Registration
Registrar, registrant, expiration, auto-renew, payment, transfer lock, and recovery.
Protect the full chain behind a Microsoft 365 custom domain: legal registration, registrar access, authoritative DNS hosting, Microsoft 365 verification, email routing and authentication, controlled change, renewal, transfer, and retirement.

A custom domain depends on organizations and systems outside the Microsoft 365 tenant. Losing registrar access, missing renewal, changing nameservers without a zone copy, or editing MX and email-authentication records without validation can interrupt sign-in, mail flow, device enrollment, applications, websites, and customer trust.
Registrar, registrant, expiration, auto-renew, payment, transfer lock, and recovery.
Authoritative nameservers, DNS host, DNSSEC, zone access, API tokens, and exports.
Verified/default domain, accepted-domain behavior, identities, aliases, groups, and apps.
MX, Autodiscover, SPF, DKIM, DMARC, verification TXT, third-party senders, and web records.
Registrar and DNS host are not always the same provider. Document both systems and the authoritative nameservers. A registrar login alone may not provide access to the active DNS zone.
| Area | What to record | Owner and evidence | Review trigger |
|---|---|---|---|
| Business identity | Domain purpose, legal/business owner, brands, production status, business services, criticality. | Domain register, owner approval, service map. | Acquisition, rebrand, divestiture, new service, or annual review. |
| Registrar | Provider, account/tenant ID, registrant, admin/technical contacts, expiry, auto-renew, payment, transfer lock. | Registrar export/screenshots, recovery test, named business owner. | Contact/payment change, renewal, provider transfer, or access failure. |
| DNS hosting | Authoritative nameservers, provider/account, zone ID, DNSSEC state, API credentials, access roles, export/backup. | NS query, provider configuration, access review, zone export. | Nameserver, provider, credential, DNSSEC, or automation change. |
| Microsoft 365 | Verification status, default use, accepted-domain type, identities, aliases, groups, applications, and tenant purpose. | Admin-center/Exchange reports, object queries, architecture record. | Tenant migration, domain removal, UPN/SMTP change, or merger. |
| Email routing | MX targets/priority, connectors, gateways, hybrid path, third-party filtering, continuity dependencies. | DNS query, mail-flow diagram, test messages, connector evidence. | Mail migration, gateway change, incident, or vendor termination. |
| Email authentication | SPF sources/lookup budget, DKIM selectors and enablement, DMARC policy/addresses, reporting owner. | Published records, Microsoft settings, aggregate reports, test results. | New sender, provider change, key rotation, or DMARC policy change. |
Domain work crosses legal, financial, identity, messaging, web, security, and vendor teams. Use a cross-functional record rather than treating DNS as an isolated technical task.
Use a business-controlled account, accurate registrant details, role-based access, MFA, recovery contacts, auto-renew, approved payment, transfer lock, and domain inventory entry.
Confirm authoritative nameservers and DNS host ownership. Enable supported security controls, restrict API tokens, export the zone, and document recovery and change paths.
Add the custom domain and publish the tenant-specific verification record. Record the tenant, verification method, default-domain decision, and intended services.
Create required users/mailboxes and plan UPN/SMTP, accepted domains, coexistence, connectors, third-party senders, Autodiscover, and support communication before changing MX.
Change records under approval, honor TTL/propagation, query multiple resolvers, test inbound/outbound mail, validate SPF/DKIM/DMARC, and monitor user/business impact.
Monitor expiration, contacts, nameservers, DNS changes, certificates, mail authentication, third-party senders, vendor access, and recovery readiness.
