Microsoft 365 and Cloudflare: Email DNS Setup Checklist
Set up Microsoft 365 email DNS in Cloudflare with a practical checklist for MX, SPF, DKIM, DMARC, autodiscover, domain verification, and common setup mistakes.
Setting up Microsoft 365 email with Cloudflare is mostly about putting the right DNS records in the right place.
The confusing part is that your domain registrar, DNS host, website host, and email provider may all be different companies. Microsoft 365 gives you the DNS values, but Cloudflare is where you publish them when Cloudflare is the active DNS host.
This guide explains how to set up and troubleshoot Microsoft 365 email DNS in Cloudflare, including MX, SPF, DKIM, DMARC, autodiscover, domain verification, and common mistakes that can break email while your website still works.
On this page
Quick answer: what records do you need?
A basic Microsoft 365 + Cloudflare email setup usually needs these records:
| Purpose | DNS record type | Cloudflare name/host | Value |
|---|---|---|---|
| Microsoft domain verification | TXT | Usually @ | Microsoft-provided MS=ms... value |
| Incoming email | MX | @ | Microsoft-provided <domain-key>.mail.protection.outlook.com |
| Outlook autodiscover | CNAME | autodiscover | autodiscover.outlook.com |
| SPF sending authorization | TXT | @ | v=spf1 include:spf.protection.outlook.com -all for Microsoft 365-only sending |
| DKIM signing | CNAME | selector1._domainkey | Microsoft-provided selector 1 target |
| DKIM signing | CNAME | selector2._domainkey | Microsoft-provided selector 2 target |
| DMARC policy | TXT | _dmarc | v=DMARC1; p=none; |
Important: Do not guess the Microsoft MX, verification, or DKIM values. Use the exact values shown in your Microsoft 365 admin center, Microsoft Defender portal, or Microsoft-provided instructions.
Before you start: confirm Cloudflare is the active DNS host
Before adding Microsoft 365 records, confirm where live DNS is managed.
Cloudflare only controls your live DNS if your domain's nameservers point to Cloudflare.
Example
You bought the domain at Namecheap. Then you changed the nameservers to Cloudflare. Then your website was connected to Vercel. Now you want Microsoft 365 email.
In this setup, the correct place to add MX, SPF, DKIM, DMARC, autodiscover, and verification records is Cloudflare, not Namecheap and not Vercel.
| Role | Provider |
|---|---|
| Domain registrar | Namecheap |
| DNS host | Cloudflare |
| Website host | Vercel |
| Email provider | Microsoft 365 |
A very common mistake is adding Microsoft 365 DNS records at the registrar while the active nameservers point to Cloudflare. The records look correct in the registrar, but Microsoft 365 and public DNS checks still cannot find them.
Do not change website records unless the website is the problem
Microsoft 365 email setup usually requires MX, TXT, and CNAME records.
Your website usually depends on A, AAAA, or CNAME records.
| Record type | Usually affects |
|---|---|
| A | Website |
| AAAA | Website |
| CNAME | Website, autodiscover, DKIM, or verification depending on host |
| MX | Incoming email |
| TXT | SPF, DMARC, domain verification |
| DKIM CNAME | Outgoing email authentication |
If your website is already working, do not delete or replace the website records while fixing email. A website can work perfectly while Microsoft 365 email is broken because website DNS and email DNS are separate.
Cloudflare proxy setting: what matters for Microsoft 365 email?
Cloudflare has an orange-cloud proxy setting for some DNS records. For email DNS, this is a common source of confusion.
MX and TXT records are DNS-only. You do not orange-cloud MX records, SPF TXT records, DMARC TXT records, or Microsoft verification TXT records.
For Microsoft 365 DKIM CNAME records, keep them DNS-only as well.
| Record | Cloudflare proxy setting |
|---|---|
| MX | DNS-only |
| TXT verification | DNS-only |
| TXT SPF | DNS-only |
| TXT DMARC | DNS-only |
CNAME selector1._domainkey | DNS-only |
CNAME selector2._domainkey | DNS-only |
CNAME autodiscover | DNS-only is safest |
| Website A/CNAME records | Can be proxied if they serve web traffic |
If a CNAME is used for Microsoft 365 email authentication or service discovery, do not proxy it unless Microsoft specifically instructs otherwise.
