If we want to use cloud services it is necessary to understand how DNS works. In this specific article I want to write about DNS records which are needed for the mail flow with Exchange online.

Note: I focus in this article the way by using EOP, there are also other solutions we could go with, specially using a hybrid Exchange environment.



MX records (mail exchanger records) are type of certified and verified resource records in the DNS (Domain Name System) that specifies a mail server (like Exchange or Exchange online) responsible for accepting email messages on behalf of a recipient’s domain, and a preference value used to prioritize mail delivery if multiple mail servers are available. The set of MX records of a domain name specifies how email should be routed with SMTP.

In the simplest case, a domain may have just one mail server. In our example we talk about Exchange online. Therefore, if we take a look up for a domain like fabrikam.net, possible result we will receive can be mail.fabrikam.net. We also see the priority of the received lookup results as example 10.

If we do this request by using PowerShell, it could look like this:

In our case we want to use Office 365 to receive all emails addressed to our domain (*@contoso.com) this because we want to use EOP. The records we have to set in our DNS should look like this:

Hostname: contoso-com.mail.protection.outlook.com
Priority: 0
TTL: 1 hour



SPF records (sender policy framework records) are in the end of the day just specially formatted TXT records in the public DNS. The job of SPF records is to make sure, that only the organizations that owns the specific domain is actually sending emails from the domain.

Email spam and phishing often use forged “from” addresses, so publishing and checking SPF records can be considered anti-spam techniques.

Below you can see a schematic view how that works:

The SPF record for an organization’s domain that uses Office 365 to send all their mail should look like the following example:

v=spf1 include:spf.protection.outlook.com -all


You can only have one SPF record per domain. Having multiple SPF records will invalidate all SPF records and cause mail flow problems. The SPF record configuration in the previous example tells the recipient email servers that email sent from Office 365’s IP addresses are authorized for the domain. Because most modern email servers look up at domain’s SPF record before they accept any email from it, it’s important to set up a valid SPF record in DNS when you first set up mail flow.

To check SPF records manually, there are a bulk of free online tools, one of them you can find HERE.



As you can see, the DNS settings for the mail flow over Office 365 are not a rocket scene. If you have already other MX-records configured and you plan to change to the Office 365 services, I can recommend you to set the TTL in time to a lower value. If you do this few days before the migration, it will decrease the time you have to wait for till the new settings will be working.

The settings for the mail flow is just one of the possible settings we can change to use Microsoft services.  If you login to your Office 365 portal, navigate to the Admin portal > Setup > Domains you can see all available domains in your account. (If you want to know how to add new domains to Office 365 by PowerShell, I can recommend you the article HERE on my blog.) If you click here now on one of your domains, you will see a table with all DNS settings you need for the Microsoft services.

I hope this article helped you with DNS messaging understanding. By questions I can recommend you my Telegram channel which you can find HERE.