External Domain Name Arrangement records for Office 365

  • Article
  • 9 minutes to read

Domain.

Want to see a customized list of DNS records for your Office 365 organization? You tin discover the info you need to create Function 365 DNS records for your domain in Office 365.

Need step-by-step help to add together these records at your domain'due south DNS host, such every bit GoDaddy or eNom? Find links to stride-past-step instructions for many popular DNS hosts.

Sticking around to use the reference list for your own custom deployment? The below listing should be used as a reference for your custom Office 365 deployment. You lot will need to select which records utilise to your organization and fill in the advisable values.

Go back to Network planning and operation tuning for Office 365.

Often the SPF and MX records are the hardest to figure out. We've updated our SPF records guidance at the end of this article. The important thing to think is that you can only have a single SPF record for your domain. You lot can have multiple MX records; however, that tin can cause problems for postal service delivery. Having a single MX record that directs e-mail to 1 post arrangement removes many potential problems.

The sections below are organized by service in Office 365. To see a customized list of the Office 365 DNS records for your domain, sign in to Part 365 and Gather the data you need to create Function 365 DNS records.

External DNS records required for Office 365 (core services)

Every Function 365 customer needs to add two records to their external DNS. The showtime CNAME tape ensures that Office 365 can direct workstations to authenticate with the appropriate identity platform. The second required record is to prove you ain your domain proper name.

DNS record
Purpose
Value to use
CNAME
(Suite)
Used by Office 365 to direct hallmark to the correct identity platform. More data
Note: This CNAME but applies to Function 365 operated by 21Vianet. If present and your Office 365 is not operated by 21Vianet, users on your custom domain will get a "custom domain isn't in our system" error and won't be able to activate their Office 365 license. More data		 Alias: msoid
Target: clientconfig.partner.microsoftonline-p.internet.cn
TXT
(Domain verification)
Used by Office 365 to verify but that you own your domain. It doesn't affect anything else.
Host: @ (or, for some DNS hosting providers, your domain name)
TXT Value: A text string provided past Office 365
The Office 365 domain setup sorcerer provides the values that you use to create this tape.

External DNS records required for e-mail in Office 365 (Exchange Online)

E-mail in Office 365 requires several unlike records. The 3 principal records that all customers should use are the Autodiscover, MX, and SPF records.

  • The Autodiscover tape allows client computers to automatically detect Commutation and configure the client properly.

  • The MX record tells other mail systems where to transport email for your domain. Note: When y'all change your email to Office 365, by updating your domain's MX record, ALL email sent to that domain will start coming to Function 365.
    Do you just want to switch a few email addresses to Office 365? You can Pilot Office 365 with a few email addresses on your custom domain.

  • The TXT record for SPF is used by recipient e-mail systems to validate that the server sending your electronic mail is one that you approve. This helps prevent issues similar email spoofing and phishing. Run across the External DNS records required for SPF in this article to help you empathise what to include in your tape.

Email customers who are using Exchange Federation will likewise need the additional CNAME and TXT tape listed at the bottom of the table.

DNS tape
Purpose
Value to employ
CNAME
(Exchange Online)
Helps Outlook clients to easily connect to the Substitution Online service by using the Autodiscover service. Autodiscover automatically finds the right Substitution Server host and configures Outlook for users.
Alias: Autodiscover
Target: autodiscover.outlook.com
MX
(Commutation Online)
Sends incoming postal service for your domain to the Substitution Online service in Office 365.
Note: In one case email is flowing to Exchange Online, you lot should remove the MX records that are pointing to your old system.		 Domain: For example, contoso.com
Target email server:<MX token>.post.protection.outlook.com
Preference/Priority: Lower than whatsoever other MX records (this ensures mail is delivered to Exchange Online) - for example 1 or 'low'
Find your <MX token> by post-obit these steps:
Sign in to Function 365, become to Office 365 admin > Domains.
In the Activeness column for your domain, choose Gear up issues.
In the MX records section, cull What do I ready?
Follow the directions on this page to update your MX record.
What is MX priority?
SPF (TXT)
(Substitution Online)
Helps to prevent other people from using your domain to send spam or other malicious email. Sender policy framework (SPF) records work by identifying the servers that are authorized to ship electronic mail from your domain.
External DNS records required for SPF
TXT
(Substitution federation)
Used for Commutation federation for hybrid deployment.
TXT record one: For example, contoso.com and associated custom-generated, domain-proof hash text (for example, Y96nu89138789315669824)
TXT tape two: For case, exchangedelegation.contoso.com and associated custom-generated, domain-proof hash text (for example, Y3259071352452626169)
CNAME
(Exchange federation)
Helps Outlook clients to easily connect to the Exchange Online service past using the Autodiscover service when your company is using Exchange federation. Autodiscover automatically finds the correct Exchange Server host and configures Outlook for your users.
Alias: For example, Autodiscover.service.contoso.com
Target: autodiscover.outlook.com

External DNS records required for Skype for Business Online

At that place are specific steps to have when y'all use Office 365 URLs and IP address ranges to make sure your network is configured correctly.

Note

These DNS records likewise apply to Teams, especially in a hybrid Teams and Skype for Concern scenario, where certain federation issues could arise.