Step 1: Add and verify your domain in Microsoft 365
Before Microsoft 365 can fully use your custom domain, Microsoft needs to verify that you own it.
Microsoft usually asks you to add a TXT record. The value often looks like this:
MS=msXXXXXXXXDo not copy this example. Use the exact value shown in your Microsoft 365 admin center.
Add Microsoft verification TXT in Cloudflare
| Field | Value |
|---|---|
| Type | TXT |
| Name | @ |
| Content | Microsoft-provided MS=ms... value |
| TTL | Auto or Microsoft-recommended TTL |
Then return to Microsoft 365 admin center and verify the domain.
Common verification mistakes
| Mistake | Result |
|---|---|
| TXT record added at registrar instead of Cloudflare | Microsoft cannot find the record |
| Wrong Cloudflare zone selected | Record is not published for the correct domain |
| Name entered incorrectly | Record appears at the wrong hostname |
| Copied value from another domain | Verification fails |
| Hidden spaces or typo | Verification fails |
| Not enough propagation time | Verification may fail temporarily |
The verification TXT record proves ownership. It does not route email by itself.
Step 2: Create users and mailboxes before changing MX
Before routing email to Microsoft 365, make sure the recipients exist.
For example, if you want to receive email at:
hello@example.comthen hello@example.com must exist inside Microsoft 365 as one of these:
- A licensed user mailbox
- An alias
- A shared mailbox
- A Microsoft 365 group
- A distribution list
- Another configured recipient
MX records tell the internet where to deliver email. They do not create mailboxes. If you change MX records before creating users or aliases, new incoming mail may reach Microsoft 365 but still bounce because the recipient does not exist.
Basic pre-MX checklist
- The domain is added in Microsoft 365.
- The domain is verified.
- Users are created.
- Required mailboxes are licensed.
- Aliases are created.
- Shared mailboxes or groups are configured.
- You know which email provider should receive new mail after the switch.
Step 3: Add the Microsoft 365 MX record in Cloudflare
MX records control incoming mail.
If someone sends email to:
hello@example.comthe sender's mail server checks the MX record for:
example.comFor Microsoft 365, the MX target is domain-specific and is shown in your Microsoft 365 admin center. It usually has this structure:
<domain-key>.mail.protection.outlook.comExample only:
example-com.mail.protection.outlook.comDo not guess your exact value. Copy it from Microsoft 365.
Add Microsoft 365 MX in Cloudflare
| Field | Value |
|---|---|
| Type | MX |
| Name | @ |
| Mail server | Microsoft-provided <domain-key>.mail.protection.outlook.com |
| Priority | Use Microsoft's value, commonly 1 in Cloudflare setup instructions |
| TTL | Auto or Microsoft-recommended TTL |
If you use Microsoft 365 for receiving email, the active MX record should point to Microsoft. Old MX records from your previous email provider should usually be removed when you are ready to route mail to Microsoft.
Step 4: Remove old MX records from previous email providers
Old MX records are one of the most common causes of broken Microsoft 365 email.
Previous providers may include:
- Google Workspace
- Zoho Mail
- Proton Mail
- Fastmail
- Namecheap Private Email
- cPanel hosting email
- Old web host email
- Email forwarding services
If Microsoft 365 should receive email, old MX records can cause mail to route to the wrong provider.
Wrong mixed setup:
example.com MX example-com.mail.protection.outlook.com
example.com MX ASPMX.L.GOOGLE.COM
example.com MX mail.oldhost.comCleaner Microsoft 365 setup:
example.com MX example-com.mail.protection.outlook.comUse your real Microsoft-provided MX target, not the example.
During a migration, timing matters. Do not delete access to the old email provider until you are sure old mail has been migrated or retained as needed.
Step 5: Add the Outlook autodiscover CNAME
Autodiscover helps Outlook and Exchange clients find mailbox settings automatically.
