If you purchased a domain from a third-party hosting provider, you can connect it to Microsoft 365 by updating the DNS records in your registrar’s account.
At the end of these steps, your domain will stay registered with the host that you purchased the domain from, but Microsoft 365 can use it for your email addresses (like user@yourdomain.com) and other services.
If you don't add a domain, people in your organization will use the onmicrosoft.com domain for their email addresses until you do. It's important to add your domain before you add users, so you don't have to set them up twice.
Check the Domains FAQ if you don't find what you're looking for below.
Step 1: Add a TXT or MX record to verify you own the domain
Recommended: Verify with a TXT record
First, you need to prove you own the domain you want to add to Microsoft 365.
- Sign in to the Microsoft 365 admin center and select Show all > Settings > Domains.
- In a new browser tab or window, sign in to your DNS hosting provider, and then find where you manage your DNS settings (e.g., Zone File Settings, Manage Domains, Domain Manager, DNS Manager).
- Go to your provider's DNS Manager page, and add the TXT record indicated in the admin center to your domain.
Adding this record won't affect your existing email or other services and you can safely remove it once your domain is connected to Microsoft 365.
Example:
- TXT Name: @
- TXT Value: MS=ms######## (unique ID from the admin center)
- TTL: 3600 (or your provider default)
- Save the record, go back to the admin center, and then select Verify. It typically takes around 15 minutes for record changes to register, but sometimes it can take longer. Give it some time and a few tries to pick up the change.
When Microsoft finds the correct TXT record, your domain is verified.
Verify with an MX record
If your registrar doesn't support adding TXT records, you can verify by adding an MX record.
- Sign in to the Microsoft 365 admin center and select Show all > Settings > Domains.
- In a new browser tab or window, sign in to your DNS hosting provider, and then find where you manage your DNS settings (e.g., Zone File Settings, Manage Domains, Domain Manager, DNS Manager).
- Go to your provider's DNS Manager page, and add the MX record indicated in the admin center to your domain.
This MX record's Priority must be the highest of all existing MX records for the domain. Otherwise, it can interfere with sending and receiving email. You should delete this record as soon as domain verification is complete.
Make sure that the fields are set to the following values:
- Record Type: MX
- Priority: Set to the highest value available, typically 0.
- Host Name: @
- Points to address: Copy the value from the admin center and paste it here.
- TTL: 3600 (or your provider default)
When Microsoft finds the correct MX record, your domain is verified.
Step 2: Add DNS records to connect Microsoft services
In a new browser tab or window, sign in to your DNS hosting provider, and find where you manage your DNS settings (e.g., Zone File Settings, Manage Domains, Domain Manager, DNS Manager).
You'll be adding several different types of DNS records depending on the services you want to enable.
Add an MX record for email (Outlook, Exchange Online)
Before you begin: If users already have email with your domain (such as user@yourdomain.com), create their accounts in the admin center before you set up your MX records. That way, they’ll continue to receive email. When you update your domain's MX record, all new email for anyone who uses your domain will now come to Microsoft 365. Any email you already have will stay at your current email host, unless you decide to migrate email and contacts to Microsoft 365.
You'll get the information for the MX record from the admin center domain setup wizard.
On your hosting provider's website, add a new MX record. Make sure that the fields are set to the following values:
- Record Type: MX
- Priority: Set to the highest value available, typically 0.
- Host Name: @
- Points to address: Copy the value from the admin center and paste it here.
- TTL: 3600 (or your provider default)
Save the record, and then remove any other MX records.
Add CNAME records to connect other services (Teams, Exchange Online, AAD, MDM)
You'll get the information for the CNAME records from the admin center domain setup wizard.
On your hosting provider's website, add CNAME records for each service that you want to connect. Make sure that the fields are set to the following values for each:
- Record Type: CNAME (Alias)
- Host: Paste the values you copy from the admin center here.
- Points to address: Copy the value from the admin center and paste it here.
- TTL: 3600 (or your provider default)
Add or edit an SPF TXT record to help prevent email spam (Outlook, Exchange Online)
Before you begin: If you already have an SPF record for your domain, don't create a new one for Microsoft 365. Instead, add the required Microsoft 365 values to the current record on your hosting provider's website so that you have a single SPF record that includes both sets of values.
On your hosting provider's website, edit the existing SPF record or create an SPF record. Make sure that the fields are set to the following values:
- Record Type: TXT (Text)
- Host: @
- TXT Value: v=spf1 include:spf.protection.outlook.com -all
- TTL: 3600 (or your provider default)
Save the record.
Validate your SPF record by using one of these SPF validation tools
SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF cannot protect against. To protect against these, once you've set up SPF, you should also set up DKIM and DMARC for Microsoft 365.
To get started, see Use DKIM to validate outbound email sent from your domain in Microsoft 365 and Use DMARC to validate email in Microsoft 365.
Add SRV records for communications services (Teams, Skype for Business)
On your hosting provider's website, add SRV records for each service you want to connect. Make sure that the fields are set to the following values for each:
- Record Type: SRV (Service)
- Name: @
- Target: Copy the value from the admin center and paste it here.
- Protocol: Copy the value from the admin center and paste it here.
- Service: Copy the value from the admin center and paste it here.
- Priority: 100
- Weight: 1
- Port: Copy the value from the admin center and paste it here.
- TTL: 3600 (or your provider default)
Save the record.
SRV record field restrictions and workarounds
Some hosting providers impose restrictions on field values within SRV records. Here are some common workarounds for these restrictions.
Name
If your hosting provider doesn't allow setting this field to @, leave it blank. Use this approach only when your hosting provider has separate fields for the Service and Protocol values. Otherwise, see the Service and Protocol notes below.
Service and Protocol
If your hosting provider doesn't provide these fields for SRV records, you must specify the Service and Protocol values in the record's Name field. (Note: Depending on your hosting provider, the Name field might be called something else, like: Host, Hostname, or Subdomain.) To add these values, you create a single string, separating the values with a dot.
Example: _sip._tls
Priority, Weight, and Port
If your hosting provider doesn't provide these fields for SRV records, you must specify them in the record's Target field. (Note: Depending on your hosting provider, the Target field might be called something else, like: Content, IP Address, or Target Host.)
To add these values, create a single string, separating the values with spaces and sometimes ending with a dot (check with your provider if you are unsure). The values must be included in this order: Priority, Weight, Port, Target.
- Example 1: 100 1 443 sipdir.online.lync.com.
- Example 2: 100 1 443 sipdir.online.lync.com
This article describes how to update a Domain Name Service (DNS) record so that you can use Sender Policy Framework (SPF) email authentication with your custom domain in Office 365.
Using SPF helps to validate outbound email sent from your custom domain. It's a first step in setting up other recommended email authentication methods DMARC and DKIM (two further email authentication methods supported in Office 365).
Prerequisites
Important
If you are a small business, or are unfamiliar with IP addresses or DNS configuration, call your Internet domain registrar (ex. GoDaddy, Bluehost, web.com) to ask for help with DNS configuration of SPF (and any other email authentication method). Also, if you haven't bought, or don't use a custom URL (in other words the URL you and your customers browse to reach Office 365 ends in onmicrosoft.com), SPF has been set up for you in the Office 365 service. No further steps are required in that case. Thanks for reading.
Before you create or update the SPF TXT record for Office 365 in external DNS, you need to gather some information needed to make the record. For advanced examples and a more detailed discussion about supported SPF syntax, see How SPF works to prevent spoofing and phishing in Office 365.
Gather this information:
- The current SPF TXT record for your custom domain, if one exists. For instructions, see Gather the information you need to create Office 365 DNS records.
- Go to your messaging server(s) and find out the External IP addresses (needed from all on-premises messaging servers). For example, 131.107.2.200.
- Domain names to use for all third-party domains that you need to include in your SPF TXT record. Some bulk mail providers have set up subdomains to use for their customers. For example, the company MailChimp has set up servers.mcsv.net.
- Figure out what enforcement rule you want to use for your SPF TXT record. The -all rule is recommended. For detailed information about other syntax options, see SPF TXT record syntax for Office 365.
Important
In order to use a custom domain, Office 365 requires that you add a Sender Policy Framework (SPF) TXT record to your DNS record to help prevent spoofing.
Create or update your SPF TXT record
- Ensure that you're familiar with the SPF syntax in the following table.
Element | If you're using... | Common for customers? | Add this... |
---|---|---|---|
1 | Any email system (required) | Common. All SPF TXT records start with this value | v=spf1 |
2 | Exchange Online | Common | include:spf.protection.outlook.com |
3 | Exchange Online dedicated only | Not common | ip4:23.103.224.0/19 ip4:206.191.224.0/19 ip4:40.103.0.0/16 include:spf.protection.outlook.com |
4 | Office 365 Germany, Microsoft Cloud Germany only | Not common | include:spf.protection.outlook.de |
5 | Third-party email system | Not common | include:<domain_name> <domain_name> is the domain of the third party email system. |
6 | On-premises email system. For example, Exchange Online Protection plus another email system | Not common | Use one of these for each additional mail system: <IP_address> and <domain_name> are the IP address and domain of the other email system that sends mail on behalf of your domain. |
7 | Any email system (required) | Common. All SPF TXT records end with this value | <enforcement rule> This can be one of several values. We recommend the value |
If you haven't already done so, form your SPF TXT record by using the syntax from the table.
For example, if you are fully-hosted in Office 365, that is, you have no on-premises mail servers, your SPF TXT record would include rows 1, 2, and 7 and would look like this:
This is the most common SPF TXT record. This record works for just about everyone, regardless of whether your Microsoft datacenter is located in the United States, or in Europe (including Germany), or in another location.
However, if you have purchased Office 365 Germany, part of Microsoft Cloud Germany, you should use the include statement from line 4 instead of line 2. For example, if you are fully-hosted in Office 365 Germany, that is, you have no on-premises mail servers, your SPF TXT record would include rows 1, 4, and 7 and would look like this:
If you're already deployed in Office 365 and have set up your SPF TXT records for your custom domain, and you're migrating to Office 365 Germany, you need to update your SPF TXT record. To do this, change include:spf.protection.outlook.com to include:spf.protection.outlook.de.
Once you have formed your SPF TXT record, you need to update the record in DNS. You can only have one SPF TXT record for a domain. If an SPF TXT record exists, instead of adding a new record, you need to update the existing record. Go to Create DNS records for Office 365, and then click the link for your DNS host.
Test your SPF TXT record.
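One way to carry out the merge into an existing record and the single-record check described above, as an added example that is not part of the original article. The function names are assumptions, the sample records are constructed from values on this page, and the lookup count covers only the top-level record.

```python
import re

M365_INCLUDE = "include:spf.protection.outlook.com"  # row 2 of the table
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per SPF evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_records(txt_records):
    """Keep only the TXT strings that are SPF records."""
    return [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]

def costs_lookup(term):
    """True if evaluating this term makes the receiver issue a DNS query."""
    name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
    return name in LOOKUP_TERMS

def add_m365(record):
    """Insert the Microsoft 365 include before the 'all' term, once."""
    terms = record.split()
    if M365_INCLUDE in (t.lower() for t in terms):
        return record
    pos = next((i for i, t in enumerate(terms)
                if t.lstrip("+-~?").lower() == "all"), len(terms))
    terms.insert(pos, M365_INCLUDE)
    return " ".join(terms)

def lint(txt_records):
    """Return the problems found in the TXT records published at one name."""
    spf = spf_records(txt_records)
    if len(spf) != 1:
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].split()[1:]
    problems = []
    if M365_INCLUDE not in (t.lower() for t in terms):
        problems.append("missing " + M365_INCLUDE)
    if not terms or terms[-1].lower() != "-all":
        problems.append("does not end with the recommended -all")
    # Top-level count only: each include's own record adds further lookups.
    lookups = sum(costs_lookup(t) for t in terms)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} lookup terms, limit is {MAX_LOOKUPS}")
    return problems

# Constructed sample: apex TXT records of a domain with existing senders.
EXISTING = ["MS=ms########", "v=spf1 ip4:131.107.2.200 include:servers.mcsv.net -all"]
MERGED = [EXISTING[0], add_m365(EXISTING[1])]
# Constructed mistake: a second SPF record created beside the old one.
DUPLICATED = EXISTING + ["v=spf1 " + M365_INCLUDE + " -all"]

if __name__ == "__main__":
    print([lint(r) or "ok" for r in (EXISTING, MERGED, DUPLICATED)])
```

To check a live domain, pass `lint` the TXT strings returned by your resolver for that name.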
How to handle subdomains?
It is important to note that you need to create a separate record for each subdomain as subdomains don't inherit the SPF record of their top level domain.
An additional wildcard SPF record (*.) is required for every domain and subdomain to prevent attackers from sending email claiming to be from non-existent subdomains. For example:
Troubleshooting SPF
Having trouble with your SPF TXT record? Read Troubleshooting: Best practices for SPF in Office 365.
What does SPF email authentication actually do?
SPF identifies which mail servers are allowed to send mail on your behalf. Basically, SPF, along with DKIM, DMARC, and other technologies supported by Office 365, helps prevent spoofing and phishing. SPF is added as a TXT record that is used by DNS to identify which mail servers can send mail on behalf of your custom domain. Recipient mail systems refer to the SPF TXT record to determine whether a message from your custom domain comes from an authorized messaging server.
For example, let's say that your custom domain contoso.com uses Office 365. You add an SPF TXT record that lists the Office 365 messaging servers as legitimate mail servers for your domain. When the receiving messaging server gets a message from joe@contoso.com, the server looks up the SPF TXT record for contoso.com and finds out whether the message is valid. If the receiving server finds out that the message comes from a server other than the Office 365 messaging servers listed in the SPF record, the receiving mail server can choose to reject the message as spam.
Also, if your custom domain does not have an SPF TXT record, some receiving servers may reject the message outright. This is because the receiving server cannot validate that the message comes from an authorized messaging server.
If you've already set up mail for Office 365, then you have already included Microsoft's messaging servers in DNS as an SPF TXT record. However, there are some cases where you may need to update your SPF TXT record in DNS. For example:
- Previously, you had to add a different SPF TXT record to your custom domain if you were using SharePoint Online. This is no longer required. This change should reduce the risk of SharePoint Online notification messages ending up in the Junk Email folder. Update your SPF TXT record if you are hitting the 10 lookup limit and receiving errors that say things like, 'exceeded the lookup limit' and 'too many hops'.
- If you have a hybrid environment with Office 365 and Exchange on-premises.
- You intend to set up DKIM and DMARC (recommended).
More information about SPF
For advanced examples, a more detailed discussion about supported SPF syntax, spoofing, troubleshooting, and how Office 365 supports SPF, see How SPF works to prevent spoofing and phishing in Office 365.
Links to configure DKIM and DMARC
SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF can't protect against. To defend against these, once you've set up SPF, you should configure DKIM and DMARC for Office 365.
DKIM email authentication's goal is to prove the contents of the mail haven't been tampered with.
DMARC email authentication's goal is to make sure that SPF and DKIM information matches the From address.