DNS record
Purpose
Value to utilize
SRV
(Skype for Business concern Online)
Allows your Role 365 domain to share instant messaging (IM) features with external clients by enabling SIP federation. Read more than nigh Office 365 URLs and IP address ranges.
Service: sipfederationtls
Protocol: TCP
Priority: 100
Weight: 1
Port: 5061
Target: sipfed.online.lync.com
Notation: If the firewall or proxy server blocks SRV lookups on an external DNS, you should add together this record to the internal DNS record.
SRV
(Skype for Business organization Online)
Used past Skype for Business to coordinate the flow of information between Lync clients.
Service: sip
Protocol: TLS
Priority: 100
Weight: 1
Port: 443
Target: sipdir.online.lync.com
CNAME
(Skype for Business Online)
Used by the Lync customer to help observe the Skype for Business Online service and sign in.
Allonym: sip
Target: sipdir.online.lync.com
For more than information, see Part 365 URLs and IP address ranges.
CNAME
(Skype for Business Online)
Used by the Lync mobile client to assist observe the Skype for Business Online service and sign in.
Allonym: lyncdiscover
Target: webdir.online.lync.com

External DNS records required for Office 365 Unmarried Sign-On

DNS record
Purpose
Value to use
Host (A)
Used for unmarried sign-on (SSO). Information technology provides the endpoint for your off-premises users (and on-premises users, if you like) to connect to your Agile Directory Federation Services (AD FS) federation server proxies or load-balanced virtual IP (VIP).
Target: For instance, sts.contoso.com

External DNS records required for SPF

SPF records are TXT records that help to prevent other people from using your domain to ship spam or other malicious email. Sender policy framework (SPF) records work past identifying the servers that are authorized to transport email from your domain.

You tin but have one SPF record (that is, a TXT record that defines SPF) for your domain. That single record tin can have a few different inclusions but the total DNS lookups that result tin can't exist more than 10 (this helps prevent deprival of service attacks). See the table and other examples beneath to help yous create or update the right SPF tape values for your environs.

Structure of an SPF record

All SPF records contain three parts: the announcement that it is an SPF record, the domains, and IP addresses that should be sending e-mail, and an enforcement dominion. You need all three in a valid SPF record. Here'southward an example of a common SPF record for Office 365 when you use but Substitution Online email:

              TXT Name @ Values: v=spf1 include:spf.protection.outlook.com -all

An e-mail organization that receives an email from your domain looks at the SPF record, and if the email server that sent the message was an Office 365 server, the bulletin is accepted. If the server that sent the message was your one-time mail organization or a malicious organisation on the Cyberspace, for example, the SPF cheque might neglect and the message wouldn't be delivered. Checks like this help to foreclose spoofing and phishing messages.

Choose the SPF record structure you need

For scenarios where you lot're not only using Substitution Online electronic mail for Function 365 (for example, when you use email originating from SharePoint Online likewise), use the following table to determine what to include in the value of the record.

Number If you lot're using…
Purpose
Add these includes
ane
All email systems (required)
All SPF records beginning with this value
5=spf1
two
Exchange Online (common)
Use with just Exchange Online
include:spf.protection.outlook.com
3
Third-party electronic mail system (less common)
include:<electronic mail organisation like mail.contoso.com>
four
On-bounds mail system (less common)
Use if you're using Exchange Online Protection or Exchange Online plus some other postal service system
ip4:<0.0.0.0>
ip6:< : : >
include:<mail.contoso.com>
The value in brackets (<>) should exist other mail systems that will send e-mail for your domain.
5
All email systems (required)
-all

Instance: Adding to an existing SPF record

If you already have an SPF record, you'll need to add or update values for Office 365. For example, say your existing SPF record for contoso.com is this:

              TXT Name @ Values: v=spf1 ip4:60.200.100.30 include:smtp.adatum.com -all

Now you're updating your SPF record for Office 365. You'll edit your current record so you have an SPF tape that includes the values that y'all need. For Office 365, "spf.protection.outlook.com".

Right:

              TXT Proper noun @ Values: v=spf1 ip4:60.200.100.thirty include:spf.protection.outlook.com include:smtp.adatum.com -all

Incorrect:

              Record 1: TXT Proper noun @ Values: five=spf1 ip4:lx.200.100.thirty include:smtp.adatum.com -all Record two: Values: v=spf1 include:spf.protection.outlook.com -all

More examples of common SPF values

If y'all are using the full Role 365 suite and are using MailChimp to send marketing emails on your behalf, your SPF tape at contoso.com might look similar the following, which uses rows 1, 3, and 5 from the table above. Remember, rows 1 and 5 are required.

              TXT Proper noun @ Values: v=spf1 include:spf.protection.outlook.com include:servers.mcsv.internet -all

Alternatively, if you have an Exchange Hybrid configuration where email will exist sent from both Part 365 and your on-premises mail service arrangement, your SPF record at contoso.com might expect like this:

              TXT Name @ Values: 5=spf1 include:spf.protection.outlook.com include:mail.contoso.com -all

These are some common examples that can help you adapt your existing SPF record when you add your domain to Office 365 for email. If you have a complicated scenario that includes, for example, edge email servers for managing email traffic across your firewall, you lot'll have a more detailed SPF record to ready up. Acquire how: Prepare up SPF records in Office 365 to assist foreclose spoofing.

Here'south a brusk link yous can use to come back: https://aka.ms/o365edns