For Microsoft 365, the common autodiscover CNAME is:
autodiscover.outlook.comAdd autodiscover in Cloudflare
| Field | Value |
|---|---|
| Type | CNAME |
| Name | autodiscover |
| Target | autodiscover.outlook.com |
| TTL | Auto |
| Proxy status | DNS-only |
Without autodiscover, email may still flow, but Outlook setup can become annoying or unreliable. Outlook may not add the mailbox automatically, mobile Outlook may ask for manual settings, or users may see repeated login prompts.
Autodiscover is not the same as MX. MX routes incoming mail. Autodiscover helps mail clients discover the service.
Step 6: Add SPF for Microsoft 365
SPF helps receiving mail systems check whether Microsoft 365 is allowed to send email for your domain.
If Microsoft 365 is your only sending service, the common SPF record is:
v=spf1 include:spf.protection.outlook.com -all| Field | Value |
|---|---|
| Type | TXT |
| Name | @ |
| Content | v=spf1 include:spf.protection.outlook.com -all |
| TTL | Auto or Microsoft-recommended TTL |
Only one SPF record should exist for a domain. Do not add a new SPF record if one already exists. Instead, merge Microsoft's include into the existing SPF record.
Avoid duplicate SPF records
This is wrong:
v=spf1 include:spf.protection.outlook.com -all
v=spf1 include:_spf.google.com ~allThat creates duplicate SPF records, which can cause SPF evaluation errors.
Correct merged example if both Microsoft 365 and Google genuinely send email for the same domain:
v=spf1 include:spf.protection.outlook.com include:_spf.google.com ~allOnly include Google if Google really still sends email for that domain. If you fully moved from Google Workspace to Microsoft 365, you may not need the Google include anymore.
SPF when you use Microsoft 365 plus other senders
Many businesses use Microsoft 365 for mailbox email, but also send email from other platforms.
Examples:
- Website contact forms
- CRMs
- Email marketing tools
- Ecommerce platforms
- Helpdesk systems
- Invoicing tools
- Booking systems
- Transactional email providers
- Cold email tools
- Support platforms
If those services send email using your domain, they may require SPF, DKIM, or both.
Practical SPF process:
- List every service that sends email from your domain.
- Start with Microsoft 365 SPF.
- Add only legitimate third-party sending services.
- Keep everything in one SPF record.
- Remove old providers you no longer use.
- Avoid
+all. - Watch the SPF DNS lookup limit if the record becomes long.
Example combined SPF:
v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -allDo not copy this exact example unless that third-party sender is actually used by your domain.
Step 7: Set up DKIM for Microsoft 365 in Cloudflare
DKIM lets Microsoft 365 sign outgoing messages from your domain. This is important for email authentication, deliverability, and DMARC alignment.
For Microsoft 365 custom domains, DKIM uses two CNAME records:
selector1._domainkey
selector2._domainkeyThe targets are generated by Microsoft. They may look like Microsoft-managed DKIM hostnames, but you should not construct them manually.
Add Microsoft 365 DKIM CNAME records in Cloudflare
| Field | Record 1 | Record 2 |
|---|---|---|
| Type | CNAME | CNAME |
| Name | selector1._domainkey | selector2._domainkey |
| Target | Microsoft-provided selector 1 target | Microsoft-provided selector 2 target |
| TTL | Auto or 1 hour | Auto or 1 hour |
| Proxy status | DNS-only | DNS-only |
For Microsoft 365 DKIM: use CNAME records, not TXT records; add both selector records; keep both CNAMEs DNS-only in Cloudflare; and use the exact values from Microsoft Defender portal, Microsoft 365 instructions, or Exchange Online PowerShell.
Do not include the full domain in the Cloudflare Name field if Cloudflare already appends it.
Correct Cloudflare name:
selector1._domainkeyUsually wrong in Cloudflare:
selector1._domainkey.example.comThe second version can accidentally become selector1._domainkey.example.com.example.com depending on the DNS provider.
Where to get Microsoft 365 DKIM values
Get DKIM values from Microsoft, not from a generic blog post.
