
Reference: External Domain Name System records for Office 365

 

Applies to: Office 365 Enterprise

Topic Last Modified: 2015-03-31

Summary: Reference list of DNS records to use when planning an intricate Office 365 deployment.

Important:
This article is moving. Please update your bookmarks to External Domain Name System records for Office 365.

Want to see a customized list of DNS records for your Office 365 organization? Check out the article Gather the information you need to create Office 365 DNS records.

Need step-by-step help adding these records to your DNS system such as GoDaddy or eNom? Check out the article Create DNS records for Office 365.

Sticking around to use the reference list for your own custom deployment? Use the list below as a reference: select the records that apply to your organization and fill in the appropriate values.

Often the SPF and MX records are the hardest to figure out. We’ve updated our SPF records guidance at the end of this article. The important thing to remember is that you can only have a single SPF record for your domain. You can have multiple MX records; however, that often is what causes problems for mail delivery. Having a single MX record that directs email to one mail system removes many of those potential problems.

The sections below are organized by service in Office 365. If you want to see a customized list of DNS records for your Office 365 organization, check out the article Gather the information you need to create Office 365 DNS records.

Every Office 365 customer needs to add two records to their external DNS. The first, a CNAME record, ensures Office 365 can direct workstations to the appropriate identity platform. The second, a TXT record, proves that you own your domain name.

 

| DNS record | Purpose | Value to use |
| --- | --- | --- |
| CNAME (Suite) | Used by Office 365 to direct authentication to the correct identity platform. | Alias: msoid; Target: clientconfig.microsoftonline-p.net |
| TXT (Domain verification) | Used by Office 365 to verify only that you own your domain. It doesn’t affect anything else. | Host: @ (or, for some DNS hosting providers, your domain name); TXT Value: A text string provided by Office 365. The Office 365 Add a domain wizard provides the values that you use to create this record. |

Exchange Online requires several different records. The three primary records that all customers should use are the Autodiscover, MX, and SPF records.

Autodiscover allows client computers to automatically find Exchange Online and configure the client properly. The MX record tells other mail systems where to send email for your domain. The SPF record is used by recipient email systems to validate that the server sending your email is one that you approve. See the bottom of this article for help understanding what to put in your SPF record.

Exchange Online customers who are using Exchange Federation will also have an additional CNAME and TXT record listed at the bottom of the table.

 

| DNS record | Purpose | Value to use |
| --- | --- | --- |
| CNAME (Exchange Online) | Helps Outlook clients to easily connect to the Exchange Online service by using the Autodiscover service. Autodiscover automatically finds the correct Exchange Server host and configures Outlook for users. | Alias: Autodiscover; Target: autodiscover.outlook.com |
| MX (Exchange Online) | Sends incoming mail for your domain to the Exchange Online service in Office 365. Note: Once email is flowing to Exchange Online, you should remove the MX records that are pointing to your old system. | Domain: For example, contoso.com; Target email server: <MX token>.mail.protection.outlook.com; Preference/Priority: lower than any other MX records (this ensures mail is delivered to Exchange Online), for example 1 or 'low' |
| SPF (TXT) (Exchange Online) | Helps to prevent other people from using your domain to send spam or other malicious email. Sender policy framework (SPF) records work by identifying the servers that are authorized to send email from your domain. | See SPF records at the end of this article. |
| TXT (Exchange federation) | Used for Exchange federation for hybrid deployment. | TXT record 1: For example, contoso.com and associated custom-generated, domain-proof hash text (for example, Y96nu89138789315669824); TXT record 2: For example, exchangedelegation.contoso.com and associated custom-generated, domain-proof hash text (for example, Y3259071352452626169) |
| CNAME (Exchange federation) | Helps Outlook clients to easily connect to the Exchange Online service by using the Autodiscover service when your company is using Exchange federation. Autodiscover automatically finds the correct Exchange Server host and configures Outlook for your users. | Alias: For example, Autodiscover.service.contoso.com; Target: autodiscover.outlook.com |

Find your <MX token> by following these steps:

  • Sign in to Exchange Online, go to Exchange Online admin > Domains.

  • In the Action column for your domain, choose Fix issues.

  • In the MX records section, choose What do I fix?

  • Follow the directions on this page to update your MX record.
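The MX guidance above (point mail at Exchange Online with the lowest preference, then remove the records for the old system) can be checked mechanically. The following is an added example, not Microsoft's code; the function name `audit_mx` and the sample zones are constructed for illustration, and `mxtoken` stands in for your real <MX token>.

```python
EOP_SUFFIX = ".mail.protection.outlook.com"


def audit_mx(mx_records):
    """Check (preference, target) MX pairs for one domain; return findings."""
    records = [(pref, host.rstrip(".").lower()) for pref, host in mx_records]
    eop = [pref for pref, host in records if host.endswith(EOP_SUFFIX)]
    if not eop:
        return ["no MX record targets *" + EOP_SUFFIX]
    findings = []
    for pref, host in sorted(records):
        if host.endswith(EOP_SUFFIX):
            continue
        if pref <= min(eop):
            # Senders try the lowest preference number first.
            findings.append(
                f"{host}: preferred over Exchange Online ({pref} <= {min(eop)})")
        else:
            findings.append(f"{host}: leftover fallback MX (preference {pref})")
    return findings


# Constructed sample zones; "mxtoken" is a placeholder for the real <MX token>.
CUTOVER_DONE = [(1, "mxtoken.mail.protection.outlook.com.")]
OLD_SYSTEM_WINS = [(5, "mail.contoso.com."),
                   (10, "mxtoken.mail.protection.outlook.com.")]
OLD_SYSTEM_LEFT = [(1, "mxtoken.mail.protection.outlook.com."),
                   (20, "mail.contoso.com.")]

if __name__ == "__main__":
    for name, zone in [("cutover done", CUTOVER_DONE),
                       ("old system wins", OLD_SYSTEM_WINS),
                       ("old system left", OLD_SYSTEM_LEFT)]:
        print(name, "->", audit_mx(zone) or "no findings")
```

A leftover fallback MX matters for security as well as delivery: mail accepted by the old system does not pass through Exchange Online on the way in.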

Check out Set up your network for Lync Online for more information on getting your network configured to work with Lync Online.

 

| DNS record | Purpose | Value to use |
| --- | --- | --- |
| SRV (Lync Online) | Allows your Office 365 domain to share instant messaging (IM) features with clients other than Skype by enabling SIP federation. | Service: _sipfederationtls; Protocol: _TCP; Priority: 100; Weight: 1; Port: 5061; Target: Sipfed.online.lync.com. Note: If the firewall or proxy server blocks SRV lookups on an external DNS, you should add this record to the internal DNS record. |
| SRV (Lync Online) | Used by Lync Online to coordinate the flow of information between Lync clients. | Service: _sip; Protocol: _TLS; Priority: 100; Weight: 1; Port: 443; Target: sipdir.online.lync.com |
| CNAME (Lync Online) | Used by the Lync client to help find the Lync Online service and sign in. | Alias: sip; Target: sipdir.online.lync.com. For more information, see Ensuring Your Network Works With Lync Online. |
| CNAME (Lync Online) | Used by the Lync mobile client to help find the Lync Online service and sign in. | Alias: lyncdiscover; Target: webdir.online.lync.com |

SharePoint Online only requires a DNS record if SharePoint Online is sending email to external recipients. If this is the case, an SPF record may be required to ensure mail delivery. See SPF records at the end of this article.

 

| DNS record | Purpose | Value to use |
| --- | --- | --- |
| Host (A) | Used for single sign-on (SSO). It provides the endpoint for your off-premises users (and on-premises users, if you like) to connect to your Active Directory Federation Services (AD FS) federation server proxies or load-balanced virtual IP (VIP). | Target: For example, sts.contoso.com |

Remember, you can only have one SPF record for your domain. That single SPF record can have a few different inclusions (up to 10). Use the chart below to help you build the right SPF record for your environment. Choose one from below.

SPF records help to prevent other people from using your domain to send spam or other malicious email. Sender policy framework (SPF) records work by identifying the servers that are authorized to send email from your domain.

Note:
If the firewall or proxy server blocks TXT lookups on an external DNS, you should also add this record to the internal DNS record.

All SPF records contain three parts: the declaration that it is an SPF record, the domains and IP addresses that should be sending email, and an enforcement rule. You need all three to have a valid SPF record. Here’s an example of the most common SPF record for Office 365:

TXT Name @ 
Values: v=spf1 include:spf.protection.outlook.com include:sharepointonline.com -all

When you add this record to your DNS records, an email system that receives an email from your domain looks at this SPF record. If the email server that sent the message was an Office 365 server, the receiving system accepts the message. If it was your old mail system or a malicious system on the internet, the receiving system considers the email unsafe.

If you have a more intricate scenario, use this table to determine what should be included in the value of the record:

 

 

|   | If you’re… | Purpose | Add these includes |
| --- | --- | --- | --- |
| 1 | Any email system (required) | All SPF records start with this value | v=spf1 |
| 2 | Exchange Online (common) | Use if you’re using Exchange Online | include:spf.protection.outlook.com |
| 3 | SharePoint Online (common) | Use if you’re using SharePoint Online | include:sharepointonline.com |
| 4 | A third party email system (less common) |   | include:<email system> |
| 5 | On-premises mail system (less common) | Use if you’re using Exchange Online Protection or Exchange Online plus another mail system | ip4:<0.0.0.0> - OR - include:<mail.contoso.com>. The value for <0.0.0.0> or <mail.contoso.com> should be your other mail system that will send email for your domain. |
| 6 | Any email system (required) |   | -all |

For example, if you are using the full Office 365 suite and are using MailChimp to send marketing emails on your behalf, your SPF record at contoso.com might look like the following, which uses rows 1, 2, 3, 4, and 6 (remember, rows 1 and 6 are required):

TXT Name @ 
Values: v=spf1 include:spf.protection.outlook.com include:sharepointonline.com include:servers.mcsv.net -all

Alternatively, if you had an Exchange Hybrid configuration where email was being sent from both Office 365 and your on-premises mail system, your SPF record at contoso.com might look like this:

TXT Name @ 
Values: v=spf1 include:spf.protection.outlook.com include:sharepointonline.com include:mail.contoso.com -all
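The rules in this section (one SPF record per domain, a v=spf1 declaration, a bounded number of includes, and a closing -all) can be linted before a record is published. This is an added example, not Microsoft's code; `lint_spf` and the sample inputs are constructed, and the term list and lookup limit follow RFC 7208. It inspects only the record itself, so lookups made inside the included domains, which also count at evaluation time, are not followed.

```python
import re

# Terms defined by RFC 7208; the first six each cost the receiver a DNS lookup.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"all", "ip4", "ip6", "exp"}
MAX_LOOKUPS = 10


def lint_spf(txt_records):
    """Return a list of findings for all TXT values published at one name."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record: no TXT value starts with v=spf1"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records published; only one is allowed"]

    findings, lookups = [], 0
    terms = spf[0].split()[1:]
    for term in terms:
        # Drop the qualifier (+ - ~ ?), then cut at the first ':', '=' or '/'.
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name not in KNOWN_TERMS:
            findings.append(f"unknown term: {term}")
        elif name in LOOKUP_TERMS:
            lookups += 1
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} lookup terms; the limit is {MAX_LOOKUPS}")
    if not terms or terms[-1].lower() != "-all":
        findings.append("record does not end with -all")
    return findings


# Constructed sample inputs, built from the records shown in this article.
OFFICE365 = ("v=spf1 include:spf.protection.outlook.com "
             "include:sharepointonline.com -all")
SAMPLES = {
    "ok": [OFFICE365, "placeholder-domain-verification-string"],
    "two records": [OFFICE365, "v=spf1 include:servers.mcsv.net -all"],
    "typo": ["v=spf1 include:spf.protection.outlook.com ipv4:192.0.2.10 -all"],
    "no enforcement": ["v=spf1 include:spf.protection.outlook.com"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, "->", lint_spf(records) or "no findings")
```

The "two records" case is the one to watch when adding a third-party sender: merge its include into the existing record rather than publishing a second TXT value that starts with v=spf1.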

For more information on SenderID, we provide a comprehensive guide on SenderID and SPF records.

 
© 2015 Microsoft