To set up Microsoft 365 Exchange Online (formerly Office 365) in cPanel, please follow the following steps in conjunction with the instructions provided to you by Microsoft.
Access cPanel's Zone Editor
Login to cPanel, then go to Zone Editor, and click "Manage" beside the domain name you are setting up. This will allow you to add/update DNS records for the domain(s) in question.
Add TXT record to authenticate your domain
First, Microsoft will need to authenticate that you own the domain. Do this by adding the TXT record they supply:
example.com.au. 300 TXT MS=ms000000
Then, authenticate the domain in Microsoft's portal.
Configure email authentication using SPF, DKIM and DMARC
For background information on email sending authentication, see our article DKIM, SPF & DMARC Explained.
SPF
At a minimum, Microsoft will require you to update your SPF record to permit their network to send email on your behalf.
If you already have an SPF record, you will want to update it to include the "include:spf.protection.outlook.com" statement. You can then remove the "+mx". If the website is hosted by Precedence, you can also remove the "+a", provided that the "include:_spf.pre.net.au" statement remains. Do not remove other statements unless you are sure you do not need them. Reach out to Precedence for help if you're unsure, and we can make recommendations.
example.com.au. 300 TXT v=spf1 include:_spf.pre.net.au include:spf.protection.outlook.com -all
We recommend testing your SPF record afterwards with a tool such as MX Toolbox to check for validation or too-many-DNS-lookup issues.
DKIM
We recommend that you add DKIM keys specific to your domain. Obtain the keys by following this Microsoft guide on setting up DKIM, then add them as CNAME records to your domain, like so:
selector1._domainkey 300 CNAME selector1-example-com-au._domainkey.example.onmicrosoft.com
selector2._domainkey 300 CNAME selector2-example-com-au._domainkey.example.onmicrosoft.com
DMARC
We recommend that you include a DMARC policy. If you already have a record for "_dmarc.example.com.au", leave it in place. If not, at a minimum, add a policy that "does nothing" like this:
_dmarc 300 TXT v=DMARC1; p=none;
...but for effective protection against spoofing, this should be a "reject" policy. See DKIM, SPF & DMARC Explained for more information. If this is a new domain where you don't need to worry about testing pre-existing email sending services, you can just use the following policy to prevent spoofing:
_dmarc 300 TXT v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r;pct=100;fo=0:d;rf=afrf;ri=86400;rua=mailto:dmarc@pre.net.au;ruf=mailto:dmarc@pre.net.au
(The email address dmarc@pre.net.au will allow Precedence to provide assistance with any DMARC false positives, if needed. If you are responsible for managing email infrastructure for this domain, this should be an email address or DMARC monitoring service that you control.)
We recommend testing your DMARC record afterwards with a tool such as MX Toolbox to check for validation or policy issues.
Update MX record
When you are ready for mail to start flowing through Microsoft 365 Exchange Online, add the MX record provided by Microsoft:
example.com.au. 300 MX 0 example-com-au.mail.protection.outlook.com.
Then, remove any other MX records, so that only the above MX record is in place.
Update Email Routing
cPanel must be instructed that email is no longer being handled by cPanel, otherwise, any email sent within the server (e.g. from a website) will go directly into cPanel's mail platform instead of the MX record.
To do this, go to cPanel > Email Routing and change the option to "Remote Mail Exchanger".
(You could also choose "Automatically Detect Configuration", but as with anything automatic, there are scenarios where it might detect incorrectly. We recommend being explicit.)
Add additional Microsoft records (optional)
Microsoft may recommend additional records depending on what services you are using.
Common examples include:
autodiscover 300 CNAME autodiscover.outlook.com. sip 300 CNAME sipdir.online.lync.com. lyncdiscover 300 CNAME webdir.online.lync.com. msoid 300 CNAME clientconfig.microsoftonline-p.net. enterpriseregistration 300 CNAME enterpriseregistration.windows.net. enterpriseenrollment 300 CNAME enterpriseenrollment.manage.microsoft.com. _sip._tls 300 SRV 100 1 443 sipdir.online.lync.com. _sipfederationtls._tcp 300 SRV 100 1 5061 sipfed.online.lync.com.
Need help?
We are more than happy to make DNS updates on your behalf, provide advice, or investigate problems. Just reach out to our support team and we'll do our best to assist.
