Although all of the services are accessed via http://portal.office.com, mail flow and other services require records in the DNS zone
Note: If you want to verify NS server propagation please check here: https://www.whatsmydns.net/#NS/your-domain.co.uk
Step 1: Will will provide you with a TXT record to add to the domain, a unique number in the format "MS=ms12345678". Once this has been added Microsoft are able to verify that you are in control (own) the domain.
Step 2: We will provide you with a list of the other DNS zone records to add. In most case they will be identical to the list below.
The MX record will usually be in the form "YOURDOMAIN-ID.mail.protection.outlook.com", with your unique email domain ID inserted; usually similar to your domain name; we will advise you of this.
For the selector CNAME entries "YOURDOMAIN-ID" will be replaced as the above MX record too. "YOURDOMAINTAG" will be replaced with your unique TAG, usually similar to your domain name but containing no dots or special characters; we will advise you of this.These CNAME entries are used for Domain Key signing of outgoing email messages (DKIM). The "Protocol" _domainkey is a sub-domain, as are _tls and _tcp.
The TXT record _dmarc must only be added after DKIM has been enabled within the Office 365 Exchange Admin portal; adding the _dmarc record without DKIM will result in all outbound mail being rejected! (The TXT record _dmarc is not a subdomain)
For more details on DKIM & DMARC, see the end of this article.
TTL: recommended value is 3600 on all records ("W*" = Weight, "P*"=Priority)
|Initial TXT record to prove ownership of domain|
|TXT|| || || || || ||@|| MS=ms12345678|
| || || || || || || || |
|Exchange email services|
|CNAME|| ||_domainkey|| || || ||selector2||selector2-YOURDOMAIN-ID.|
|TXT|| || || || || || _dmarc||v=DMARC1; pct=100; p=reject|
| || || || || || || || |
|Skype for Business|
|Mobile Device Management for Office 365|
|Additional Office 365 records|
DKIM and DMARC
Outbound emails can be automatically signed using DKIM. https://technet.microsoft.com/en-gb/library/mt695945(v=exchg.150).aspx
*** If using a hybrid scenario, such as sending from office email servers or 3rd party web servers, you may encounter problems with DMARC verification. In hybrid scenarios, begin with the DKIM and DMARC records RENAMED (X_dmarc | X_selector1) in the DNS zone and add them later once you've fully tested all outgoing mail servers ***
This is enabled from within the Exchange Admin area here: ( > Protection > dkim )
Administrator note: DKIM can also be enabled from PowerShell:
New-DkimSigningConfig –DomainName "yourdomainname.com" –Enabled $true Get-DkimSigningConfig -Identity yourdomainname.com | Format-List
How do I locate and add the DKIM keys to the DNS zone?
Go to Office 365 Admin > Setup > Domains > (click the *.onmicrosoft.com domain).
1.Note the tenant domain (the part before .onmicrosoft.com - example: customerABC1.onmicrosoft.com)
2.Also note the MX record subdomain (the part before .mail.protection.outlook.com - example: customerabc-com.mail.protection.outlook.com)
If the DNS zone is hosted outside of Office 365, create a subdomain _domainkey:
Add the CNAME records to the _domainkey subdomain:
...using the values (CNAME point to) formatted as follows: selector1-subdomain._domainkey.tenantdomain.onmicrosoft.com
Example values to add:
If the DNS zone is hosted inside of Office 365, on Microsoft's DNS servers, then proceed as follows:
Add 2 CNAMES: selector1._domainkey & selector2._domainkey (this is the method of adding 'subdomains' to Microsoft's DNS)
(pointing to the same as above. Example: selector1-customerabc-com._domainkey.customerabc1.onmicrosoft.com)
Test the DNS records for DKIM compliance using the tool below (https://testconnectivity.microsoft.com)
Enable using Exchange admin center above.
DMARC: Before adding the _dmarc TXT record it is vital that you send a test email to an external email address, and then Copy & Paste the headers into the Message Analyzer at https://testconnectivity.microsoft.com tool. Make sure that you see the "DKIM=pass" as in the image below. Once this has passed, then go ahead and add the TXT record _dmarc to the DNS zone. Having both DKIM and DMARC enabled for all outbound messages will add protection and authenticity to your emails, and prevent spoofing of your domain's email.
Official DMARC enablement article: https://technet.microsoft.com/en-us/library/mt734386(v=exchg.150).aspx
[End of article]