{"id":1695,"date":"2020-06-02T01:00:00","date_gmt":"2020-06-02T01:00:00","guid":{"rendered":"http:\/\/inswwdev.azurewebsites.net\/au\/insights\/uncategorized\/whats-in-a-name-dns-for-microsoft-365\/"},"modified":"2020-06-02T01:00:00","modified_gmt":"2020-06-02T01:00:00","slug":"whats-in-a-name-dns-for-microsoft-365","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/nz\/insights\/geek-speak\/secure-workplace\/whats-in-a-name-dns-for-microsoft-365\/","title":{"rendered":"What\u2019s in a name \u2013 DNS for Microsoft 365"},"content":{"rendered":"<p><span>During the setup of services for Microsoft 365, Microsoft asked us to configure several DNS records for our domains, so I thought it might be useful to provide a little background information about what they\u2019re for, plus some tricks and tips.<\/span><\/p>\n<p><span>For most people DNS (the Domain Name System) is a hidden background service but, without exaggeration, its invention in 1983, into the then mysterious world of inter-networking, was one of the most important steps in creating a scalable, global network, as it allowed people to refer to relatively abstract IP addresses using a recognisable and orderly naming system.\u00a0 To put its novelty into context, it wasn\u2019t for another 10 years, in 1993, that Microsoft released an update to enable Windows (then version 3.11) to connect to IP networks at all \u2013 and use DNS.\u00a0 <\/span><\/p>\n<p><span>DNS has stood the test of time and is very much at the core of the contemporary cloud systems we use today.<\/span><\/p>\n<p><span>So, what does it do in Microsoft 365?<\/span><\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\"><span>IN THE BEGINNING THERE IS A TENANT<\/span><\/h3>\n<p><span>When you first sign up to create an account in Microsoft 365, you will be asked to choose a name for your new tenant. 
Once you\u2019ve chosen something unique, this name will stay with you through the life of your tenant \u2013 so choose wisely.\u00a0 \u00a0This tenant name will show up in all sorts of places throughout Microsoft 365 and Azure AD and it will form part of the DNS names you use to access SharePoint and several other Microsoft 365 services.<\/span><\/p>\n<p><span>The other good news is that Microsoft will take care of all the configuration and DNS requirements for your Tenant domain name automatically so, if you\u2019re only going to use your tenant name, you can stop reading now\u2026<\/span><\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\"><span>AUTHORISATION<\/span><\/h3>\n<p><span>Once you have your tenant, one of the first things you\u2019re likely to want to do is configure your very own domain name.\u00a0 The simplest solution here is to let Microsoft manage it for you but where\u2019s the fun in that!?<\/span><\/p>\n<p><span>Assuming you\u2019ve registered your domain name and you\u2019re managing the DNS yourself, there are different types of DNS records you\u2019re going to come across.\u00a0 The first entry you\u2019ll be asked to make in DNS is to show that you own the domain.\u00a0 Microsoft will ask you to create a custom TXT or MX record to demonstrate that you have control of the DNS for the domain name and you\u2019re authorised to use it.\u00a0 <\/span><\/p>\n<p><span>Once authorised, you can start to enable services against your domain but the order you do them in will depend on how you\u2019re going to migrate or enable services. 
So in no particular order, here are some common services you\u2019ll be working through:<\/span><\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\"><span>AUTODISCOVER<\/span><\/h3>\n<p><span>Typically, Autodiscover uses a CNAME record called, unsurprisingly: \u201cautodiscover\u201d, to find the Exchange services configured with your domain name.\u00a0 In some cases, a CNAME record is too blunt to accommodate the various certificates and naming in use in your environment \u2013 most often your Hybrid environment.\u00a0 In these cases, an SRV record can provide the direction needed to make sure everyone can find their way.\u00a0 The important trick here is that with the help of an SRV record, Autodiscover can use any hostname with a valid certificate to find its way to your Exchange environment.\u00a0 You don\u2019t have to have a certificate which matches the name \u201cautodiscover.yourdomain.whatever\u201d exactly.<\/span><\/p>\n<p><span>Under the surface though, Autodiscover is about much more than allowing Outlook and mobile apps to find their way to Exchange; Exchange also requires Autodiscover in order to handle Free\/Busy information, manage calendar availability and several other essential Hybrid features.\u00a0 <\/span><\/p>\n<p><span>The lesson here: don\u2019t be scared of the SRV \u2013 it can save your bacon.<\/span><\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\"><span>OUTBOUND EMAIL<\/span><\/h3>\n<p><span>The next service you\u2019re likely to experience which relies on DNS is outbound email.\u00a0 Microsoft 365 will take care of the normal email routing using DNS (or custom connectors if you set them up) but email security is rapidly evolving to try to protect our \u2013 generally very insecure &#8211; messages and DNS plays a key part in this process too.<\/span><\/p>\n<p style=\"color: #f16020;\"><strong>Who do you 
