Microsoft 365 DNS records - what do they do?
CNAME records
- enterpriseenrollment → For Intune/Entra: helps computers and mobiles with automatic enrolment.
- enterpriseregistration → For Azure AD/Entra: registers devices and ensures single sign-on (SSO).
- lyncdiscover & sip → For Teams/Skype for Business: finds the right servers and handles login via SIP.
MX record
- Routes all incoming mail to Microsoft 365 Exchange Online, so that mail is protected from spam and delivered correctly. The MX record points to *.mail.protection.outlook.com so that sending servers can find the correct mail server.
TXT records
- Confirm that you own the domain. SPF, also published as a TXT record, helps with security so that your domain is not abused to send email. Without SPF, emails sent via SMTP may be marked as spam or rejected.
SRV records
- _sip._tls → Ensures secure connection to Teams/Skype for Business via TLS.
- _sipfederationtls._tcp → Enables communication with other organisations' Teams/Skype systems (federation).
Most of these records are managed automatically, but it's good to understand what they mean if you want full insight into how the system works.
What about SMTP for sending emails?
SMTP is used to send mail from your account to a server. DNS records do not enable SMTP, but MX and SPF records help the recipient validate and accept the mail without marking it as spam.
When talking about email security, there are two other things to consider.
DKIM (DomainKeys Identified Mail)
- DKIM uses a cryptographic signature that is added to all outgoing emails.
- The recipient's server can verify that the email really comes from your domain and has not been modified along the way.
- DKIM requires TXT/CNAME records in DNS that contain the public key.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
- DMARC builds on top of SPF and DKIM.
- It tells the recipient's server what to do if an email fails SPF or DKIM checks (e.g. reject or mark as spam).
- DMARC is configured as a TXT record in DNS.
- It also provides reports so you can see if someone is trying to send fake emails from your domain.
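The SPF and DMARC TXT records described above can be audited for weak settings once their values have been looked up. The following Python is an added example, not part of the original page or any Microsoft tooling; the function names, the example.com zone data and the MS=ms00000000 verification value are constructed assumptions.

```python
# Added example: offline audit of SPF and DMARC TXT records (standard library only).
# Every record value below is a constructed sample for example.com.

def parse_tags(record):
    """Split a DMARC-style 'k=v; k=v' TXT value into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def audit_spf(txt_values):
    """Findings for the TXT values published at the domain itself."""
    spf = [v for v in txt_values if v.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"SPF: expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].split()
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        redirected = any(t.lower().startswith("redirect=") for t in terms)
        return [] if redirected else ["SPF: no 'all' term, unlisted senders are not failed"]
    if all_term.startswith("-"):
        return []
    return [f"SPF: '{all_term}' does not fail unlisted senders, '-all' does"]

def audit_dmarc(txt_values):
    """Findings for the TXT values published at _dmarc.<domain>."""
    dmarc = [v for v in txt_values if v.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return [f"DMARC: expected exactly one v=DMARC1 record, found {len(dmarc)}"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} leaves failing mail delivered as normal")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports are not sent to you")
    return findings

def audit_domain(domain, zone):
    """zone maps a DNS name to the TXT strings already looked up for it."""
    return audit_spf(zone.get(domain, [])) + audit_dmarc(zone.get("_dmarc." + domain, []))

# Constructed zones: a weak configuration beside a hardened one.
WEAK = {"example.com": ["MS=ms00000000", "v=spf1 include:spf.protection.outlook.com ~all"],
        "_dmarc.example.com": ["v=DMARC1; p=none"]}
HARDENED = {"example.com": ["MS=ms00000000", "v=spf1 include:spf.protection.outlook.com -all"],
            "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]}

if __name__ == "__main__":
    for label, zone in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_domain("example.com", zone) or "no findings")
```

The code performs no DNS lookups itself; pass it the TXT values returned by your own resolver for the domain and for _dmarc.<domain>.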