Inventory every Microsoft 365 and external reference, move identities/services, preserve required data, change routing, remove tenant dependencies, and retain ownership defensively where appropriate.
| Record | Purpose | Review checks | Common failure |
|---|---|---|---|
| TXT verification | Proves domain ownership to Microsoft 365 without routing production traffic. | Tenant-specific value, change record, whether obsolete verification records can be removed. | Wrong zone, copied value, stale multi-tenant proof, or use of MX verification with unsafe priority. |
| MX | Routes inbound email to Exchange Online or an approved gateway. | Targets, priorities, old provider records, gateway/connector alignment, TTL, failover assumptions. | Competing MX paths, stale former provider, unexpected gateway bypass, or wrong priority. |
| Autodiscover CNAME | Helps supported Outlook clients locate Exchange Online configuration. | Correct target, hybrid design, legacy conflicts, resolver results, certificate implications. | Legacy server target, conflicting A/CNAME, split-DNS difference, or cached stale record. |
| SPF TXT | Declares authorized sending infrastructure for the domain. | Single SPF record, all approved senders, mechanisms/qualifier, DNS lookup budget, ownership of includes. | Multiple SPF records, missing vendor, excessive lookups, broad mechanisms, or stale include. |
| DKIM CNAME | Delegates Microsoft 365 DKIM selectors and supports cryptographic signing. | Both selectors, tenant-specific targets, DKIM enabled, selector rotation, alignment and message tests. | Copied from another tenant/domain, one missing selector, DNS present but DKIM disabled. |
| DMARC TXT | Publishes alignment policy and reporting destinations. | Policy, percentage, subdomain policy, report addresses, authorization for external destinations, reporting owner. | Enforcement before sender discovery, unread reports, invalid syntax, or unmanaged report mailbox. |
SPF rule: do not create a second SPF record for Microsoft 365. Microsoft recommends maintaining one SPF TXT record that includes every authorized sender. Test lookup count and message alignment before enforcement changes.
MX cutover: Microsoft recommends creating users and mailboxes before moving MX to Microsoft 365. A DNS change is not a mailbox migration or mail-flow design by itself.
Registrar, DNS host, recovery email, payment, or API control remains tied to an external or departed person.
Auto-renew is off, payment is expired, notices go to an unmonitored mailbox, or no secondary owner validates renewal.
The registrar points to a DNS host no one owns, or a planned provider transfer lacks a complete zone and DNSSEC plan.
MX, gateway, connector, hybrid, third-party filtering, and accepted-domain behavior do not match the documented architecture.
Former senders remain in SPF, DKIM is not enabled or rotated, DMARC reports are unread, or enforcement exceeds sender readiness.
Users, admin sign-ins, aliases, mailboxes, contacts, groups, applications, or accepted-domain dependencies still reference it.
Microsoft requires a custom domain to stop being the default and to be removed from identities and messaging objects before tenant removal. Large environments require queries and evidence beyond what a single portal page can show.
Removing a custom domain can cause accounts to revert to the tenant’s onmicrosoft.com domain. Validate the current Microsoft removal behavior, user impact, mail routing, and migration sequence before approving the change.
No. The registrar manages the domain registration and delegation, while a different provider can host the authoritative DNS zone. Record both providers and confirm the nameservers actually delegated at the registry.
Management depends on the registrar/DNS integration and chosen setup. Many organizations retain DNS with a third-party provider and publish the Microsoft-provided records there.
No. Microsoft advises maintaining a single SPF TXT record that includes Microsoft 365 and every other approved sender. Multiple SPF records can cause SPF evaluation errors.
Validate authoritative and public DNS answers, inbound and outbound mail for representative recipients, gateways/connectors, non-delivery reports, Autodiscover, SPF/DKIM/DMARC alignment, queues, monitoring, and user/business impact.
The domain cannot be default or remain referenced by users, admin sign-ins, aliases, mailboxes, contacts, groups, Teams, distribution lists, and other tenant objects. Query and remediate every dependency before removal.
IT Perfection helps Orange County and Southern California organizations document registrar and DNS ownership, plan Microsoft 365 domain changes, secure email records, validate mail flow, prepare transfers, and retire domains safely.
Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience. DNS, registrar, Microsoft 365, email, and contractual behavior change; validate current provider documentation and test in context. This guide is for initial guidance only and does not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review.
We use necessary cookies and limited analytics and advertising-measurement cookies. Select Accept to allow optional cookies or Deny to continue with necessary cookies only. No name or email is required. You may close this website at any time.