think you are SPF?<\/strong><\/p>\n<p><span>The SPF (or Sender Policy Framework) allows you to publish a trusted list of sources from which your domain might send email.\u00a0 If you\u2019re only using Microsoft 365 then include:spf.protection.outlook.com is all you need, but if any other services \u2013 such as other SaaS platforms, marketing emailers or an on-premises database \u2013 will ever send messages from an address @yourdomain.whatever, then you should include a reference to these services in your SPF.\u00a0 It is your \u201cauthorised senders\u201d list.\u00a0 Without it, your email will often look like spam to those who receive email from you \u2013 or, just as bad, Microsoft will think that your CRM system is trying to spoof your domain and you\u2019ll miss a vital sales or support email.\u00a0 <\/span><\/p>\n<p><span>SPF is published as a TXT record in DNS taking the form:<\/span><\/p>\n<p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 v=spf1 include:spf.protection.outlook.com -all<\/p>\n<p style=\"color: #f16020;\"><strong>Long live the DKIM<\/strong><\/p>\n<p><span>DKIM (DomainKeys Identified Mail) is the next in line to the email security throne.\u00a0 By publishing DKIM selector records you can prevent others sending messages which look like they come from your domain.\u00a0 DKIM enables emails sent by Microsoft 365 to be cryptographically signed by the sending system, so that the receiving system can confirm that they are legitimate.<\/span><\/p>\n<p><span>DKIM keys are published in the form of CNAME (selector) records which tell your recipients where to validate your DKIM signatures.\u00a0 The selector names are the same for all your domains but the hostnames they point to are different for each domain \u2013 which can be a little tricky.\u00a0 So here are a few tips:<\/span><\/p>\n<ol>\n<li><span>Don\u2019t worry about DKIM, just do it<\/span><\/li>\n<li><span>The selector names are the same for all domains: 
<\/span><\/li>\n<\/ol>\n<p>selector1._domainkey<\/p>\n<p>selector2._domainkey<\/p>\n<ol start=\"3\">\n<li><span>Unhelpfully, Microsoft don\u2019t provide the addresses in the portal in any easy form, but you can get all your DKIM selector addresses with one PowerShell command:<\/span><\/li>\n<\/ol>\n<p>Get-AcceptedDomain | Get-DkimSigningConfig | FL *CNAME<\/p>\n<p><span>This will give you both host records you need for each of your domains.<\/span><\/p>\n<ol start=\"4\">\n<li><span>So now you can create the CNAME records you need. Create one for each selector with the names #2 and the address from #3<\/span><\/li>\n<\/ol>\n<p>Host name:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 selector1._domainkey<\/p>\n<p>Points to address or value:\u00a0\u00a0\u00a0 selector1-&lt;domainGUID&gt;._domainkey.&lt;initialDomain&gt;<\/p>\n<p>TTL:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 3600<\/p>\n<p>Host name:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 selector2._domainkey<\/p>\n<p>Points to address or value:\u00a0\u00a0\u00a0 selector2-&lt;domainGUID&gt;._domainkey.&lt;initialDomain&gt;<\/p>\n<p>TTL:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 3600<\/p>\n<ol start=\"5\">\n<li><span>Once the two records are created in DNS zone, the final step is to enable them in Microsoft 365. 
You can do this either in the Exchange Management Console, or in PowerShell:<\/span><\/li>\n<\/ol>\n<p>Set-DkimSigningConfig -Identity &lt;domain&gt; -Enabled $true<\/p>\n<p><span>And that\u2019s it.\u00a0 Once you have SPF and DKIM records set, Microsoft will also automatically use these to check incoming email using DMARC.\u00a0 <\/span><\/p>\n<p><span>For more information on SPF, DKIM and DMARC, see here: <a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/office-365-security\/email-validation-and-authentication?view=o365-worldwide\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/office-365-security\/email-validation-and-authentication?view=o365-worldwide<\/a><\/span><\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\"><span>INBOUND EMAIL<\/span><\/h3>\n<p><span>Once you have set up your outbound email, the time will come to commit yourself to routing your inbound email directly into Microsoft 365.\u00a0 All Microsoft 365 plans include Exchange Online Protection features to some degree, and some plans also include Advanced Threat Protection but I\u2019m not going to talk about configuring those today \u2013 suffice to say: do that first.\u00a0<\/span><\/p>\n<p><span>Next, it\u2019s time to do some testing: the last thing you want is to flip the switch and find your email doesn\u2019t get delivered.<\/span><\/p>\n<p><span>So, first: find the host name record which Microsoft wants you to use for your domain.\u00a0 The simplest way is to use the Microsoft 365 Admin Console -&gt; Setup -&gt; Domains but if you prefer, you can use Azure AD PowerShell too:<\/span><\/p>\n<p><span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Get-AzureADDomain | % {(Get-AzureADDomainServiceConfigurationRecord -Name $_.Name | where RecordType -eq MX).MailExchange}<\/span><\/p>\n<p><span>Next, test it.\u00a0 Don\u2019t take it for granted that 
