External Domain Name System records for Office 365
The sections below are organized by service in Office 365. To see a customized list of the Office 365 DNS records for your domain, sign in to Office 365 and find the specific info you need to create records for your domain.
External DNS records required for Office 365 (core services)
Every Office 365 customer needs to add two records to their external DNS. The first CNAME record ensures that Office 365 can direct workstations to authenticate with the appropriate identity platform. The second required record is to prove you own your domain name.
DNS record | Purpose | Value to use |
CNAME
(Suite) |
Used by Office 365 to direct authentication to the correct identity platform. More Information | Alias: msoid
Target: clientconfig.microsoftonline-p.net |
TXT
(Domain verification) |
Used by Office 365 to verify only that you own your domain. It doesn’t affect anything else. | Host: @ (or, for some DNS hosting providers, your domain name)
TXT Value: A text string provided by Office 365 The Office 365 domain setup wizard provides the values that you use to create this record. |
External DNS records required for email in Office 365 (Exchange Online)
Email in Office 365 requires several different records. The three primary records that all customers should use are the Autodiscover, MX, and SPF records.
- The Autodiscover record allows client computers to automatically find Exchange and configure the client properly.
- The MX record tells other mail systems where to send email for your domain. When you change your email to Office 365, by updating your domain’s MX record, ALL email sent to that domain will start coming to Office 365. (Do you just want to switch a few email addresses to Office 365? You can take steps to pilot Office 365 with just a few email addresses instead.)
- The TXT record for SPF is used by recipient email systems to validate that the server sending your email is one that you approve. This helps prevent problems like email spoofing and phishing. See the SPF records section in this article for help understanding what to include in your record.
Email customers who are using Exchange Federation will also need the additional CNAME and TXT record listed at the bottom of the table.
DNS record | Purpose | Value to use |
CNAME
(Exchange Online) |
Helps Outlook clients to easily connect to the Exchange Online service by using the Autodiscover service. Autodiscover automatically finds the correct Exchange Server host and configures Outlook for users. | Alias: Autodiscover
Target: autodiscover.outlook.com |
MX
(Exchange Online) |
Sends incoming mail for your domain to the Exchange Online service in Office 365.
Note: Once email is flowing to Exchange Online, you should remove the MX records that are pointing to your old system. |
Domain: For example, contoso.com
Target email server: <MX token>.mail.protection.outlook.com Preference/Priority: lower than any other MX records (this ensures mail is delivered to Exchange Online) – for example 1 or ‘low’ Find your <MX token> by following these steps:
|
SPF (TXT)
(Exchange Online) |
Helps to prevent other people from using your domain to send spam or other malicious email. Sender policy framework (SPF) records work by identifying the servers that are authorized to send email from your domain. | DNS records required for SPF |
TXT
(Exchange federation) |
Used for Exchange federation for hybrid deployment. | TXT record 1: For example, contoso.com and associated custom-generated, domain-proof hash text (for example, Y96nu89138789315669824)
TXT record 2: For example, exchangedelegation.contoso.com and associated custom-generated, domain-proof hash text (for example, Y3259071352452626169) |
CNAME
(Exchange federation) |
Helps Outlook clients to easily connect to the Exchange Online service by using the Autodiscover service when your company is using Exchange federation. Autodiscover automatically finds the correct Exchange Server host and configures Outlook for your users. | Alias: For example, Autodiscover.service.contoso.com
Target: autodiscover.outlook.com |
External DNS records required for Skype for Business Online
There are specific steps to take when you set up your network for Skype for Business Online to make sure your network configured correctly.
DNS record | Purpose | Value to use |
SRV
(Skype for Business Online) |
Allows your Office 365 domain to share instant messaging (IM) features with external clients by enabling SIP federation. Read more about Skype networking. | Service: _sipfederationtls
Protocol: _TCP Priority: 100 Weight: 1 Port: 5061 Target: Sipfed.online.lync.com Note: If the firewall or proxy server blocks SRV lookups on an external DNS, you should add this record to the internal DNS record. |
SRV
(Skype for Business Online) |
Used by Skype for Business to coordinate the flow of information between Lync clients. | Service: _sip
Protocol: _TLS Priority: 100 Weight: 1 Port: 443 Target: sipdir.online.lync.com |
CNAME
(Skype for Business Online) |
Used by the Lync client to help find the Skype for Business Online service and sign in. | Alias: sip
Target: sipdir.online.lync.com For more information, see Set up your network for Skype for Business Online. |
CNAME
(Skype for Business Online) |
Used by the Lync mobile client to help find the Skype for Business Online service and sign in. | Alias: lyncdiscover
Target: webdir.online.lync.com |
External DNS records required for SharePoint Online
SharePoint Online only requires a DNS record if your organization usesSharePoint Online to send email to people externally. In this case, make sure you’ve set up an SPF record so the mail can be delivered.