You can usually find them in:
- Microsoft Defender portal
- Email authentication settings
- DKIM tab
- Your custom domain details
- Publish CNAMEs section
Advanced users may also retrieve them through Exchange Online PowerShell.
The values are domain-specific and tenant-specific.
Microsoft DKIM targets can vary by tenant and current Microsoft infrastructure. Some older-looking examples may point toward an onmicrosoft.com hostname. Newer Microsoft-generated targets may use Microsoft DKIM infrastructure hostnames.
The rule is simple: Use the exact selector CNAME values Microsoft gives you for your domain.
Step 8: Enable DKIM signing in Microsoft 365
Adding the CNAME records in Cloudflare is not always the final step.
After DNS has propagated, go back to Microsoft and enable DKIM signing for the custom domain.
DKIM setup flow
- Add the custom domain in Microsoft 365.
- Confirm the domain is verified.
- Open DKIM settings in Microsoft Defender.
- Copy the selector 1 and selector 2 CNAME values.
- Add both CNAME records in Cloudflare.
- Keep both DNS-only.
- Wait for DNS propagation.
- Return to Microsoft Defender.
- Enable DKIM signing for the custom domain.
- Send a test email and inspect authentication results.
Common DKIM problems
| DKIM problem | What happens |
|---|---|
| Only selector1 added | DKIM rotation may fail later |
| Selector CNAME is proxied | DKIM verification can fail |
| TXT record used instead of CNAME | Microsoft 365 DKIM will not verify correctly |
| Target copied incorrectly | Microsoft shows CNAME missing |
| Hostname includes full domain twice | Record is published at the wrong name |
| DKIM not enabled after DNS setup | Messages may not be signed with your custom domain |
| DNS checked too soon | Microsoft may not detect the record yet |
Step 9: Add a basic DMARC record
DMARC tells receiving mail servers what to do when email claiming to be from your domain fails authentication checks.
A safe starting DMARC record is:
v=DMARC1; p=none;| Field | Value |
|---|---|
| Type | TXT |
| Name | _dmarc |
| Content | v=DMARC1; p=none; |
| TTL | Auto or 1 hour |
The full record becomes:
_dmarc.example.comDo not place the DMARC record at @.
When should Microsoft 365 domains use stricter DMARC?
DMARC has three common policy levels:
| Policy | Meaning | Practical use |
|---|---|---|
p=none | Monitor only | Best starting point |
p=quarantine | Treat failing mail as suspicious | After SPF/DKIM are working |
p=reject | Reject failing mail | Strongest policy, after testing |
A sensible rollout is:
p=none -> p=quarantine -> p=rejectDo not jump straight to p=reject if you are unsure about all legitimate senders.
This is especially important if your domain sends from Microsoft 365, website forms, CRM platforms, newsletter tools, ecommerce platforms, helpdesk tools, invoicing tools, booking systems, or transactional email services.
Step 10: Check optional Microsoft 365 service records
This guide focuses on email DNS.
Microsoft 365 may show additional DNS records for other services, such as Teams, Intune, Skype for Business, or mobile device management.
Examples may include additional CNAME records, SRV records, or service-specific DNS records.
Do not blindly add every optional record unless your organization uses that service.
For basic Microsoft 365 email, the most important records are usually:
- TXT verification
- MX
- SPF TXT
- Autodiscover CNAME
- DKIM CNAMEs
- DMARC TXT
If Microsoft 365 admin center shows additional required records for services you use, follow the exact values Microsoft provides.
Example Cloudflare DNS table for Microsoft 365 email
A clean basic Microsoft 365 email setup in Cloudflare may look like this:
| Type | Name | Content / target | Priority | Proxy |
|---|---|---|---|---|
| TXT | @ | MS=ms... Microsoft verification value | Not applicable | DNS-only |
| MX | @ | <domain-key>.mail.protection.outlook.com | Microsoft-provided, commonly 1 | DNS-only |
| CNAME | autodiscover | autodiscover.outlook.com | Not applicable | DNS-only |
| TXT | @ | v=spf1 include:spf.protection.outlook.com -all | Not applicable | DNS-only |
| CNAME | selector1._domainkey | Microsoft-provided DKIM selector 1 target | Not applicable | DNS-only |
| CNAME | selector2._domainkey | Microsoft-provided DKIM selector 2 target | Not applicable | DNS-only |
| TXT | _dmarc | v=DMARC1; p=none; | Not applicable | DNS-only |
Your Cloudflare DNS table may also contain website records such as A, AAAA, or CNAME records. That is normal.