Microsoft has set it up properly \u2013 it takes 2 seconds to check, so check.\u00a0 <\/span><\/p>\n<p><span>To test SMTP, either use Telnet or an SMTP testing tool on the web (such as Wormly here: <a href=\"https:\/\/www.wormly.com\/test_smtp_server\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/www.wormly.com\/test_smtp_server<\/a>).\u00a0 Use the hostname which Microsoft has given you to send a message directly into Office 365 (bypassing the existing MX record).\u00a0 Then, when you receive the email, check the headers using Microsoft\u2019s Message Header Analyser: <a href=\"https:\/\/mha.azurewebsites.net\/pages\/mha.html\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/mha.azurewebsites.net\/pages\/mha.html<\/a>.\u00a0 You can use this to check that the message has been processed and spam-checked appropriately before being delivered to your mailbox.<\/span><\/p>\n<p><span>And now we\u2019re ready.\u00a0 <\/span><\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\"><span>HELLO<\/span><\/h3>\n<p><span>Microsoft 365 uses only one MX record so you can put the Microsoft provided hostname into your DNS as your new MX record with priority 0.\u00a0 Microsoft recommends a TTL of 3600 seconds (1 hour) but you might prefer to enter a shorter TTL (e.g. 60 secs or 300 secs) just in case you need to revert quickly for any reason.\u00a0 Remember, when you\u2019re putting the MX record in place, to put a final . (dot) after the hostname if your DNS service needs it; otherwise your messages won\u2019t go anywhere useful.\u00a0 You can also leave your existing MX records in place for the time being while you test the mail flow. 
Your DNS will take a while (depending on the zone TTL) to update across the wider Internet but once the new MX record is picked up, your mail should start to be delivered direct to Microsoft 365.\u00a0 Again, check using the MHA tool (above) to confirm that the mail has been routed directly into Exchange Online Protection, and keep an eye on your quarantine and message tracking to make sure your messages are being delivered appropriately.<\/span><\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\"><span>SKYPE FOR BUSINESS &amp; TEAMS<\/span><\/h3>\n<p><span>The DNS configuration for SfB and Teams is the same for all domains \u2013 and that\u2019s the good news.\u00a0 However, the bad news is that, compared to what we\u2019ve done so far, it\u2019s a little more complex.\u00a0 <\/span><\/p>\n<p><span>As you can imagine, DNS is used extensively in SfB and Teams, so we need to give it a hand to find its way around.\u00a0 We need 4 different records in place to tie it all together:<\/span><\/p>\n<ul>\n<li><span>CNAME: lyncdiscover \u2013 helps clients to connect, much like Autodiscover for Exchange above<\/span><\/li>\n<li><span>CNAME: sip \u2013 used by mobile clients to make and receive audio calls<\/span><\/li>\n<li><span>SRV: sip \u2013 used for external user access<\/span><\/li>\n<li><span>SRV: sipfederationtls \u2013 used to allow external parties to discover your federations to other potential partners<\/span><\/li>\n<\/ul>\n<p><span>With these four DNS records set for your domain, Skype for Business and Teams users can connect to the service using web, desktop and mobile apps, and allowed external partners can connect with your users for instant messaging and calls.<\/span><\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\"><span>DEVICE MANAGEMENT<\/span><\/h3>\n<p><span>Our final stop on this magical mystery tour is device 
management.\u00a0 Nice and easy this time.\u00a0 Just two CNAME records to add and they\u2019re always the same.\u00a0 These two records (called enterpriseregistration and enterpriseenrollment) enable Microsoft 365 device management services to discover and enrol your users\u2019 devices using their login credentials.\u00a0 They should be set up for any domain which is used as a UPN or email address in Office 365.\u00a0 No magic here thankfully.<\/span><\/p>\n<p><span>So, in conclusion \u2013 a few relatively simple DNS entries enable an enormous amount of functionality under the hood in Microsoft 365.\u00a0 New features may come along in Microsoft 365 demanding further DNS configuration but, as it stands, Microsoft has done a reasonably good job of keeping it simple and stable for us all.\u00a0 <\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>During the setup of services for Microsoft 365, Microsoft asked us to configure several DNS records for our domains, so I thought it might be useful to provide a little background information about what they\u2019re for, plus some tricks and tips. 
For most people DNS (the Domain Name Service) is a hidden background service but,&hellip; <a class=\"more-link\" href=\"https:\/\/www.insentragroup.com\/nz\/insights\/geek-speak\/secure-workplace\/whats-in-a-name-dns-for-microsoft-365\/\">Continue reading <span class=\"screen-reader-text\">What\u2019s in a name \u2013 DNS for Microsoft 365<\/span><\/a><\/p>\n","protected":false},"author":94,"featured_media":1696,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[20],"tags":[],"class_list":["post-1695","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-workplace","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts\/1695","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/users\/94"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/comments?post=1695"}],"version-history":[{"count":0,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts\/1695\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/media\/1696"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/media?parent=1695"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/categories?post=1695"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/tags?post=1695"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}