have a single SPF record for your domain. You can have multiple MX records; however, that can cause problems for mail delivery. Having a single MX record that directs email to one mail system removes many potential problems.

The sections below are organized by service in Office 365. To see a customized list of the Office 365 DNS records for your domain, sign in to Office 365 and find the specific info you need to create records for your domain.

External DNS records required for Office 365 (core services)

Every Office 365 customer needs to add two records to their external DNS. The first CNAME record ensures that Office 365 can direct workstations to authenticate with the appropriate identity platform. The second required record is to prove you own your domain name.

DNS record: CNAME (Suite)
Purpose: Used by Office 365 to direct authentication to the correct identity platform.
Value to use:
  Alias: msoid
  Target: clientconfig.microsoftonline-p.net

DNS record: TXT (Domain verification)
Purpose: Used by Office 365 to verify only that you own your domain. It doesn’t affect anything else.
Value to use:
  Host: @ (or, for some DNS hosting providers, your domain name)
  TXT Value: A text string provided by Office 365
  The Office 365 domain setup wizard provides the values that you use to create this record.

External DNS records required for email in Office 365 (Exchange Online)

Email in Office 365 requires several different records. The three primary records that all customers should use are the Autodiscover, MX, and SPF records.

  • The Autodiscover record allows client computers to automatically find Exchange and configure the client properly.
  • The MX record tells other mail systems where to send email for your domain. When you change your email to Office 365, by updating your domain’s MX record, ALL email sent to that domain will start coming to Office 365. (Do you just want to switch a few email addresses to Office 365? You can take steps to pilot Office 365 with just a few email addresses instead.)
  • The TXT record for SPF is used by recipient email systems to validate that the server sending your email is one that you approve. This helps prevent problems like email spoofing and phishing. See the SPF records section in this article for help understanding what to include in your record.

Email customers who are using Exchange Federation will also need the additional CNAME and TXT records listed at the bottom of the table.

DNS record: CNAME (Exchange Online)
Purpose: Helps Outlook clients to easily connect to the Exchange Online service by using the Autodiscover service. Autodiscover automatically finds the correct Exchange Server host and configures Outlook for users.
Value to use:
  Alias: Autodiscover
  Target: autodiscover.outlook.com

DNS record: MX (Exchange Online)
Purpose: Sends incoming mail for your domain to the Exchange Online service in Office 365.
Note: Once email is flowing to Exchange Online, you should remove the MX records that are pointing to your old system.
Value to use:
  Domain: For example, contoso.com
  Target email server: <MX token>.mail.protection.outlook.com
  Preference/Priority: lower than any other MX records (this ensures mail is delivered to Exchange Online) – for example 1 or ‘low’

Find your <MX token> by following these steps:

  • Sign in to Office 365, go to Office 365 admin > Domains.
  • In the Action column for your domain, choose Fix issues.
  • In the MX records section, choose What do I fix?
  • Follow the directions on this page to update your MX record.

DNS record: SPF (TXT) (Exchange Online)
Purpose: Helps to prevent other people from using your domain to send spam or other malicious email. Sender policy framework (SPF) records work by identifying the servers that are authorized to send email from your domain.
Value to use: See External DNS records required for SPF.

DNS record: TXT (Exchange federation)
Purpose: Used for Exchange federation for hybrid deployment.
Value to use:
  TXT record 1: For example, contoso.com and associated custom-generated, domain-proof hash text (for example, Y96nu89138789315669824)
  TXT record 2: For example, exchangedelegation.contoso.com and associated custom-generated, domain-proof hash text (for example, Y3259071352452626169)

DNS record: CNAME (Exchange federation)
Purpose: Helps Outlook clients to easily connect to the Exchange Online service by using the Autodiscover service when your company is using Exchange federation. Autodiscover automatically finds the correct Exchange Server host and configures Outlook for your users.
Value to use:
  Alias: For example, Autodiscover.service.contoso.com
  Target: autodiscover.outlook.com

External DNS records required for Skype for Business Online

There are specific steps to take when you set up your network for Skype for Business Online to make sure your network is configured correctly.

DNS record: SRV (Skype for Business Online)
Purpose: Allows your Office 365 domain to share instant messaging (IM) features with external clients by enabling SIP federation. Read more about Skype networking.
Value to use:
  Service: _sipfederationtls
  Protocol: _TCP
  Priority: 100
  Weight: 1
  Port: 5061
  Target: Sipfed.online.lync.com
Note: If the firewall or proxy server blocks SRV lookups on an external DNS, you should add this record to the internal DNS record.

DNS record: SRV (Skype for Business Online)
Purpose: Used by Skype for Business to coordinate the flow of information between Lync clients.
Value to use:
  Service: _sip
  Protocol: _TLS
  Priority: 100
  Weight: 1
  Port: 443
  Target: sipdir.online.lync.com

DNS record: CNAME (Skype for Business Online)
Purpose: Used by the Lync client to help find the Skype for Business Online service and sign in.
Value to use:
  Alias: sip
  Target: sipdir.online.lync.com
For more information, see Set up your network for Skype for Business Online.

DNS record: CNAME (Skype for Business Online)
Purpose: Used by the Lync mobile client to help find the Skype for Business Online service and sign in.
Value to use:
  Alias: lyncdiscover
  Target: webdir.online.lync.com

External DNS records required for SharePoint Online

SharePoint Online only requires a DNS record if your organization uses SharePoint Online to send email to people externally. In this case, make sure you’ve set up an SPF record so the mail can be delivered.

External DNS records required for Office 365 Single Sign-On

DNS record: Host (A)
Purpose: Used for single sign-on (SSO). It provides the endpoint for your off-premises users (and on-premises users, if you like) to connect to your Active Directory Federation Services (AD FS) federation server proxies or load-balanced virtual IP (VIP).
Value to use:
  Target: For example, sts.contoso.com

External DNS records required for SPF

Important: SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF cannot protect against. In order to protect against these, once you have set up SPF, you should also configure DKIM and DMARC for Office 365. To get started, see Use DKIM to validate outbound email sent from your domain in Office 365. Next, see Use DMARC to validate email in Office 365.

SPF records are TXT records that help to prevent other people from using your domain to send spam or other malicious email. Sender policy framework (SPF) records work by identifying the servers that are authorized to send email from your domain.

You can only have one SPF record (that is, a TXT record that defines SPF) for your domain. That single record can have a few different inclusions but the total DNS lookups that result can’t be more than 10 (this helps prevent denial of service attacks). See the table and other examples below to help you create or update the right SPF record values for your environment.

Structure of an SPF record

All SPF records contain three parts: the declaration that it is an SPF record, the domains and IP addresses that should be sending email, and an enforcement rule. You need all three in a valid SPF record. Here’s an example of a common SPF record for Office 365 when you use only Exchange Online email:

TXT Name @ 
Values: v=spf1 include:spf.protection.outlook.com -all

An email system that receives an email from your domain looks at the SPF record, and if the email server that sent the message was an Office 365 server, the message is accepted. If the server that sent the message was your old mail system or a malicious system on the Internet, for example, the SPF check might fail and the message wouldn’t be delivered. Checks like this help prevent spoofing and phishing messages.

Choose the SPF record structure you need

For scenarios where you’re not just using Exchange Online email for Office 365 (for example, when you use email originating from SharePoint Online as well), use the following table to determine what to include in the value of the record.

Note: If you have a complicated scenario that includes, for example, edge email servers for managing email traffic across your firewall, you’ll have a more detailed SPF record to set up. Learn how: Set up SPF records in Office 365 to help prevent spoofing. You can also learn much more about how SPF works with Office 365 by reading How Office 365 uses Sender Policy Framework (SPF) to help prevent spoofing.

Row 1
  If you’re using: All email systems (required)
  Purpose: All SPF records start with this value
  Add these includes: v=spf1

Row 2
  If you’re using: Exchange Online (common)
  Purpose: Use with just Exchange Online
  Add these includes: include:spf.protection.outlook.com

Row 3
  If you’re using: SharePoint Online and Exchange Online (common)
  Purpose: Use with Exchange Online and SharePoint Online
  Add these includes: include:sharepointonline.com

Row 4
  If you’re using: Third party email system (less common)
  Add these includes: include:<email system like mail.contoso.com>

Row 5
  If you’re using: On-premises mail system (less common)
  Purpose: Use if you’re using Exchange Online Protection or Exchange Online plus another mail system
  Add these includes:
    ip4:<0.0.0.0>
    ip6:< : : >
    include:<mail.contoso.com>
  The value in brackets (<>) should be other mail systems that will send email for your domain.

Row 6
  If you’re using: All email systems (required)
  Add these includes: -all

Example: Adding to an existing SPF record

If you already have an SPF record, you’ll need to add or update values for Office 365. For example, say your existing SPF record for contoso.com is this:

TXT Name @
Values: v=spf1 ip4:60.200.100.30 include:spf.protection.outlook.com -all

Now you’re updating your SPF record for Office 365, for example, to include email that originates from SharePoint Online. You’ll edit your current record so you have a single SPF record that includes the values that you need. For Office 365, “sharepointonline.com” in an SPF record includes email from both Exchange Online (Outlook) and SharePoint Online, so you replace the original “spf.protection.outlook.com” value.

Correct:

TXT Name @
Values: v=spf1 ip4:60.200.100.30 include:sharepointonline.com -all

Incorrect:

Record 1:
TXT Name @
Values: v=spf1 ip4:60.200.100.30 include:spf.protection.outlook.com -all
Record 2:
Values: v=spf1 include:sharepointonline.com -all
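
A check for the SPF rules described in this section, added here as an example (it is not part of the original article or of any Microsoft tooling): exactly one SPF record per domain, the -all enforcement rule typed with an ASCII hyphen, and no more than 10 DNS lookups. The domain names ok.example, split.example and dash.example and all zone contents are constructed so the check runs offline; a live check would fetch the TXT records from DNS instead.

```python
import re

# Terms that each cost one DNS lookup (RFC 7208 section 4.6.4); the limit is 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

def spf_records(txt_values):
    """Keep only the TXT strings whose first term is the v=spf1 declaration."""
    return [t for t in txt_values if (t.split() or [""])[0].lower() == "v=spf1"]

def count_lookups(record, zone, seen=None):
    """Count lookup-costing terms, following include:/redirect= through zone."""
    seen, total = (set() if seen is None else seen), 0
    for term in record.split()[1:]:
        parts = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)
        mech = parts[0].lower()
        if mech in LOOKUP_TERMS:
            total += 1
            if mech in ("include", "redirect") and len(parts) == 2 and parts[1] not in seen:
                seen.add(parts[1])  # guards against include loops
                for child in spf_records(zone.get(parts[1], [])):
                    total += count_lookups(child, zone, seen)
    return total

def check_domain(domain, zone):
    """Return findings for the domain's SPF setup; an empty list means it passes."""
    records = spf_records(zone.get(domain, []))
    if len(records) != 1:
        return [f"{len(records)} SPF records published; exactly one is required"]
    findings, last = [], records[0].split()[-1]
    if last[0] in "\u2013\u2014" and last[1:].lower() == "all":
        findings.append("enforcement rule uses a typographic dash instead of '-'")
    elif last != "-all":
        findings.append(f"record ends with {last!r}, not the -all enforcement rule")
    lookups = count_lookups(records[0], zone)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}")
    return findings

# Constructed zone data standing in for live DNS; these are not real DNS answers.
ZONE = {
    "ok.example": ["v=spf1 ip4:60.200.100.30 include:sharepointonline.com -all"],
    "split.example": ["v=spf1 ip4:60.200.100.30 include:spf.protection.outlook.com -all",
                      "v=spf1 include:sharepointonline.com -all"],
    "dash.example": ["v=spf1 ip4:60.200.100.30 include:sharepointonline.com \u2013all"],
    "sharepointonline.com": ["v=spf1 include:spf.protection.outlook.com -all"],
}

for name in ("ok.example", "split.example", "dash.example"):
    print(name, check_domain(name, ZONE) or "OK")
```

The dash check catches records pasted from a word processor or web page that has turned the hyphen in -all into an en or em dash, which receivers do not read as the enforcement rule.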

More examples of common SPF values

If you are using the full Office 365 suite and are using MailChimp to send marketing emails on your behalf, your SPF record at contoso.com might look like the following, which uses rows 1, 3, 4, and 6 from the table above. Remember, rows 1 and 6 are required, and “sharepointonline.com” includes both Exchange (Outlook) and SharePoint email.

TXT Name @ 
Values: v=spf1 include:sharepointonline.com include:servers.mcsv.net -all

Alternatively, if you have an Exchange Hybrid configuration where email will be sent from both Office 365 and your on-premises mail system, your SPF record at contoso.com might look like this:

TXT Name @ 
Values: v=spf1 include:sharepointonline.com include:mail.contoso.com -all

These are some common examples that can help you adapt your existing SPF record when you add your domain to Office 365 for email. If you have a complicated scenario that includes, for example, edge email servers for managing email traffic across your firewall, you’ll have a more detailed SPF record to set up. Learn how: Set up SPF records in Office 365 to help prevent spoofing.