Do not delete working website records just because they are not part of Microsoft 365 email.
Step 11: Test incoming email
After DNS changes, test receiving email. Send an email from an external mailbox to your Microsoft 365 address.
Example:
hello@example.comUse an outside sender, such as a personal Gmail, Outlook, Yahoo, or another external account.
Check:
- Does the message arrive?
- Does it bounce?
- Does it land in junk?
- Does the sender receive an error?
- Is only one address affected?
- Is the entire domain affected?
If only one address fails
- User mailbox exists
- Alias exists
- Shared mailbox exists
- Group exists
- License is active
- Recipient is not blocked
- Mail flow rules are not redirecting it
If the whole domain fails
- MX record
- Old MX records
- Microsoft domain verification
- Cloudflare active DNS status
- Whether DNS was changed in the wrong account
- Whether mailboxes were created before the MX switch
Step 12: Test outgoing email
Send an email from Microsoft 365 to an external mailbox.
Check:
- Does it arrive?
- Does it land in inbox or spam?
- Does SPF pass?
- Does DKIM pass?
- Does DMARC pass?
- Does the visible From domain match the domain being authenticated?
For a proper Microsoft 365 setup, outgoing mail should eventually pass SPF and DKIM, with DMARC passing through aligned SPF or aligned DKIM.
Troubleshooting: Microsoft says domain verification failed
If Microsoft cannot verify your domain, check:
- Is Cloudflare the active DNS host?
- Did you add the TXT record in the correct Cloudflare zone?
- Is the Name field correct?
- Did you copy the full
MS=ms...value? - Did you add extra spaces?
- Did you accidentally add the record to a subdomain?
- Has enough time passed for DNS propagation?
- Are you trying to verify the correct domain in Microsoft 365?
A verification TXT record in the wrong DNS provider will not work.
Troubleshooting: Microsoft says MX is missing
If Microsoft says MX is missing, check:
- Is Cloudflare the active DNS host?
- Did you add the MX record at
@? - Did you copy the Microsoft-provided
<domain-key>.mail.protection.outlook.comvalue? - Is the priority correct?
- Are old MX records still present?
- Did you add the record to the wrong domain?
- Has DNS propagation completed?
- Did you accidentally add the MX under a subdomain instead of the root?
A correct-looking MX record in the wrong DNS zone will still fail.
Troubleshooting: Microsoft 365 receives no email
If incoming mail does not arrive, check:
- MX points to Microsoft 365
- Old MX records are removed or lower priority only during a controlled migration
- Domain is verified in Microsoft 365
- Mailbox exists
- User has a license
- Alias exists if using an alias
- Shared mailbox or group is configured correctly
- Mail is not going to junk
- Sender is not receiving a bounce
- Cloudflare is the active DNS host
If the sender gets a bounce, read the bounce message carefully. It often says whether the problem is recipient not found, domain not found, or delivery rejected.
Troubleshooting: Outlook cannot connect automatically
If mail flows but Outlook setup is difficult, check autodiscover.
The CNAME should be:
autodiscoverpointing to:
autodiscover.outlook.com| Mistake | Result |
|---|---|
| Missing autodiscover CNAME | Outlook may not find settings automatically |
| Autodiscover points to old provider | Outlook may try the wrong service |
| CNAME added at wrong DNS host | Public DNS does not change |
| CNAME proxied through Cloudflare | Discovery may behave incorrectly |
| Old autodiscover record still present | Outlook may connect to old server |
Troubleshooting: SPF duplicate record warning
If an SPF checker says your SPF is duplicated, check all TXT records at the root domain.
Look for TXT records that start with:
v=spf1There should be only one.
