Microsoft 365 DNS Setup — Complete Guide to MX, SPF, DKIM, DMARC & Autodiscover
Getting DNS right is the most critical step in any Microsoft 365 setup. Without the correct records, email will not deliver, Outlook will not connect automatically, and your messages will land in spam. This guide covers every DNS record Microsoft 365 requires — including step-by-step instructions for adding them in cPanel's Zone Editor, plus a full troubleshooting section for common DNS errors.
Need help setting this up?
If you'd rather not deal with the technical side, we can fully set up and manage your Microsoft 365 for you — including email, DNS, and ongoing support.
DNS Records Required for Microsoft 365
| Record | Type | Purpose |
|---|---|---|
| MX | MX | Routes inbound email to Microsoft 365 |
| SPF | TXT | Authorises Microsoft 365 to send email on behalf of your domain |
| DKIM (2 × CNAME) | CNAME | Cryptographically signs outgoing email to prevent spoofing |
| DMARC | TXT | Tells receiving servers what to do with email that fails SPF/DKIM |
| Autodiscover | CNAME | Allows Outlook and mobile apps to configure automatically |
| Domain verification | TXT | One-time record to prove ownership of the domain to Microsoft |
Step 1 — Domain Verification
Before Microsoft 365 will accept email for your domain, you must prove you own it.
- Sign in to admin.microsoft.com → Settings → Domains.
- Click Add domain and enter your domain name.
- Microsoft provides a TXT record to add to your DNS. It looks like:
Type: TXT
Host / Name: @ (or your domain name)
Value: MS=msXXXXXXXX
- Add this TXT record in cPanel → Zone Editor → + TXT Record.
- Wait 5–15 minutes for DNS propagation, then return to the admin centre and click Verify.
Step 2 — MX Record (Email Routing)
The MX record directs all incoming email to Microsoft 365 mail servers.
- In the Microsoft 365 admin centre domain setup wizard, you will be given your MX record value. It takes this format:
Type: MX
Host / Name: @ (root of domain)
Value: yourdomain-co-uk.mail.protection.outlook.com
Priority: 0
- In cPanel → Zone Editor, delete any existing MX records pointing to your hosting server, then add the new Microsoft 365 MX record.
- Set priority to 0 (highest priority).
Important: Once you change the MX record, email stops flowing to your cPanel/hosting mailboxes and routes to Microsoft 365 instead. Ensure all mailboxes are created in Microsoft 365 before switching.
Step 3 — SPF Record
SPF (Sender Policy Framework) tells receiving mail servers that Microsoft 365 is authorised to send email from your domain.
Type: TXT
Host / Name: @ (root of domain)
Value: v=spf1 include:spf.protection.outlook.com -all
Add this in cPanel → Zone Editor → + TXT Record.
If you send email from other services too (e.g. a CRM or mailing platform), add their include values before the -all. For example:
v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all
Warning: Only one SPF record can exist per domain. If one already exists, edit it rather than adding a new one — multiple SPF records cause delivery failures.
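The checks described in this step can be run against the TXT records at the domain root before they are published. The following is an added example, not code from this guide or from Microsoft; the function name `lint_spf` and the sample records are constructed for illustration, and the lookup count covers only the record's own terms.

```python
import re

# Terms that each cost one DNS lookup when a receiver evaluates the record (RFC 7208).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(txt_records, required_include="spf.protection.outlook.com"):
    """Return a list of problems in the TXT records published at the domain root."""
    spf = [r.strip() for r in txt_records
           if r.strip().lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records published; merge them into one"]
    terms = spf[0].lower().split()[1:]
    problems, includes, lookups, terminated = [], [], 0, False
    for pos, term in enumerate(terms):
        m = re.match(r"([+\-~?]?)([a-z][a-z0-9]*)(?:[:=](\S+))?", term)
        if not m:
            problems.append(f"unparseable term {term!r}")
            continue
        qualifier, name, arg = m.groups()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "include":
            includes.append(arg)
        if name in ("all", "redirect"):
            terminated = True
        if name == "all":
            if qualifier != "-":
                problems.append(f"{term!r} does not hard-fail other senders; use -all")
            if pos != len(terms) - 1:
                problems.append("terms after 'all' are never evaluated")
    if not terminated:
        problems.append("record has neither an 'all' term nor a redirect")
    if required_include not in includes:
        problems.append(f"missing include:{required_include}")
    # Only this record's own terms are counted; nested includes add more lookups.
    if lookups > 10:
        problems.append(f"{lookups} lookup terms exceed the SPF limit of 10")
    return problems

# Constructed sample records, using the values shown in this guide.
GOOD = ["MS=msXXXXXXXX",
        "v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all"]
DUPLICATE = GOOD + ["v=spf1 include:sendgrid.net -all"]
SOFT = ["v=spf1 include:sendgrid.net ~all"]

if __name__ == "__main__":
    for label, records in (("good", GOOD), ("duplicate", DUPLICATE), ("soft", SOFT)):
        print(label, lint_spf(records))
```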
Step 4 — DKIM
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your outgoing email. Recipients use it to verify the email genuinely came from your domain.
- Go to admin.exchange.microsoft.com → Mail flow → DKIM.
- Select your domain and click Enable.
- Microsoft generates two CNAME records. Add both to your DNS in cPanel → Zone Editor → + CNAME Record:
selector1._domainkey.yourdomain.co.uk → selector1-yourdomain-co-uk._domainkey.yourdomain.onmicrosoft.com
selector2._domainkey.yourdomain.co.uk → selector2-yourdomain-co-uk._domainkey.yourdomain.onmicrosoft.com
- Wait for DNS to propagate (up to 24 hours), then return to the DKIM page and click Enable again.
- The status will show as Enabled once DKIM signing is active.
Step 5 — DMARC
DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving mail servers how to handle email that fails SPF or DKIM checks.
Start with monitoring mode
Type: TXT
Host / Name: _dmarc.yourdomain.co.uk
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.co.uk
p=none means take no action — you receive reports but email is not blocked. Use this for the first 2–4 weeks to check all legitimate email sources are passing SPF and DKIM.
Move to enforcement
Once you are confident all legitimate email is passing, increase the policy:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.co.uk
p=quarantine sends failing emails to the recipient's spam folder. When you are ready for full enforcement:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.co.uk
p=reject causes receiving servers to refuse email that fails authentication outright — the strongest protection against spoofing.
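To track where a domain sits in the rollout above, the published record can be parsed and graded. This is an added example, not code from this guide; `assess_dmarc` and the sample records are constructed, and it goes slightly beyond the three records shown by also checking the standard `pct` and `sp` tags, which can quietly weaken an enforcing policy.

```python
ORDER = ["none", "quarantine", "reject"]          # weakest to strongest policy
STAGE = {"none": "monitoring", "quarantine": "quarantine", "reject": "full enforcement"}

def parse_dmarc(record):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def assess_dmarc(txt_records):
    """Return (stage, problems) for the TXT records found at _dmarc.<domain>."""
    policies = [r for r in txt_records if parse_dmarc(r)[:1] == [("v", "DMARC1")]]
    if len(policies) != 1:
        return "no policy", [f"expected exactly one DMARC record, found {len(policies)}"]
    tags = dict(parse_dmarc(policies[0]))
    policy = tags.get("p", "").lower()
    if policy not in ORDER:
        return "no policy", [f"missing or invalid p= value {policy!r}"]
    problems = []
    if not tags.get("rua", "").lower().startswith("mailto:"):
        problems.append("no rua=mailto: address, so no aggregate reports arrive")
    pct = tags.get("pct", "100")                  # pct defaults to 100
    if not pct.isdigit() or int(pct) > 100:
        problems.append(f"invalid pct={pct}")
    elif policy != "none" and int(pct) < 100:
        problems.append(f"pct={pct}: {policy} applies to only part of failing mail")
    sp = tags.get("sp", policy).lower()           # sp defaults to the p= value
    if sp in ORDER and ORDER.index(sp) < ORDER.index(policy):
        problems.append(f"sp={sp}: subdomains are protected less than the main domain")
    return STAGE[policy], problems

# Constructed sample records based on the values shown in this guide.
RUA = "rua=mailto:dmarc-reports@yourdomain.co.uk"
MONITOR = [f"v=DMARC1; p=none; {RUA}"]
PARTIAL = [f"v=DMARC1; p=quarantine; pct=25; {RUA}"]
WEAK = ["v=DMARC1; p=reject; sp=none"]

if __name__ == "__main__":
    for records in (MONITOR, PARTIAL, WEAK, MONITOR + PARTIAL):
        print(assess_dmarc(records))
```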
Step 6 — Autodiscover CNAME
Autodiscover allows Outlook and mobile email apps to configure themselves automatically when a user enters their email address and password.
Type: CNAME
Host / Name: autodiscover.yourdomain.co.uk
Value: autodiscover.outlook.com
Without this record, users must enter server settings manually when setting up Outlook or mobile email clients.
Verifying Your DNS in the Admin Centre
- Go to admin.microsoft.com → Settings → Domains.
- Click your domain name.
- The DNS records tab shows the status of every required record — green ticks indicate all is correct.
- If any record shows a warning, click it for details on what is wrong.
DNS Propagation
DNS changes are not instant — they spread across global DNS servers over time.
| Change Type | Typical Propagation Time |
|---|---|
| TXT records (SPF, DMARC, verification) | 5 minutes – 1 hour |
| CNAME records (DKIM, Autodiscover) | 15 minutes – 4 hours |
| MX records (email routing) | 1 hour – 48 hours |
Check propagation status using mxtoolbox.com — search for your domain's MX or TXT records to see what different DNS resolvers are returning globally.
Troubleshooting DNS Issues
Email still going to old hosting server after MX change
- MX records can take up to 48 hours to propagate. Check mxtoolbox.com to see if your new MX is visible globally.
- Confirm the old MX record pointing to your cPanel server has been deleted — duplicate MX records cause unpredictable routing.
DKIM enable button still greyed out after adding CNAME records
- DNS propagation may not be complete. Wait up to 24 hours and try again.
- Verify the CNAME records are correct: use mxtoolbox.com SuperTool → CNAME lookup for selector1._domainkey.yourdomain.co.uk.
- Check for a trailing full stop at the end of the CNAME value in cPanel — some DNS editors require it, some do not.
Emails going to spam despite SPF/DKIM being set
- Check DMARC is configured — without DMARC, some receiving servers still apply strict filtering.
- Confirm SPF only has one record and the syntax is valid: use mxtoolbox.com SPF checker.
- Check if your domain or sending IP is on any blocklists: mxtoolbox.com Blacklist Check.
Autodiscover not working — Outlook asking for server settings
- Confirm the CNAME record for autodiscover resolves to autodiscover.outlook.com.
- In Outlook 2016+, hold Ctrl and right-click the Outlook icon in the system tray → Test Email AutoConfiguration to see exactly where it is looking.
- If the domain has an SRV record pointing to a different autodiscover server, it may override the CNAME. Remove it if it is no longer needed.
Microsoft 365 domain verification failing
- Ensure the TXT verification record has fully propagated before clicking Verify.
- Some DNS providers strip the @ symbol — try entering the full domain name instead.
- Check for extra spaces in the record value.
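Several of the problems above (a leftover hosting MX, a missing DKIM selector, a trailing full stop or `@` that hides a match) can be caught by comparing a zone export with the record formats this guide shows. This is an added example, not part of the original guide; `audit_zone`, the `tenant` parameter (the prefix of your onmicrosoft.com name) and the sample zone are constructed, and the values the admin centre displays for your domain take precedence over the derived ones.

```python
def clean_host(value):
    """Lower-case a hostname and drop the trailing full stop some editors add."""
    return value.strip().lower().rstrip(".")

def full_name(name, domain):
    """Expand '@' and names entered relative to the zone into full names."""
    name = clean_host(name)
    if name == "@":
        return domain
    return name if name.endswith(domain) else f"{name}.{domain}"

def expected_records(domain, tenant):
    """Record values in the formats this guide shows for MX, DKIM and Autodiscover."""
    dashed = domain.replace(".", "-")
    expected = {
        ("MX", domain): f"{dashed}.mail.protection.outlook.com",
        ("CNAME", f"autodiscover.{domain}"): "autodiscover.outlook.com",
    }
    for n in (1, 2):
        expected[("CNAME", f"selector{n}._domainkey.{domain}")] = (
            f"selector{n}-{dashed}._domainkey.{tenant}.onmicrosoft.com")
    return expected

def audit_zone(domain, tenant, records):
    """Compare (type, name, value) rows from a zone export with the expected set."""
    domain = clean_host(domain)
    found = {}
    for rtype, name, value in records:
        key = (rtype.upper(), full_name(name, domain))
        found.setdefault(key, []).append(clean_host(value))
    findings = []
    for (rtype, name), want in expected_records(domain, tenant).items():
        have = found.get((rtype, name), [])
        if want not in have:
            findings.append(f"{rtype} {name}: missing, expected {want}")
        findings += [f"{rtype} {name}: unexpected value {v}" for v in have if v != want]
    return findings

# Constructed zone export: stale hosting MX left in place, selector2 never added.
ZONE = [
    ("MX", "@", "yourdomain-co-uk.mail.protection.outlook.com."),
    ("MX", "@", "mail.yourdomain.co.uk."),
    ("CNAME", "selector1._domainkey",
     "selector1-yourdomain-co-uk._domainkey.yourdomain.onmicrosoft.com"),
    ("CNAME", "autodiscover.yourdomain.co.uk.", "Autodiscover.Outlook.com."),
]

if __name__ == "__main__":
    print("\n".join(audit_zone("yourdomain.co.uk", "yourdomain", ZONE)))
```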
