What DNS Records Should Be for Office 365?

What DNS Records Should Be for Office 365?

To send and receive email through Microsoft Office 365 (Microsoft 365), you need to add Microsoft's servers to your SPF record using include:spf.protection.outlook.com, add Microsoft's DKIM record at selector1._domainkey.yourdomain.com, configure DMARC, and set MX records to Office 365 mail servers. These DNS records authenticate emails and ensure proper email delivery through Office 365.

Quick Answer

For Office 365, add include:spf.protection.outlook.com to your SPF record, add Microsoft's DKIM record at selector1._domainkey.yourdomain.com, configure DMARC, and set MX records to Office 365 mail servers (yourdomain-com.mail.protection.outlook.com). These records authenticate emails and ensure proper delivery.

Understanding Office 365 DNS Records

Microsoft Office 365 (Microsoft 365) is a business email and productivity suite that handles both sending and receiving email for your domain. To ensure emails are properly authenticated and achieve maximum deliverability, you need to configure specific DNS records that authorize Microsoft's servers and verify email authenticity.

Required DNS Records for Office 365

1. SPF Record (Sender Policy Framework)

What it does: The SPF record authorizes Microsoft's mail servers to send email on behalf of your domain. Without this, receiving servers may reject or filter emails sent through Office 365.

How to configure:

1. Log into your DNS provider's dashboard (where you manage your domain)
2. Find your existing SPF record (TXT record for your domain)
3. Add Microsoft's include statement to your SPF record

Example SPF record with Office 365:

If you only use Office 365:

v=spf1 include:spf.protection.outlook.com ~all

If you use Office 365 with other services (like Mailchimp):

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net ~all

Important notes:

• You can only have one SPF record per domain
• If you already have an SPF record, add include:spf.protection.outlook.com to it
• Don't create a new SPF record—modify your existing one
• The ~all at the end means "soft fail" for unauthorized servers

2. DKIM Record (DomainKeys Identified Mail)

What it does: DKIM adds a digital signature to emails sent through Office 365, proving they're authentic and haven't been tampered with during transit.

How to configure:

1. Log into Microsoft 365 admin center
2. Go to Settings → Domains → Select your domain → DNS records
3. Navigate to DKIM section
4. Enable DKIM for your domain
5. Microsoft will provide you with DKIM records (TXT records)
6. Add these records to your DNS at the locations Microsoft specifies (typically selector1._domainkey.yourdomain.com and selector2._domainkey.yourdomain.com)

Example DKIM record format:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

Important notes:

• Microsoft provides two DKIM selectors (selector1 and selector2) for redundancy
• Microsoft provides the exact DKIM record values—copy them exactly
• The records must be added at the exact subdomains Microsoft specifies
• Wait for DNS propagation (1-4 hours) before Microsoft can verify them
• Microsoft will verify the records are correctly configured in the admin center

3. DMARC Record (Domain-based Message Authentication, Reporting & Conformance)

What it does: DMARC tells receiving servers how to handle emails that fail SPF or DKIM authentication and provides reporting on email authentication performance.

How to configure:

1. Create a DMARC record at _dmarc.yourdomain.com (TXT record)
2. Start with a monitoring policy (p=none) to see how your emails are performing
3. Gradually move to stricter policies (p=quarantine or p=reject) after monitoring

Example DMARC record:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1

Important notes:

• Start with p=none to monitor without affecting delivery
• Set rua= to an email address where you want aggregate reports
• Set ruf= to an email address for forensic reports (optional)
• After monitoring for a few weeks, consider moving to p=quarantine or p=reject

4. MX Records (Mail Exchange)

What it does: MX records specify which mail servers are responsible for receiving email messages for your domain. For Office 365, these must point to Microsoft's mail servers.

How to configure:

1. Log into your DNS provider's dashboard
2. Remove or update any existing MX records
3. Add Office 365 MX record with priority 0

Office 365 MX Record:

The MX record format for Office 365 is:

Priority 0: yourdomain-com.mail.protection.outlook.com

Important notes:

• The hostname format is yourdomain-com.mail.protection.outlook.com (replace yourdomain with your actual domain, and hyphens replace dots)
• Only one MX record is needed for Office 365
• Remove any old MX records pointing to other mail servers
• This record is essential for receiving email through Office 365

Step-by-Step Setup Guide

Step 1: Set Up Office 365

1. Sign up for Microsoft 365 or log into your existing account
2. Add your domain to Office 365
3. Verify domain ownership through Microsoft's verification process
4. Complete the Office 365 setup wizard

Step 2: Update Your SPF Record

1. Log into your DNS provider's dashboard
2. Find your existing SPF record (TXT record for your domain)
3. If you don't have an SPF record, create one:

   v=spf1 include:spf.protection.outlook.com ~all
   

4. If you already have an SPF record, add Office 365 to it:

   v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net ~all
   

5. Save the changes

Step 3: Add DKIM Records

1. Log into Microsoft 365 admin center
2. Navigate to Settings → Domains → Select your domain → DNS records
3. Go to DKIM section
4. Click Enable for DKIM
5. Microsoft will provide you with two DKIM selectors (selector1 and selector2)
6. Copy the DKIM record values provided by Microsoft
7. In your DNS provider's dashboard, create new TXT records for each selector
8. Set the hostname/subdomain to what Microsoft specifies (typically selector1._domainkey and selector2._domainkey)
9. Paste each DKIM record value exactly as provided
10. Save both records
11. Return to Microsoft 365 admin center and verify the records

Step 4: Configure MX Records

1. In your DNS provider's dashboard, remove any existing MX records
2. Add the Office 365 MX record:
   • Priority: 0
   • Hostname: yourdomain-com.mail.protection.outlook.com (replace yourdomain with your actual domain)
3. Save the MX record

Note: The hostname format uses hyphens instead of dots. For example, if your domain is example.com, the MX record hostname would be example-com.mail.protection.outlook.com.

