When you first create a Microsoft 365 account, Microsoft assigns a default domain in the format yourorganisation.onmicrosoft.com. While functional, this address looks unprofessional in email signatures and shared links. Setting up a custom domain — one that matches your business name — is one of the first administrative tasks every organisation should complete.
This guide walks through every step required to connect your domain to Microsoft 365, from adding it in the admin portal to configuring the DNS records that make email delivery and Teams calling work correctly.
Before starting, confirm that you have admin access to both your Microsoft 365 tenant (Global Administrator role) and your domain registrar account, where DNS records are managed.
Step 1: Add the Domain in the Microsoft 365 Admin Centre
Begin by navigating to the Microsoft 365 Admin Centre at admin.microsoft.com. Sign in with your Global Administrator account. From the left-hand navigation panel, expand the Settings section and select Domains.
- On the Domains page, select Add domain in the top-right area of the screen.
- Type your domain name in the field provided — for example, contoso.com — and select Use this domain.
- Microsoft will ask how you want to verify that you own the domain. The recommended method is adding a TXT record to your DNS configuration.
Step 2: Verify Domain Ownership via DNS TXT Record
Microsoft will display a TXT record with a unique verification value. You need to add this record to your domain's DNS configuration through your registrar. Common registrars include GoDaddy, Namecheap, Cloudflare, and Google Domains — each has a slightly different interface, but the process is consistent.
- Log in to your domain registrar's DNS management panel.
- Create a new TXT record. The host or name field should be set to @ (representing the root domain). Paste the verification value Microsoft provided into the value or content field.
- Set the TTL to the default, usually 3600 seconds or one hour.
- Save the record and return to the Microsoft 365 Admin Centre.
- Select Verify. DNS propagation can take anywhere from a few minutes to 48 hours, though most registrars complete this in under 30 minutes.
Do not delete the TXT verification record after setup. Microsoft uses it on an ongoing basis to confirm domain ownership. Removing it can trigger re-verification prompts and service disruptions.
Step 3: Configure DNS Records for Microsoft 365 Services
After verification, Microsoft will display a list of DNS records required to activate email, Teams, and other services. Depending on how your registrar handles DNS, Microsoft may offer to configure these automatically (available for select registrars via the Admin Centre) or you will need to add them manually.
MX Record — Email Routing
The MX record directs incoming email to Microsoft's Exchange Online servers. Add a single MX record with the value provided by Microsoft, which follows the format yourorganisation-com.mail.protection.outlook.com. The priority should be 0 (highest priority). If you have existing MX records pointing elsewhere, remove them to prevent email delivery failures.
CNAME Records
Microsoft requires several CNAME records for services including Autodiscover (for Outlook client configuration), Teams, Exchange ActiveSync, and mobile device management. Each record has a specific host name and destination value shown in the Admin Centre. Add all of them.
SPF TXT Record — Email Authentication
The Sender Policy Framework record tells receiving mail servers which hosts are authorised to send email on behalf of your domain. The value Microsoft requires is:
v=spf1 include:spf.protection.outlook.com -all
If you send email from other services — marketing platforms, CRMs, help desks — you will need to include their authorised senders in this record as well. A domain can have only one SPF record.
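The single-record rule is the one most often broken when a second sending service is added. The following is an added example, not part of the original guide or Microsoft's tooling: it merges extra senders into one record and audits a root TXT set for duplicate SPF records, a missing Microsoft 365 include, the RFC 7208 limit of 10 DNS-querying terms, and a missing -all. The vendor include name and the verification value are constructed placeholders.

```python
import re

M365_INCLUDE = "include:spf.protection.outlook.com"  # value given in this guide
LOOKUP_LIMIT = 10  # RFC 7208 caps DNS-querying terms per SPF evaluation
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)([:/]|$)|^redirect=", re.I)

def build_spf(extra_terms):
    """Merge Microsoft 365 and other senders into one record ending in -all."""
    terms = [M365_INCLUDE]
    for term in extra_terms:
        if term.lower() not in [t.lower() for t in terms]:
            terms.append(term)
    return "v=spf1 " + " ".join(terms) + " -all"

def audit_spf(txt_records):
    """Return findings for the TXT records published at the domain root."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record published"]
    findings = []
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records found; receivers treat this as an error")
    for record in spf:
        terms = record.lower().split()[1:]
        if M365_INCLUDE not in terms:
            findings.append(f"missing {M365_INCLUDE}: {record}")
        # Top-level count only; nested includes add more at evaluation time.
        lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
        if lookups > LOOKUP_LIMIT:
            findings.append(f"{lookups} DNS-querying terms exceed the limit of {LOOKUP_LIMIT}")
        if not terms or terms[-1] != "-all":
            findings.append(f"does not end in -all: {record}")
    return findings

# Constructed TXT sets; the vendor include and verification value are placeholders.
SPLIT = [
    "MS=ms00000000",
    "v=spf1 include:spf.protection.outlook.com -all",
    "v=spf1 include:spf.marketing.example ~all",
]
MERGED = ["MS=ms00000000", build_spf(["include:spf.marketing.example"])]

if __name__ == "__main__":
    for name, records in (("split", SPLIT), ("merged", MERGED)):
        print(name, audit_spf(records) or "OK")
```

Feed it the TXT values your resolver returns for the root of the domain; the lookup count is a lower bound because nested includes are not resolved offline.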
SRV Records — Teams and Skype for Business
Two SRV records enable Teams voice and federation features. These have specific service, protocol, priority, weight, port, and target values that Microsoft specifies exactly. Enter them precisely as shown.
Step 4: Enable DKIM Signing
DomainKeys Identified Mail adds a cryptographic signature to outgoing emails, allowing recipients to verify that messages were not modified in transit. Enabling DKIM for your custom domain in Microsoft 365 requires adding two CNAME records and then activating signing in the Microsoft 365 Defender portal.
- In the Microsoft 365 Defender portal, navigate to Email and Collaboration, then Policies and Rules, then Threat Policies, and then DKIM.
- Select your domain and toggle DKIM signatures to enabled.
- If DKIM is not yet configured, the portal will display two CNAME records. Add these to your DNS, wait for propagation, and then return to enable signing.
Step 5: Set Up DMARC
Domain-based Message Authentication, Reporting, and Conformance builds on SPF and DKIM to give domain owners policy control over what happens to emails that fail authentication. While not required for Microsoft 365 to function, DMARC is strongly recommended for any domain sending business email.
Add a TXT record with the host _dmarc and a value that specifies your policy. A starting policy that monitors without rejecting is:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Once you have reviewed the aggregate reports and confirmed your SPF and DKIM configurations are correct, tighten the policy to p=quarantine and eventually p=reject.
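Reviewing the aggregate reports means reading the XML that receivers send to the rua address. The following is an added example, not part of the original guide: it parses a constructed report in the RFC 7489 aggregate layout and shows, per source IP, which mail passes on SPF only (a sign DKIM signing is not yet working for that sender) and which mail fails both checks and would be affected by p=quarantine or p=reject. The report contents and IP addresses are made up for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report; IPs are from documentation ranges.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>contoso.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>contoso.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>14</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>contoso.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>9</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>contoso.com</header_from></identifiers></record>
</feedback>"""

# DMARC passes when either aligned check passes; it fails only when both fail.
OUTCOME = {(True, True): "both", (True, False): "dkim_only",
           (False, True): "spf_only", (False, False): "fail"}

def summarise(report_xml):
    """Return (published policy, {source_ip: {outcome: message count}})."""
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p")
    by_source = defaultdict(lambda: defaultdict(int))
    for row in root.iterfind("record/row"):
        dkim = row.findtext("policy_evaluated/dkim") == "pass"
        spf = row.findtext("policy_evaluated/spf") == "pass"
        count = int(row.findtext("count"))
        by_source[row.findtext("source_ip")][OUTCOME[(dkim, spf)]] += count
    return policy, {ip: dict(counts) for ip, counts in by_source.items()}

def blocked_if_enforced(report_xml):
    """Source IPs whose mail fails DMARC and would be quarantined or rejected."""
    _, by_source = summarise(report_xml)
    return {ip: c["fail"] for ip, c in by_source.items() if c.get("fail")}

if __name__ == "__main__":
    policy, by_source = summarise(SAMPLE_REPORT)
    print("published policy:", policy)
    for ip, counts in by_source.items():
        print(ip, counts)
    print("affected by enforcement:", blocked_if_enforced(SAMPLE_REPORT))
```

Any source that appears in the enforcement list and is a legitimate sender needs to be added to SPF or set up for DKIM before the policy is tightened.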
Step 6: Set the Custom Domain as Primary
By default, new user accounts may still be assigned the onmicrosoft.com address. To ensure all new users receive an address at your custom domain, return to the Domains section of the Admin Centre, select your custom domain, and choose Set as default.
For existing users who were created under the onmicrosoft.com domain, you can update their primary email address by navigating to Users, then Active Users, selecting each user, and editing the username and email settings to use the new domain.
Propagation complete: once all DNS records are in place and services are active, your users can start sending and receiving email at their custom domain addresses immediately.
Troubleshooting Common Issues
- Verification keeps failing — DNS changes can take time. Wait 30 minutes and try again. Use a tool like MXToolbox to confirm the TXT record is visible publicly.
- Email delivery failing after cutover — Confirm the old MX records have been removed. Multiple MX records pointing to different servers cause inconsistent delivery.
- Outlook clients not connecting automatically — Autodiscover CNAME may not have propagated yet. Allow up to 24 hours and retest.
- DKIM signature failure — Ensure both CNAME records for DKIM are published and have propagated before enabling signing in the Defender portal.