![(Updated) DNS Provisioning Change [MC1048624]](https://mwpro.co.uk/wp-content/uploads/2025/06/pexels-cottonbro-9668883-1024x683.webp "(Updated) DNS Provisioning Change [MC1048624] 1")
Updated August 22, 2025: We have updated the content. Thank you for your patience.
We’re making some changes to DNS provisioning of A records for all new Accepted Domains provisioned after October 1st, 2025 (previously August 1st). Between early and late October 2025 (previously early August and late August), we will gradually switch provisioning of all A records for new Accepted Domains into the new subdomains under mx.microsoft.
We are doing this to reduce the friction of adopting DNSSEC in the long run. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks to DNS.
[How this will affect your organization:]
After October 1st, 2025 (previously August 1st), all A records for new Accepted Domains will be provisioned into the new subdomains under mx.microsoft.
DNS resolution will safely fallback to “plain” DNS if a domain is not DNSSEC enabled. If an Accepted Domain you add to the Exchange Admin Center after October 1st (previously August 1st) is not secured with DNSSEC at the domain level (ex. contoso.com), then DNS resolution will work as usual. If an Accepted Domain you add to the EAC after October 1st (previously August 1st) is secured with DNSSEC, then DNSSEC will extend to the mx.microsoft DNS record automatically and you will get the benefits of DNSSEC without having to take any further action. Any issues with DNSSEC can be addressed by disabling DNSSEC for the Accepted Domain (ex. contoso.com) via your DNS provider.
[What you need to do to prepare:]
If you have any automation in place, for example in workflows for Domain Setup, for MX record creation that expects A records for newly provisioned Accepted Domains to be provisioned in mail.protection.outlook.com, this automation needs to be updated by October 1st (previously August 1st) to use List serviceConfigurationRecords Graph API (List serviceConfigurationRecords). Use List serviceConfigurationRecords to retrieve the mailExchange value for your MX record. After October 1st (previously August 1st), List serviceConfigurationRecords Graph API will be the only source of truth for your Accepted Domains’ MX record value. You will not be able to rely on the Accepted Domain’s A record being provisioned in mail.protection.outlook.com after October 1st (previously August 1st.
If you are using automation that expects the record to end with mail.protection.outlook.com, when you add a new Accepted Domain to the Exchange Admin Center after October 1st (previously August 1st), mail flow may not work upon initial configuration and you will have to update your MX record to match what the Exchange Admin Center says for the domain or use the mailExchange value returned by List serviceConfigurationRecords Graph API.
If you expect this change to cause any issues for your organization, please share that feedback.
Source: Microsoft
<<< [MC1048624] Archive
Tooltip: View earlier revisions of this post
Latest Posts
- Announcing the AWS Billing and Cost Management MCP server
- (Updated) Microsoft Viva Engage | Email sender domain migration from @yammer.com to @engage.mail.microsoft [MC1117814]
- (Updated) Microsoft Loop – Microsoft 365 Groups for Managing New Loop workspaces [MC929023]
- Amazon RDS for Db2 now supports read replicas