External DNS records required for Office 365 Single Sign-On
DNS record | Purpose | Value to use |
Host (A) | Used for single sign-on (SSO). It provides the endpoint for your off-premises users (and on-premises users, if you like) to connect to your Active Directory Federation Services (AD FS) federation server proxies or load-balanced virtual IP (VIP). | Target: For example, sts.contoso.com |
External DNS records required for SPF
Important: SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF cannot protect against. In order to protect against these, once you have set up SPF, you should also configure DKIM and DMARC for Office 365. To get started, see Use DKIM to validate outbound email sent from your domain in Office 365. Next, see Use DMARC to validate email in Office 365.
SPF records are TXT records that help to prevent other people from using your domain to send spam or other malicious email. Sender policy framework (SPF) records work by identifying the servers that are authorized to send email from your domain.
You can only have one SPF record (that is, a TXT record that defines SPF) for your domain. That single record can have a few different inclusions but the total DNS lookups that result can’t be more than 10 (this helps prevent denial of service attacks). See the table and other examples below to help you create or update the right SPF record values for your environment.
Structure of an SPF record
All SPF records contain three parts: the declaration that it is an SPF record, the domains, and IP addresses that should be sending email, and an enforcement rule. You need all three in a valid SPF record. Here’s an example of a common SPF record for Office 365 when you use only Exchange Online email:
TXT Name @ Values: v=spf1 include:spf.protection.outlook.com -all
An email system that receives an email from your domain looks at the SPF record, and if the email server that sent the message was an Office 365 server, the message is accepted. If the server that sent the message was your old mail system or a malicious system on the Internet, for example, the SPF check might fail and the message wouldn’t be delivered. Checks like this help prevents spoofing and phishing messages.
Choose the SPF record structure you need
For scenarios where you’re not just using Exchange Online email for Office 365 (for example, when you use email originating from SharePoint Online as well), use the following table to determine what to include in the value of the record.
Note: If you have a complicated scenario that includes, for example, edge email servers for managing email traffic across your firewall, you’ll have a more detailed SPF record to set up. Learn how: Set up SPF records in Office 365 to help prevent spoofing. You can also learn much more about how SPF works with Office 365 by reading How Office 365 uses Sender Policy Framework (SPF) to help prevent spoofing.
If you’re using… | Purpose | Add these includes | |
1 | All email systems (required) | All SPF records start with this value | v=spf1 |
2 | Exchange Online (common) | Use with just Exchange Online | include:spf.protection.outlook.com |
3 | SharePoint Online and Exchange Online (common) | Use with Exchange Online and SharePoint Online | include:sharepointonline.com |
4 | Third party email system (less common) | include:<email system like mail.contoso.com> | |
5 | On-premises mail system (less common) | Use if you’re using Exchange Online Protection or Exchange Online plus another mail system | ip4:<0.0.0.0>
ip6:< : : > include:<mail.contoso.com> The value in brackets (<>) should be other mail systems that will send email for your domain. |
6 | All email systems (required) | -all |
Example: Adding to an existing SPF record
If you already have an SPF record, you’ll need to add or update values for Office 365. For example, say your existing SPF record for contoso.com is this:
TXT Name @ Values: v=spf1 ip4:60.200.100.30 include:spf.protection.outlook.com –all
Now you’re updating your SPF record for Office 365, for example, to include email that originates from SharePoint Online. You’ll edit your current record so you have a single SPF record that includes the values that you need. For Office 365, “sharepointonline.com” in an SPF record includes email from both Exchange Online (Outlook) and SharePoint Online, so you replace the original “spf.protection.outlook.com” value.
Correct:
TXT Name @ Values: v=spf1 ip4:60.200.100.30 include:sharepointonline.com –all
Incorrect:
Record 1: TXT Name @ Values: v=spf1 ip4:60.200.100.30 include:spf.protection.outlook.com –all Record 2: Values: v=spf1 include:sharepointonline.com –all
More examples of common SPF values
If you are using the full Office 365 suite and are using MailChimp to send marketing emails on your behalf, your SPF record at contoso.com might look like the following, which uses rows 1, 3, 4, and 6 from the table above. Remember, rows 1 and 6 are required, and “sharepointonline.com” includes both Exchange (Outlook) and SharePoint email.
TXT Name @ Values: v=spf1 include:sharepointonline.com include:servers.mcsv.net -all
Alternatively, if you have an Exchange Hybrid configuration where email will be sent from both Office 365 and your on-premises mail system, your SPF record at contoso.com might look like this:
TXT Name @ Values: v=spf1 include:sharepointonline.com include:mail.contoso.com -all
These are some common examples that can help you adapt your existing SPF record when you add your domain to Office 365 for email. If you have a complicated scenario that includes, for example, edge email servers for managing email traffic across your firewall, you’ll have a more detailed SPF record to set up. Learn how: Set up SPF records in Office 365 to help prevent spoofing.