Set up a custom domain in Office 365

Adding your company domain to Microsoft 365 is the first real configuration step after tenant creation — without it, every user is stuck at first.last@yourtenant.onmicrosoft.com, which looks amateur in client emails. The DNS changes are straightforward but the exact record set has evolved: in 2026, MX, Autodiscover, SPF, DKIM, and DMARC are the minimum viable setup for deliverability.

This guide walks through the full add-domain process with the current Entra ID admin flow, and the PowerShell equivalent for IaC-driven tenants.

The DNS records you’ll need

Record                      | Purpose                                          | Required?
TXT verification            | Proves you own the domain to Microsoft           | Yes (one-time)
MX                          | Routes inbound mail to Exchange Online           | Yes, if using Exchange
CNAME autodiscover          | Lets Outlook auto-configure profiles             | Yes, for Outlook
CNAME selector1, selector2  | DKIM signing keys for outbound mail              | Yes (deliverability)
TXT SPF                     | Lists who's allowed to send as your domain       | Yes (deliverability)
TXT DMARC                   | Policy for SPF/DKIM failures                     | Yes as of Feb 2024 for bulk senders (Google/Yahoo)
CNAME sip, lyncdiscover     | Skype for Business / Teams federation            | Only if using SfB federation
SRV sip, sipfederationtls   | Teams federation                                 | Optional (Teams works without)

Step 1 — Add the domain in Entra ID

Portal: admin.microsoft.com → Settings → Domains → Add domain → enter contoso.com. Microsoft returns a TXT record you add to your public DNS zone to verify ownership.

PowerShell equivalent via the Microsoft Graph SDK:

Connect-MgGraph -Scopes "Domain.ReadWrite.All"

# Add the domain (Entra ID returns a verification TXT record)
$domain = New-MgDomain -Id "contoso.com"

# Get the verification record to add to your public DNS
Get-MgDomainVerificationDnsRecord -DomainId "contoso.com" |
    Select-Object RecordType, Label, Text, Ttl

# Once you've added the TXT record in your DNS, verify the domain
Confirm-MgDomain -DomainId "contoso.com"

Step 2 — Add the service DNS records

Once verified, Microsoft shows you the exact records for your domain. Here’s a typical complete zone:

# Inbound mail - route to Exchange Online
contoso.com.  MX  0  contoso-com.mail.protection.outlook.com.

# Outlook autodiscover
autodiscover.contoso.com.  CNAME  autodiscover.outlook.com.

# DKIM signing (tenant-specific selector values from the admin portal)
selector1._domainkey.contoso.com.  CNAME  selector1-contoso-com._domainkey.tenant.onmicrosoft.com.
selector2._domainkey.contoso.com.  CNAME  selector2-contoso-com._domainkey.tenant.onmicrosoft.com.

# SPF - lists authorized senders (adjust if you use other SaaS senders)
contoso.com.  TXT  "v=spf1 include:spf.protection.outlook.com -all"

# DMARC policy - REQUIRED since Feb 2024 for bulk senders to Google/Yahoo users
_dmarc.contoso.com.  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@contoso.com; pct=100"

Step 3 — Enable DKIM signing in Exchange Online

Publishing the DKIM CNAMEs is not enough — you must enable signing on the tenant side:

Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Create the DKIM signing config for the domain (2048-bit key pair) and enable signing.
# Enabling fails until both selector CNAMEs resolve; use Rotate-DkimSigningConfig for later key rotation.
New-DkimSigningConfig -DomainName "contoso.com" -KeySize 2048 -Enabled $true

# Verify DKIM is signing
Get-DkimSigningConfig -Identity "contoso.com" |
    Select-Object Domain, Enabled, Selector1KeyStatus, Selector2KeyStatus

Step 4 — Verify deliverability end-to-end

# Send a test email to an external mailbox you control.
# Requires SMTP AUTH (client submission) to be enabled for the sending mailbox;
# it is disabled by default in new tenants.
Send-MailMessage -From "test@contoso.com" -To "you.personal@gmail.com" `
  -Subject "Deliverability test" -Body "Checking SPF/DKIM/DMARC" `
  -SmtpServer smtp.office365.com -Port 587 -UseSsl -Credential (Get-Credential)

# In Gmail, open the received message and click "Show original"
# You should see:
#   SPF: PASS with IP ...
#   DKIM: PASS with domain contoso.com
#   DMARC: PASS

# Or use the command line:
nslookup -type=TXT _dmarc.contoso.com
nslookup -type=CNAME selector1._domainkey.contoso.com

Wintive take: DMARC policy progression

DMARC has three enforcement levels. Progress through them over weeks, not all at once:

  1. Week 1–4: p=none with rua reporting. Collects data without affecting delivery. Review reports.
  2. Week 4–8: p=quarantine; pct=25 then 50, 75, 100. Quarantines only unauthorized mail.
  3. Week 8+: p=reject. Only authorized senders deliver. The goal state.

Jumping straight to p=reject on day 1 without checking reports is how legitimate third-party senders (your CRM, HR tool, monitoring alerts) suddenly go undelivered. The reports from p=none tell you who else sends as your domain — include them in SPF before you enforce.
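The following script is an added example, not code from the original guide or from Wintive. It audits the records Steps 2 to 4 call for on a verified domain (MX, Autodiscover and DKIM CNAMEs, SPF, DMARC) and reports where the DMARC policy sits on the p=none → quarantine → reject progression described above. It assumes Resolve-DnsName from the DnsClient module (Windows PowerShell 5.1 or PowerShell 7 on Windows); contoso.com and the resolver address are placeholders.

```powershell
# Added example (not from the original guide or from Wintive). Audits the records
# Steps 2-4 call for on a verified Microsoft 365 domain and reports where the
# DMARC policy sits on the p=none -> quarantine -> reject progression.
# Assumes Resolve-DnsName from the DnsClient module (Windows PowerShell 5.1 or
# PowerShell 7 on Windows). contoso.com and the resolver address are placeholders.

function Get-DmarcStage {
    # Parse a DMARC TXT record ("tag=value; tag=value", RFC 7489) and return a
    # one-line assessment of which enforcement stage it represents.
    param([Parameter(Mandatory)][string]$Record)
    $tags = @{}
    foreach ($part in ($Record -split ';')) {
        $kv = $part.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
    }
    if ($tags['v'] -ne 'DMARC1') { return 'INVALID: record must start with v=DMARC1' }
    $pct = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }   # pct defaults to 100
    switch ([string]$tags['p']) {
        'none' {
            if ($tags.ContainsKey('rua')) { return 'Stage 1: p=none with rua. Review the aggregate reports, then move to quarantine.' }
            return 'p=none without rua: nothing is being reported. Add rua=mailto:... before anything else.'
        }
        'quarantine' { return "Stage 2: p=quarantine at pct=$pct. Raise pct to 100, then move to p=reject." }
        'reject' {
            # With p=reject and pct<100, RFC 7489 applies quarantine to the remaining share
            if ($pct -lt 100) { return "Stage 3 (partial): p=reject at pct=$pct; the other $(100 - $pct)% is quarantined." }
            return 'Stage 3: p=reject at pct=100. Goal state.'
        }
        default { return "INVALID: p must be none, quarantine or reject (got '$($tags['p'])')" }
    }
}

function Test-M365DomainDns {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$Resolver = '1.1.1.1'   # a public resolver shows what the internet sees, not an internal split-horizon zone
    )
    $findings = @()
    # Small query helper: ask the public resolver and keep only records of the requested type
    $dns = { param($Name, $Type)
        Resolve-DnsName -Name $Name -Type $Type -Server $Resolver -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq $Type } }

    # MX must be the Exchange Online Protection host the portal issued: <domain-with-dashes>.mail.protection.outlook.com
    $expectedMx = ($Domain -replace '\.', '-') + '.mail.protection.outlook.com'
    $mx = @(& $dns $Domain 'MX')
    $findings += [pscustomobject]@{ Check = 'MX'; Pass = [bool]($mx | Where-Object { $_.NameExchange -eq $expectedMx }); Detail = ($mx.NameExchange -join ', ') }

    # Autodiscover CNAME, plus both DKIM selector CNAMEs (tenant-specific targets, so only their shape is checked)
    $cnameChecks = @(
        @{ Name = "autodiscover.$Domain";         Pattern = 'autodiscover.outlook.com' },
        @{ Name = "selector1._domainkey.$Domain"; Pattern = '*._domainkey.*.onmicrosoft.com' },
        @{ Name = "selector2._domainkey.$Domain"; Pattern = '*._domainkey.*.onmicrosoft.com' }
    )
    foreach ($c in $cnameChecks) {
        $hosts = @(& $dns $c.Name 'CNAME' | ForEach-Object { $_.NameHost })
        $findings += [pscustomobject]@{ Check = "CNAME $($c.Name)"; Pass = [bool]($hosts | Where-Object { $_ -like $c.Pattern }); Detail = ($hosts -join ', ') }
    }

    # SPF: exactly one v=spf1 record (RFC 7208), including EOP and ending in -all as in Step 2
    $spf = @(& $dns $Domain 'TXT' | ForEach-Object { -join $_.Strings } | Where-Object { $_ -like 'v=spf1*' })
    $spfOk = ($spf.Count -eq 1) -and ($spf[0] -match 'include:spf\.protection\.outlook\.com') -and ($spf[0] -match '\s-all$')
    $spfDetail = if ($spf.Count -eq 0) { 'no v=spf1 record' } elseif ($spf.Count -gt 1) { "$($spf.Count) SPF records published; RFC 7208 permits one" } else { $spf[0] }
    $findings += [pscustomobject]@{ Check = 'SPF'; Pass = $spfOk; Detail = $spfDetail }

    # DMARC: v=DMARC1 record at _dmarc, assessed by Get-DmarcStage
    $dmarc = & $dns "_dmarc.$Domain" 'TXT' | ForEach-Object { -join $_.Strings } | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    $dmarcDetail = if ($dmarc) { Get-DmarcStage -Record $dmarc } else { 'no v=DMARC1 record at _dmarc' }
    $findings += [pscustomobject]@{ Check = 'DMARC'; Pass = ([bool]$dmarc -and ($dmarcDetail -notlike 'INVALID*')); Detail = $dmarcDetail }
    return $findings
}

# Usage (placeholder domain). Assess a record before you publish it, then audit the live zone:
Get-DmarcStage -Record 'v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@contoso.com'
Test-M365DomainDns -Domain 'contoso.com' | Format-Table -AutoSize
```

Run it once per progression step: a failing CNAME row means the portal-issued selector values were mistyped (the most common reason "enable DKIM" is greyed out), a second v=spf1 record or a ~all qualifier shows up in the SPF row, and the DMARC row tells you which stage you are actually in rather than which one you think you published.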

Conclusion

A properly configured custom domain takes about an hour: five minutes of admin-portal clicks, twenty minutes of DNS edits, thirty minutes of propagation. The DKIM + SPF + DMARC combination is not optional in 2026 — Google and Yahoo require it for any sender emailing more than a handful of their users, and spam folders are where DMARC-less domains end up.


Verify DNS Records for Your Custom Domain

After adding your domain in the Microsoft 365 admin center, you must add the required DNS records at your domain registrar. Microsoft requires these key records: a TXT record to verify domain ownership, an MX record to route email to Exchange Online, a CNAME for Autodiscover to configure Outlook automatically, and SPF and DKIM records for email authentication. Microsoft validates each record and shows a green checkmark when the configuration is correct.

Add Multiple Domains to Microsoft 365

Organizations with multiple brand names or subsidiaries can add several custom domains to a single Microsoft 365 tenant. Each domain requires its own DNS verification and MX record. Users across all domains share the same Microsoft 365 tenant, apps, and licenses. To set the primary domain for a user, go to Users → select the user → edit their email address. For more advanced domain configuration with Exchange, see our Exchange Online administration guide.

After your domain is verified and email is flowing, enable DKIM signing for your domain from the Microsoft Defender portal → Email & collaboration → Policies & rules → Threat policies → DKIM. This cryptographically signs outbound email and protects your domain reputation. For full email authentication coverage, also configure a DMARC record in your DNS. See our guide on Office 365 email security.
