Although all of the services are accessed via http://portal.office.com, mail flow and other services require records in the DNS zone


Note: If you want to verify NS server propagation please check here: https://www.whatsmydns.net/#NS/your-domain.co.uk


Step 1: Will will provide you with a TXT record to add to the domain, a unique number in the format "MS=ms12345678". Once this has been added Microsoft are able to verify that you are in control (own) the domain.

Step 2: We will provide you with a list of the other DNS zone records to add. In most case they will be identical to the list below.


Notes

The MX record will usually be in the form "YOURDOMAIN-ID.mail.protection.outlook.com", with your unique email domain ID inserted; usually similar to your domain name; we will advise you of this.

For the selector CNAME entries "YOURDOMAIN-ID" will be replaced as the above MX record too. "YOURDOMAINTAG" will be replaced with your unique TAG, usually similar to your domain name but containing no dots or special characters; we will advise you of this.These CNAME entries are used for Domain Key signing of outgoing email messages (DKIM). The "Protocol" _domainkey is a sub-domain, as are _tls and _tcp.

The TXT record _dmarc must only be added after DKIM has been enabled within the Office 365 Exchange Admin portal; adding the _dmarc record without DKIM will result in all outbound mail being rejected! (The TXT record _dmarc is not a subdomain)

For more details on DKIM & DMARC, see the end of this article.


TTL: recommended value is 3600 on all records ("W*" = Weight, "P*"=Priority)


Type

Service

Protocol

Port

W*

P*

Hostname/Name

Target address/value









Initial TXT record to prove ownership of domain
TXT
 
 
 
 
 
@
 MS=ms12345678
(auto-generated)

 
 
 
 
 
 
 
 
Exchange email services
MX




0
@
YOURDOMAIN-ID.
mail.protection.outlook.com
TXT





@
v=spf1 include:
spf.protection.outlook.com
 -all
CNAME





autodiscover
autodiscover.outlook.com
CNAME

_domainkey



selector1
selector1-YOURDOMAIN-ID.
_domainkey.Y
OURDOMAINTAG.
onmicrosoft.com
CNAME
 
_domainkey
 
 
 
selector2
selector2-YOURDOMAIN-ID.
_domainkey.Y
OURDOMAINTAG.
onmicrosoft.com
TXT
 
 
 
 
 
 _dmarc
v=DMARC1; pct=100; p=reject
 
 
 
 
 
 
 
 
Skype for Business
CNAME





sip
sipdir.online.lync.com
CNAME





lyncdiscover
webdir.online.lync.com
SRV
_sip
_tls
443
1
100
@
sipdir.online.lync.com
SRV
_sipfederationtls
_tcp
5061
1
100
@
sipfed.online.lync.com








Mobile Device Management for Office 365
CNAME





enterpriseregistration
enterpriseregistration.
windows.net
CNAME





enterpriseenrollment
enterpriseenrollment.
manage.microsoft.com








Additional Office 365 records
CNAME





msoid
clientconfig.
microsoftonline-p.net


























DKIM and DMARC

Outbound emails can be automatically signed using DKIM. https://technet.microsoft.com/en-gb/library/mt695945(v=exchg.150).aspx


*** If using a hybrid scenario, such as sending from office email servers or 3rd party web servers, you may encounter problems with DMARC verification. In hybrid scenarios, begin with the DKIM and DMARC records RENAMED (X_dmarc | X_selector1) in the DNS zone and add them later once you've fully tested all outgoing mail servers ***


This is enabled from within the Exchange Admin area here: ( > Protection > dkim )



Administrator note: DKIM can also be enabled from PowerShell:

See https://internetservices.freshdesk.com/solution/articles/5000513933-connect-to-exchange-online-via-powershell

 

New-DkimSigningConfig –DomainName "yourdomainname.com" –Enabled $true
Get-DkimSigningConfig -Identity yourdomainname.com | Format-List

 

How do I locate and add the DKIM keys to the DNS zone?

Go to Office 365 Admin > Setup > Domains > (click the *.onmicrosoft.com domain).

1.Note the tenant domain (the part before .onmicrosoft.com - example: customerABC1.onmicrosoft.com)

2.Also note the MX record subdomain (the part before .mail.protection.outlook.com - example: customerabc-com.mail.protection.outlook.com)

If the DNS zone is hosted outside of Office 365, create a subdomain _domainkey:

Add the CNAME records to the _domainkey subdomain:

    selector1

    selector2

...using the values (CNAME point to) formatted as follows: selector1-subdomain._domainkey.tenantdomain.onmicrosoft.com

Example values to add:

    selector1-customerabc-com._domainkey.customerabc1.onmicrosoft.com

    selector2-customerabc-com._domainkey.customerabc1.onmicrosoft.com

If the DNS zone is hosted inside of Office 365, on Microsoft's DNS servers, then proceed as follows:

Add 2 CNAMES: selector1._domainkey & selector2._domainkey (this is the method of adding 'subdomains' to Microsoft's DNS)

(pointing to the same as above. Example: selector1-customerabc-com._domainkey.customerabc1.onmicrosoft.com)


Test the DNS records for DKIM compliance using the tool below (https://testconnectivity.microsoft.com)

Enable using Exchange admin center above.


DMARC: Before adding the _dmarc TXT record it is vital that you send a test email to an external email address, and then Copy & Paste the headers into the Message Analyzer at https://testconnectivity.microsoft.com tool. Make sure that you see the "DKIM=pass" as in the image below. Once this has passed, then go ahead and add the TXT record _dmarc to the DNS zone. Having both DKIM and DMARC enabled for all outbound messages will add protection and authenticity to your emails, and prevent spoofing of your domain's email.

Official DMARC enablement article: https://technet.microsoft.com/en-us/library/mt734386(v=exchg.150).aspx




[End of article]