To get started you will need to browser windows open: Microsoft Admin Center and your domain DNS.
When setting up your domain to use Microsoft 365 you will need to verify that you are authorised to access the domain. To do this you will need to place a TXT record on your root domain. Firstly, Sign in to your Admin Center and navigate to Show All => Settings => Domains .
In a separate browser tab sign in to your web hosting account , then to access your DNS settings via Services => My Services => Select the hosting package you want to work on => then "Login to cPanel". Once in cPanel look for the "Zone Editor" under the DNS section.
Verification (TXT)
The first record that you will need to add is unique for your Microsoft account and will be in the format below
Subdomain |
Text |
(Leave this field empty.) |
MS=msXXXXXXXX Note This is an example. Use your specific Destination or Points to Address value here, from the table in Office 365. |
Mail Exchange (MX)
If you are ready for your emails to be routed to Microsoft, each domain provisioned onto Microsoft365 is allocated a unique MX record which will need to be added to your cPanel DNS ensuring that you overwrite the existing record.
At this point, within cPanel, you will also need to navigate to the "Email Routing" screen to switch your settings to "Remote". This will ensure that any email generated by your website are also routed to Microsoft. You can read more about email routing in cPanel here .
Subdomain |
Mail server |
Priority |
(Leave this field empty.) |
<domain-key>.mail.protection.outlook.com. This value MUST end with a period (.) Note Get your <domain-key> from your Office 365 portal account. |
0 For more information about priority, see What is MX priority? |
CNAME
To enable other services within your Microsoft365 account you will need to create their respective CNAME records to ensure correct functionality.
You only need to add the records for the services you wish to use, however we recommend to add them all which will allow you to turn the services on and off within the Microsoft portal as you need them
Subdomain |
Address |
Needed for |
autodiscover |
autodiscover.outlook.com. This value MUST end with a period (.) |
Email in Office 365 (Exchange Online) |
sip |
sipdir.online.lync.com. This value MUST end with a period (.) |
Teams / Skype for Business |
lyncdiscover |
webdir.online.lync.com. This value MUST end with a period (.) |
Teams / Skype for Business |
msoid |
clientconfig.microsoftonline-p.net. This value MUST end with a period (.) |
Office 365 (core services) |
enterpriseregistration |
enterpriseregistration.windows.net. This value MUST end with a period (.) |
Federation Service and DRS |
enterpriseenrollment |
enterpriseenrollment.manage.microsoft.com. This value MUST end with a period (.) |
Federation Service and DRS |
Sender Policy Framework (TXT)
To ensure correctly authenticate emails against your domain you will need to adjust your Sender Policy Framework to allow Microsoft to send emails on behalf of your domain.
Microsoft's default recommendation is to just allow their service with "v=spf1 include:spf.protection.outlook.com -all" however this could mean that any emails generate directly on your website e.g. contact form, sales invoices, etc. would not be correctly covered. We recommend adding "+a" which will allow any any service that has an A Record on your domain to send emails. Alternatively, if you are using a website proxy service like Cloudflare, you may wish to allow the webserver IP address directly with "+ip4:xxx.xxx.xxx.xxx" or "+ip6:xxxx:xxxx:xxxx:xxxx/64" where x is replaced by the actual value of your webserver.
Subdomain |
Text |
(Leave this field empty.) |
v=spf1 +a +include:spf.protection.outlook.com -all Note We recommend copying and pasting this entry, so that all of the spacing stays correct. |
Teams / Skype for Business (SRV)
Lastly, for Teams / Skype for Business you will need to add two SRV records
Service |
Proto |
Server |
Port |
Priority |
Weight |
SIP |
TLS |
sipdir.online.lync.com. This value MUST end with a period (.) |
443 |
100 |
1 |
_sipfederationtls |
TCP |
sipfed.online.lync.com. This value MUST end with a period (.) |
5061 |
100 |
1 |