Skip to main content

HostBible: Set up Microsoft 365 (M365) DNS records

Microsoft 365 / Office 365 email setup in cPanel

C
Written by Christopher Handscomb
Updated over 3 months ago

What you’ll achieve

You’ll add the correct Microsoft 365 DNS records (verification TXT, MX, SPF, Autodiscover CNAME, DKIM CNAMEs, and optional Intune/SRV records) inside cPanel’s Zone Editor so mail and Outlook/Teams services work with your domain. You’ll then verify everything in the Microsoft 365 admin center. cPanel & WHM DocumentationMicrosoft Learn

Before you start

  • You must have:
    – cPanel access for the domain’s active DNS zone (i.e., the domain is using nameservers that your cPanel manages).
    – Microsoft 365 Global/Domain Admin access to view your tenant‑specific DNS values. Get them in Microsoft 365 admin center → Settings → Domains → your domain. Microsoft Learn

  • DNS changes typically register within ~15 minutes, but some can take longer to propagate; Intune and DKIM checks can take hours to a couple of days to be detected. Microsoft Learn+2Microsoft Learn+2

Step 1 — Collect your Microsoft 365 DNS values

In the Microsoft 365 admin center, open Settings → Domains → your domain and copy the required records shown there (TXT for verification, MX, SPF TXT, CNAMEs, SRV where applicable). You’ll paste these values into cPanel. Microsoft Learn

Tip: Microsoft provides the exact, tenant‑specific MX host (e.g., XXXXXX.mail.protection.outlook.com) and will show if you also need optional records (Intune CNAMEs, SRV for federation, etc.). It also notes that Exchange Online MX TTL must be < 6 hours; a TTL of 3600 is commonly used. Microsoft Learn

Step 2 — Open cPanel’s Zone Editor

  1. Log in to cPanel.

  2. Go to Domains → Zone Editor.

  3. Click Manage next to your domain.

  4. Use + Add Record (or the arrow to pick TXT, MX, CNAME, SRV, etc.).

    • cPanel automatically appends your domain to the Name you enter (so type just autodiscover, not autodiscover.example.com). cPanel & WHM Documentation

Step 3 — Add the required records

A) Domain verification TXT (one‑time)

  • Type: TXT

  • Name/Host: @ (or leave blank if your UI requires)

  • Value: MS=ms######## (exact string from Microsoft 365)

  • TTL: 3600
    After saving, return to the Microsoft 365 Domains page and Verify. (If it isn’t found yet, wait and try again.) Microsoft Learn

B) MX — Route mail to Exchange Online

  • Type: MX

  • Name/Host: @

  • Priority: Microsoft recommends the highest priority, typically 0

  • Destination/Points to: your tenant value like xxxxxx.mail.protection.outlook.com

  • TTL: 3600 (Exchange Online supports TTL < 6 hours)
    Remove any old MX records pointing to your previous mail host once you’re ready to go live. Microsoft Learn+1

C) SPF — Help prevent spoofing

  • Type: TXT

  • Name/Host: @

  • Value (common for Exchange Online only):
    v=spf1 include:spf.protection.outlook.com -all

  • TTL: 3600

You can have only one SPF TXT record per domain. If you already have one, merge the Microsoft include instead of creating a second SPF record. Microsoft also notes SPF lookups must stay under 10. Microsoft Learn

D) Autodiscover — Outlook profile auto‑configuration

  • Type: CNAME

  • Name/Host: autodiscover

  • Points to: autodiscover.outlook.com

  • TTL: 3600
    This enables Outlook/Exchange clients to find the right service automatically. Microsoft Learn

E) DKIM — Sign your outbound mail (recommended)

  1. In Microsoft Defender portal → Email authentication → DKIM, choose your custom domain and enable DKIM. If CNAMEs aren’t published yet, Microsoft will show you two CNAMEs to add (selectors selector1._domainkey and selector2._domainkey) with your tenant‑specific targets.

  2. In cPanel, add both CNAMEs exactly as shown.

    • Hostnames: selector1._domainkey and selector2._domainkey

    • Points to: the values shown in Defender (e.g., the new 2025 format selector1-contoso-com._domainkey.<tenant>.<char>-v1.dkim.mail.microsoft) or the older …._domainkey.<tenant>.onmicrosoft.com depending on your tenant.

  3. Wait for detection, then toggle Sign messages for this domain to Enabled. Detection can take minutes to a few days depending on DNS. Microsoft Learn

Why two DKIM CNAMEs? Microsoft keeps one selector active and the other for future key rotation — both must exist. Microsoft Learn

F) Optional: Intune CNAMEs for device enrollment (Windows)

If using Intune and you want auto‑discovery for enrollment:

  • Type: CNAME — Name: enterpriseenrollmentPoints to: enterpriseenrollment-s.manage.microsoft.com

  • Type: CNAME — Name: enterpriseregistrationPoints to: enterpriseregistration.windows.net

  • TTL: 3600
    (Microsoft notes these are optional, and changes can take up to 72 hours to propagate.) Microsoft Learn

G) Optional: SRV records for SIP federation (legacy/advanced scenarios)

Only if you specifically need SIP federation (Teams/Skype interoperability, certain hybrid scenarios):

  • Type: SRV — Service: _sipfederationtls Protocol: _tcp Priority: 100 Weight: 1 Port: 5061 Target: sipfed.online.lync.com
    Add only when required. Microsoft Learn