Wrong:
v=spf1 include:spf.protection.outlook.com -all
v=spf1 include:_spf.google.com ~allCorrect if both senders are truly used:
v=spf1 include:spf.protection.outlook.com include:_spf.google.com ~allBut if Google no longer sends email for the domain, remove the Google include.
Troubleshooting: SPF does not include Microsoft 365
If Microsoft 365 sends email for your domain, SPF should include:
include:spf.protection.outlook.comFor Microsoft 365-only sending, the record is commonly:
v=spf1 include:spf.protection.outlook.com -all| Wrong | Why wrong |
|---|---|
include=spf.protection.outlook.com | Should use colon after include |
include: spf.protection.outlook.com | Extra space after colon |
include:spf.protection.outlook.com. | Trailing dot can be wrong in SPF |
| Two separate SPF records | SPF duplication |
+all | Authorizes everyone |
Do not edit SPF blindly if your domain uses third-party senders. First list all legitimate senders.
Troubleshooting: DKIM is missing or CNAMEMissing
If Microsoft reports DKIM as missing or CNAMEMissing, check:
- Did you add both selector CNAME records?
- Are they CNAME records, not TXT records?
- Are they published in Cloudflare?
- Are they DNS-only?
- Did you copy the exact targets from Microsoft?
- Did you enter
selector1._domainkeyandselector2._domainkeycorrectly? - Did Cloudflare append the domain automatically?
- Did you wait for propagation?
- Did you enable DKIM signing after adding records?
Common DKIM mistake
Wrong when Cloudflare expects only the host label:
selector1._domainkey.example.comCorrect Cloudflare Name field:
selector1._domainkey
selector2._domainkeyTroubleshooting: DMARC is missing
If DMARC is missing, add a TXT record at:
_dmarcwith content:
v=DMARC1; p=none;Do not add DMARC at @.
Wrong location:
example.comCorrect location:
_dmarc.example.comShould you use p=reject immediately?
Usually no. Start with v=DMARC1; p=none;, then confirm SPF, DKIM, Microsoft 365 sending, and third-party senders before moving to stricter policies.
Troubleshooting: website broke after adding Microsoft 365
Microsoft 365 email DNS should not normally break your website.
If your website stopped working after the email setup, you may have accidentally changed website records.
Check:
- Root A record
- Root AAAA record
wwwCNAME- Website host CNAME
- Website verification records
- Cloudflare proxy status for website records
- Whether nameservers changed
- Whether someone removed records that looked unused
Email records and website records perform different jobs. Adding MX, SPF, DKIM, DMARC, and autodiscover should not require deleting website records.
Troubleshooting: email broke after moving to Cloudflare
This is common.
When you move a domain to Cloudflare, you must copy all important DNS records into Cloudflare. If only website records were copied, the website may work but email may fail.
Make sure Cloudflare contains:
- Microsoft verification TXT
- Microsoft MX record
- SPF TXT record
- Autodiscover CNAME
- DKIM selector CNAME records
- DMARC TXT record
- Any other required Microsoft 365 records
- Any required website records
If email worked before Cloudflare and stopped after Cloudflare, missing MX/TXT/CNAME email records are likely.
Migration checklist: moving from Google Workspace to Microsoft 365
Before switching MX
- Add the domain to Microsoft 365.
- Verify the domain.
- Create users and mailboxes.
- Create aliases and groups.
- Plan email migration.
- Confirm old mail access.
- Add Microsoft SPF carefully.
- Prepare DKIM records.
- Prepare DMARC with monitoring.
- Decide when to switch MX.
During MX switch
- Add Microsoft 365 MX record.
- Remove or lower priority of Google MX records.
- Confirm new mail arrives in Microsoft 365.
- Test all important addresses.
- Test sending.
- Check SPF, DKIM, and DMARC.
After migration
- Remove old Google SPF include if Google no longer sends.
- Remove old Google DKIM if no longer needed.
- Keep old records only if a service still depends on them.
- Monitor bounces and spam placement.
- Tighten DMARC later after testing.
Do not remove Google access too early if old messages still need to be migrated or exported.
Migration checklist: moving from cPanel or web host email to Microsoft 365
In this case, the website may still need the old A record pointing to the web host, but email should move to Microsoft 365 MX.
