Microsoft 365 and Cloudflare: Email DNS Setup Checklist
Check Microsoft 365 email DNS in Cloudflare, including MX, SPF, DKIM, and DMARC records for a custom domain.
Microsoft 365 custom domain setup often involves a registrar, Cloudflare, and the Microsoft admin center. The records only work when they are published at the active DNS host.
If Cloudflare nameservers are active, use Cloudflare as the source of truth for Microsoft 365 MX, SPF, DKIM, and DMARC records.
Confirm Cloudflare is authoritative
Check nameservers before copying records. If the domain points to Cloudflare nameservers, changes at the registrar's DNS editor usually will not affect public DNS.
This is the fastest way to avoid a setup loop where Microsoft keeps asking you to add a record you already added somewhere else.
Check Microsoft 365 MX
Microsoft 365 uses an MX target that is specific to your tenant and domain. Old MX records from Google, Zoho, cPanel, or a web host can prevent mail from routing correctly.
During a migration, be careful with timing, but for a normal completed setup the domain should route inbound mail to the intended Microsoft 365 MX host.
Publish authentication records
For SPF, include Microsoft 365 in the one root-domain SPF TXT record. Do not publish a second separate SPF record if one already exists.
Microsoft 365 DKIM usually uses selector CNAME records. DMARC still belongs at _dmarc and should be introduced cautiously if you are not sure all legitimate senders are covered.
Quick checklist
- Confirm Cloudflare nameservers are active.
- Publish the Microsoft 365 MX record in Cloudflare.
- Keep one SPF record that includes Microsoft 365.
- Add Microsoft 365 DKIM selector CNAME records when available.
- Publish DMARC at _dmarc with a safe starter policy if needed.