Step 4 — Common cPanel entry patterns (what to type)

  • Root (@) vs full name: For records at the root, use @. For subdomains (like autodiscover or selector1._domainkey), type only the label; cPanel appends the domain for you. cPanel & WHM Documentation

  • TTL: 3600 (1 hour) is a safe default for Microsoft 365 guidance; Microsoft notes Exchange Online MX requires TTL < 6 hours. Microsoft Learn

  • Conflicts: Do not publish duplicate SPF records; remove obsolete MX records after cutover; avoid having an autodiscover A record if you’re pointing the CNAME at Microsoft (keep the CNAME). Microsoft Learn

Step 5 — Verify and test

  1. Back in Microsoft 365 admin center → Settings → Domains, run the domain checker (“Fix issues”/“Check DNS”) until all records show OK. Microsoft Learn

  2. For mail flow, send a test from an external mailbox and confirm delivery.

  3. (Optional) CLI checks from your computer:

    • nslookup -type=mx yourdomain.com

    • nslookup -type=txt yourdomain.com (verify SPF/DKIM)

    • nslookup autodiscover.yourdomain.com (CNAME to Microsoft)

Propagation reminder: TXT/MX/CNAME changes often apply within ~15 minutes, but some providers cache longer. Intune/DKIM detection can take longer; Microsoft calls out up to 72 hours for some Intune checks, and DKIM detection can be “a few minutes to as many as 4 days,” depending on DNS. Microsoft Learn+2Microsoft Learn+2

(Recommended) Add DMARC once SPF + DKIM are in place

After SPF and DKIM, publish a DMARC TXT at _dmarc.yourdomain.com. Start with a monitoring policy and tighten over time as appropriate for your org. See Microsoft’s DMARC setup guidance. Microsoft Learn

Example (monitoring):
v=DMARC1; p=none; rua=mailto:[email protected]; adkim=s; aspf=s

Quick reference — Typical M365 records you’ll add in cPanel

Purpose

Type

Name/Host

Value / Points to

Priority / Port / Etc.

TTL

Verify domain

TXT

@

MS=ms######## (from M365)

3600

Mail routing

MX

@

<your‑tenant>.mail.protection.outlook.com

Priority: 0 (highest)

3600

SPF

TXT

@

v=spf1 include:spf.protection.outlook.com -all

3600

Autodiscover

CNAME

autodiscover

autodiscover.outlook.com

3600

DKIM selector 1

CNAME

selector1._domainkey

Use exact target shown in Defender (new format ends with .dkim.mail.microsoft)

3600

DKIM selector 2

CNAME

selector2._domainkey

Use exact target shown in Defender

3600

(Optional) Intune enroll

CNAME

enterpriseenrollment

enterpriseenrollment-s.manage.microsoft.com

3600

(Optional) Intune register

CNAME

enterpriseregistration

enterpriseregistration.windows.net

3600

(Optional) SIP federation

SRV

_sipfederationtls._tcp

sipfed.online.lync.com

Priority 100, Weight 1, Port 5061

3600

Microsoft Learn+3Microsoft Learn+3Microsoft Learn+3

Troubleshooting & best practices

  • Only one SPF: If you already have an SPF record, merge Microsoft’s include; don’t add a second SPF TXT. Keep total SPF DNS lookups ≤ 10. Microsoft Learn

  • Old MX removed: Once you switch, remove old MX records to avoid unpredictable routing. Microsoft Learn

  • Autodiscover works best with CNAME: Ensure autodiscover is a CNAME to Microsoft, not an A record to somewhere else. Microsoft Learn

  • Use cPanel’s Zone Editor correctly: Enter only the host label (cPanel appends the domain), pick the correct type, and save; edit/remove conflicting entries via Manage Zone. cPanel & WHM Documentation

Need a hand?

If you’re hosted with HostBible and unsure which nameservers your domain uses or where your DNS is managed, contact HostBible Support. We’ll confirm whether you should add these records in cPanel or at an external DNS provider (Cloudflare, registrar, etc.), and help you avoid downtime.

Sources

  • Microsoft: How to add and verify Microsoft 365 DNS records; MX priority/TTL guidance; SPF example. Microsoft Learn

  • Microsoft: Reference list of external DNS records (Autodiscover CNAME, MX, SPF; SIP federation SRV). Microsoft Learn

  • Microsoft Defender for Office 365: DKIM CNAME syntax and new 2025 format; detection timing. Microsoft Learn

  • Microsoft Intune: EnterpriseEnrollment/EnterpriseRegistration CNAMEs; 72‑hour propagation note. Microsoft Learn

  • cPanel Docs: Using Zone Editor to add/edit TXT, MX, CNAME, SRV; how cPanel appends the domain to the Name field. cPanel & WHM Documentation

  • Microsoft: DMARC setup overview. Microsoft Learn

Related Articles
DKIM & DMARC: what they are, and what you need to do
Set up your email client (Outlook, Apple Mail, iPhone/Android) for a HostBible cPanel mailbox
Use HostBible nameservers (ns1.hosted-server.net & ns2.hosted-server.net)
HostBible: Set up Google Workspace (formerly “G Suite”) email: create DNS records
HostBible: Set up an Email Account & Use Webmail (cPanel)
Did this answer your question?