Do not delete the website A record just because you are no longer using the web host for email.
Instead:
- Keep website A/CNAME records if the website still uses the host.
- Change MX to Microsoft 365.
- Remove old cPanel MX records when ready.
- Add Microsoft SPF.
- Add Microsoft DKIM.
- Add DMARC.
- Test sending and receiving.
Website hosting and email hosting can be separate.
Safe Microsoft 365 + Cloudflare setup order
Use this order for a clean setup:
- Confirm Cloudflare is the active DNS host.
- Add the domain in Microsoft 365.
- Add Microsoft verification TXT in Cloudflare.
- Verify the domain in Microsoft 365.
- Create users, mailboxes, aliases, groups, or shared mailboxes.
- Add Microsoft 365 MX record.
- Remove old MX records when ready.
- Add autodiscover CNAME.
- Add or update SPF.
- Make sure there is only one SPF record.
- Add Microsoft DKIM selector CNAME records.
- Enable DKIM signing in Microsoft 365.
- Add DMARC at
_dmarc. - Test receiving.
- Test sending.
- Inspect authentication results.
- Confirm website still works.
This order reduces the risk of routing email to Microsoft before recipients exist.
What not to do
Avoid these mistakes:
- Do not add DNS records at the registrar if Cloudflare is the active DNS host.
- Do not delete website A/CNAME records while setting up email.
- Do not keep old MX records unless you know why.
- Do not mix Google, Zoho, cPanel, and Microsoft MX records casually.
- Do not create multiple SPF records.
- Do not guess Microsoft DKIM targets.
- Do not use TXT records for Microsoft 365 DKIM selectors.
- Do not proxy Microsoft 365 DKIM CNAME records.
- Do not add DMARC at
@. - Do not start with
p=rejectunless all legitimate senders are authenticated. - Do not assume MX records create mailboxes.
- Do not keep changing DNS every few minutes before propagation.
Final Microsoft 365 + Cloudflare checklist
Use this final checklist:
- Cloudflare nameservers are active.
- Domain is added in Microsoft 365.
- Microsoft verification TXT record is published.
- Domain is verified in Microsoft 365.
- Users and mailboxes exist.
- Aliases, groups, or shared mailboxes exist if needed.
- Microsoft 365 MX record is published.
- Old MX records are removed or intentionally deprioritized.
- Autodiscover CNAME points to
autodiscover.outlook.com. - SPF includes
spf.protection.outlook.com. - There is only one SPF record.
- Third-party senders are included only if needed.
- DKIM selector1 CNAME exists.
- DKIM selector2 CNAME exists.
- DKIM CNAMEs are DNS-only.
- DKIM signing is enabled in Microsoft 365.
- DMARC exists at
_dmarc. - DMARC starts with
p=noneif unsure. - Receiving email is tested.
- Sending email is tested.
- SPF, DKIM, and DMARC results are checked.
- Website records are still intact.
Run a Microsoft 365 email DNS check
Use Domain Email Doctor to scan your domain's public DNS records before changing anything.
A scan can help confirm whether Cloudflare is publishing the right Microsoft 365 MX, SPF, DKIM, DMARC, and autodiscover records.
Start with the records that affect email. Do not guess and accidentally break website DNS that is already working.
Quick checklist
- Cloudflare nameservers are active.
- Domain is added in Microsoft 365.
- Microsoft verification TXT record is published.
- Domain is verified in Microsoft 365.
- Users and mailboxes exist.
- Microsoft 365 MX record is published.
- Old MX records are removed or intentionally deprioritized.
- Autodiscover CNAME points to
autodiscover.outlook.com. - SPF includes
spf.protection.outlook.com. - There is only one SPF record.
- DKIM selector1 CNAME exists.
- DKIM selector2 CNAME exists.
- DKIM CNAMEs are DNS-only.
- DKIM signing is enabled in Microsoft 365.
- DMARC exists at
_dmarc. - DMARC starts with
p=noneif unsure. - Receiving email is tested.
- Sending email is tested.
- Website records are still intact.