Why DNS records matter
Before a domain can send email through Microsoft 365, receiving mail servers need to be able to verify that the email is legitimate. DNS records are how that verification works. Missing or misconfigured records cause authentication failures, which cause spam routing or outright rejection.
TenantCore generates all required DNS records for each domain you attach to a tenant. Your job is to add them to your registrar and wait for propagation.
The records TenantCore generates
TenantCore generates two categories of records: mail records that directly affect sending and deliverability, and Microsoft 365 service records that complete the domain’s configuration within the Microsoft ecosystem. Both sets should be added.
Mail records
These records directly affect your ability to send and receive email and how receiving servers authenticate your messages.
MX (Mail Exchanger)
The MX record tells other mail servers where to deliver inbound email for your domain.
Type: MX
Name: @
Value: yourdomain-com.mail.protection.outlook.com
Priority: 0
Without a valid MX record, your domain cannot receive email. Microsoft also uses MX record presence as a signal that the domain is legitimately configured for mail.
SPF (Sender Policy Framework)
SPF is a TXT record that lists which mail servers are authorized to send email on behalf of your domain. Receiving servers check the SPF record to confirm the sending server is on the approved list.
Type: TXT
Name: @
Value: v=spf1 include:spf.protection.outlook.com -all
The -all at the end means “reject mail from any server not listed here.” This is the correct setting for cold email domains: it tells receiving servers you have explicitly defined who can send on your behalf.
Only one SPF record is allowed per domain. If you already have an SPF record, add include:spf.protection.outlook.com to it rather than creating a second record.
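One way to apply the single-record rule when the domain already publishes SPF, as an added example (not TenantCore's code). The function name, the sample records and the example.net include are assumptions made for illustration.

```python
M365_INCLUDE = "include:spf.protection.outlook.com"  # value given on this page
ALL_TERMS = {"all", "+all", "-all", "~all", "?all"}


def merge_spf(txt_records, include=M365_INCLUDE):
    """Return the single SPF record to publish at the domain apex.

    txt_records: every TXT string currently published at "@".
    """
    found = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(found) > 1:
        # RFC 7208 makes receivers return a permanent error in this case.
        raise ValueError(f"{len(found)} SPF records published; combine them first")
    if not found:
        return f"v=spf1 {include} -all"
    terms = found[0].split()
    if include in (t.lower() for t in terms):
        return " ".join(terms)  # Microsoft 365 is already authorised
    # Mechanisms after "all" are never evaluated, so insert in front of it.
    pos = next((i for i, t in enumerate(terms) if t.lower() in ALL_TERMS), len(terms))
    terms.insert(pos, include)
    return " ".join(terms)


# Constructed sample: the apex already carries another sender's SPF record.
EXISTING = ["MS=msXXXXXXXX", "v=spf1 include:_spf.example.net ~all"]

if __name__ == "__main__":
    print(merge_spf(EXISTING))
```

The function leaves the existing all qualifier as it found it; moving a ~all record to -all is a separate change to make once every legitimate sender is listed.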
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to outbound messages. The signature is generated using a private key held by Microsoft and verified using a public key published in your DNS.
TenantCore generates two CNAME records for DKIM:
Type: CNAME
Name: selector1._domainkey
Value: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
Type: CNAME
Name: selector2._domainkey
Value: selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
Microsoft rotates between the two selectors automatically. Both records must be present.
After adding the CNAME records, DKIM signing must be enabled in the Microsoft 365 admin center or via Exchange Online PowerShell. TenantCore handles this automatically when you attach a domain.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC tells receiving servers what to do when a message fails SPF or DKIM authentication. It also enables reporting so you can monitor who is sending email from your domain.
Type: TXT
Name: _dmarc
Value: v=DMARC1; p=quarantine; pct=100; adkim=s; aspf=s;
Policy options:
p=none — monitor only, no action taken on failures
p=quarantine — failed messages go to spam
p=reject — failed messages are rejected outright
For cold email domains, p=quarantine is a reasonable starting point. It protects against spoofing without being aggressive enough to cause problems during the initial DNS propagation window.
Microsoft 365 service records
These records do not affect email sending or deliverability. They complete the domain’s setup within the Microsoft 365 ecosystem, covering device management, client autodiscovery, and domain verification. Microsoft generates them as part of the standard domain verification flow, and they should be added alongside your mail records.
Domain verification
Type: TXT
Name: @
Value: MS=msXXXXXXXX
A one-time verification record Microsoft uses to confirm you own the domain. Unique to your tenant.
Autodiscover
Type: CNAME
Name: autodiscover
Value: autodiscover.outlook.com
Allows Outlook and other Microsoft mail clients to automatically detect the correct server settings for the domain.
Enterprise enrollment
Type: CNAME
Name: enterpriseenrollment
Value: enterpriseenrollment-s.manage.microsoft.com
Enterprise registration
Type: CNAME
Name: enterpriseregistration
Value: enterpriseregistration.windows.net
The enrollment and registration records support Microsoft Intune device management. They have no bearing on email, but adding them means the domain is fully configured from Microsoft’s standpoint.
Adding records to your registrar
The process varies slightly by registrar, but the general steps are the same:
- Log into your registrar’s DNS management panel
- Navigate to the DNS records for your domain
- Add each record using the values TenantCore generated
- Save and wait for propagation
Verifying your records
After propagation, verify your records are resolving correctly:
DNS propagation is typically complete within 30 minutes for most registrars, but can take up to 48 hours. If records are not resolving after a few hours, confirm the values were entered correctly at your registrar.
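A sketch of what to check in the lookup results, added here as an example and not part of TenantCore. It audits resolver answers against the mail record values shown on this page; the function names and the sample answers are constructed, and the input is assumed to be in the form a tool such as `dig +short` prints.

```python
def txt(answers, name, prefix):
    """TXT strings at `name` that start with `prefix`, quotes stripped."""
    found = [t.strip('"') for t in answers.get((name, "TXT"), [])]
    return [t for t in found if t.lower().startswith(prefix)]


def dmarc_tags(record):
    """Split 'v=DMARC1; p=quarantine; ...' into a {tag: value} dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}


def audit(domain, answers):
    """List problems in `answers`, a map of (name, type) to resolver output."""
    problems = []
    mx = answers.get((domain, "MX"), [])
    if not any(m.rstrip(".").lower().endswith(".mail.protection.outlook.com") for m in mx):
        problems.append("MX: no mail.protection.outlook.com target")
    spf = txt(answers, domain, "v=spf1")
    if len(spf) != 1:
        problems.append(f"SPF: expected 1 record, found {len(spf)}")
    elif "include:spf.protection.outlook.com" not in spf[0].lower().split():
        problems.append("SPF: Microsoft 365 include missing")
    for sel in ("selector1", "selector2"):  # both selectors must resolve
        cname = answers.get((f"{sel}._domainkey.{domain}", "CNAME"), [])
        if not any(c.rstrip(".").lower().endswith(".onmicrosoft.com") for c in cname):
            problems.append(f"DKIM: {sel} CNAME missing")
    dmarc = txt(answers, f"_dmarc.{domain}", "v=dmarc1")
    policy = dmarc_tags(dmarc[0]).get("p") if len(dmarc) == 1 else None
    if policy not in ("quarantine", "reject"):
        problems.append(f"DMARC: policy is {policy}, not quarantine or reject")
    return problems


# Constructed lookup results for a half-finished setup (not real DNS data).
BROKEN = {
    ("yourdomain.com", "MX"): ["0 yourdomain-com.mail.protection.outlook.com."],
    ("yourdomain.com", "TXT"): ['"MS=msXXXXXXXX"',
                                '"v=spf1 include:_spf.example.net ~all"',
                                '"v=spf1 include:spf.protection.outlook.com -all"'],
    ("selector1._domainkey.yourdomain.com", "CNAME"):
        ["selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com."],
    ("_dmarc.yourdomain.com", "TXT"): ['"v=DMARC1; p=none;"'],
}
```

For the sample above, `audit("yourdomain.com", BROKEN)` reports the duplicate SPF record, the missing selector2 CNAME and the monitor-only DMARC policy.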