Step 5: Configure DMARC (Recommended)

1. In your DNS provider's dashboard, create a new TXT record
2. Set the hostname to _dmarc
3. Add the DMARC record value:

   v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
   

4. Replace dmarc@yourdomain.com with your email address
5. Save the record

Step 6: Verify Configuration

1. Wait 1-4 hours for DNS propagation
2. Check Microsoft 365 admin center for DNS record status
3. Use MailMoxie's DNS Record Checker to verify all records are present
4. Send a test email to verify both sending and receiving work

Common Configuration Scenarios

Scenario 1: Office 365 Only

If you only use Office 365 for email:

SPF:

v=spf1 include:spf.protection.outlook.com ~all

DKIM: Use Microsoft's provided records (selector1 and selector2)

DMARC:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

MX Record: yourdomain-com.mail.protection.outlook.com (Priority 0)

Scenario 2: Office 365 + Marketing Services

If you use Office 365 for business email and other services (Mailchimp, SendGrid) for marketing:

SPF:

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net include:sendgrid.net ~all

DKIM: Add Microsoft's DKIM and DKIM records from other services

DMARC:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

MX Record: yourdomain-com.mail.protection.outlook.com (Priority 0) - for receiving email

Verifying Your Configuration

After adding DNS records, verify they're working correctly:

1. Use MailMoxie's DNS Record Checker: Enter your domain to see all DNS records
2. Check Microsoft 365 Admin Center: Verify SPF, DKIM, and MX record status
3. Send a test email: Send a test email and check the authentication headers
4. Receive a test email: Have someone send you an email to verify MX records work
5. Review DMARC reports: Check your DMARC report email for authentication statistics

Common Questions

Q: Do I need to add Office 365 to my SPF record if I already have other services?

A: Yes, you need to add include:spf.protection.outlook.com to your existing SPF record. You can only have one SPF record per domain, so combine all services using multiple include: statements.

Q: How long does it take for DNS records to work with Office 365?

A: DNS changes typically take 1-4 hours to propagate, but can take up to 48 hours. After adding records, wait a few hours before verifying in Microsoft 365 admin center.

Q: Can I use Office 365 without adding DNS records?

A: No, DNS records are required for Office 365 to function properly. Without MX records, you can't receive email. Without SPF and DKIM, your emails may be filtered into spam.

Q: What if Microsoft can't verify my DKIM records?

A: Double-check that you copied the DKIM records exactly as provided by Microsoft, including the subdomains selector1._domainkey and selector2._domainkey. Make sure you added both selectors. Wait for DNS propagation and try verifying again. Use MailMoxie's DNS Record Checker to confirm the records are present.

Q: Do I need DMARC for Office 365?

A: DMARC is highly recommended but not strictly required. It provides additional authentication and reporting that helps improve deliverability and protect your domain from spoofing.

Q: What happens if I have multiple SPF records?

A: Having multiple SPF records will cause authentication failures. You must combine all services into a single SPF record using multiple include: statements.

Q: Can I use Office 365 with other email providers?

A: You can use Office 365 alongside marketing email services (Mailchimp, SendGrid), but you should use Office 365 MX records for receiving email. Add other services to your SPF record using include: statements.

Q: How do I know if my Office 365 DNS records are working?

A: Check Microsoft 365 admin center for DNS record status. You can also send a test email and check the email headers for SPF and DKIM pass results. Verify MX records by having someone send you an email.

Q: What if I'm using a subdomain for Office 365?

A: If you're using a subdomain (e.g., mail.yourdomain.com), add the DNS records to that subdomain instead of your main domain. Office 365 supports subdomain configuration.

Q: Can I keep my old email provider's MX records?

A: No, you should remove old MX records and use only Office 365 MX records. Having multiple sets of MX records can cause email delivery issues.

Q: Why does the MX record hostname use hyphens instead of dots?

A: Microsoft uses a specific format where dots in your domain name are replaced with hyphens in the MX record hostname. For example, example.com becomes example-com.mail.protection.outlook.com. This is Microsoft's standard format.

Key Takeaways

• Add include:spf.protection.outlook.com to your SPF record to authorize Microsoft's mail servers
• Add Microsoft's DKIM records at selector1._domainkey.yourdomain.com and selector2._domainkey.yourdomain.com
• Configure DMARC for additional authentication and reporting
• Set MX record to yourdomain-com.mail.protection.outlook.com (Priority 0) for proper email delivery
• You can only have one SPF record—combine all services using multiple include: statements
• Wait 1-4 hours for DNS propagation before verifying in Microsoft 365 admin center
• Use MailMoxie's DNS Record Checker to verify all records are configured correctly
• Proper DNS configuration is essential for Office 365 email functionality and deliverability
• Start with DMARC policy p=none to monitor, then gradually move to stricter policies