💡 Our Technical Review in summary
Starting July 1, 2026, Microsoft is changing the DNS provisioning process for all new Accepted Domains added to Microsoft 365. Currently, MX records for Exchange Online typically point to a host within the `mail.protection.outlook.com` domain. For domains added after the cutoff date, Microsoft will begin provisioning A records under new subdomains within `mx.microsoft`. This change is designed to facilitate the adoption of DNSSEC (Domain Name System Security Extensions), providing improved protection against DNS spoofing and man-in-the-middle attacks.
#### Impact
- New Domains Only: This change specifically impacts domains added to the Exchange Admin Center (EAC) after July 1, 2026. Existing domains already provisioned are not immediately affected.
- DNSSEC Integration: If a new domain is already secured with DNSSEC at the registrar level, Microsoft’s new provisioning system will automatically extend DNSSEC coverage to the `mx.microsoft` record, enhancing mail flow security without manual intervention.
- Automation Failure: Any custom scripts, onboarding workflows, or third-party tools that hardcode or expect the MX record string to end in `mail.protection.outlook.com` will fail for new domains.
- Mail Flow Risk: If automation incorrectly configures a new domain with the old `mail.protection.outlook.com` format after July 2026, mail flow will not function until the MX record is corrected to the value provided by Microsoft.
#### Action Required
- Audit Automation: Review all internal scripts, PowerShell workflows, and documentation used for domain provisioning and MX record configuration.
- Update Graph API Calls: Transition any automation to use the
List serviceConfigurationRecordsGraph API. This API should be treated as the sole “source of truth” for retrieving the correctmailExchangevalue for any Accepted Domain. - Modify Validation Logic: If your environment uses DNS validation tools that look for specific strings (e.g., “protection.outlook.com”), update those patterns to accommodate the new
mx.microsoftformat. - DNSSEC Coordination: Ensure that your DNS provider settings are reviewed. If issues arise with DNSSEC on a new domain, the temporary workaround is to disable DNSSEC at the domain level via your DNS provider.
- Timeline: Ensure all technical updates are completed before the new enforcement date of July 1, 2026.
Microsoft Official Update
Service: N/A
Category: planForChange
Severity: normal
Updated February 2, 2026: We have updated the timeline. Thank you for your patience.
We’re making some changes to DNS provisioning of A records for all new Accepted Domains provisioned after July 1st, 2026 (previously February 1st). Between early and late July 2026 (previously February), we will gradually switch provisioning of all A records for new Accepted Domains into the new subdomains under mx.microsoft.
We are doing this to reduce the friction of adopting DNSSEC in the long run. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks to DNS.
[How this will affect your organization:]
After July 1, 2026 (previously February 1), all A records for new Accepted Domains will be provisioned into the new subdomains under mx.microsoft. July 1, 2026 (previously February 1) if not secured with DNSSEC at the domain level (ex. contoso.com), then DNS resolution will work as usual. If an Accepted Domain you add to the EAC after July 1, 2026 (previously February 1) is secured with DNSSEC, then DNSSEC will extend to the mx.microsoft DNS record automatically and you will get the benefits of DNSSEC without having to take any further action. Any issues with DNSSEC can be addressed by disabling DNSSEC for the Accepted Domain (ex. contoso.com) via your DNS provider.
[What you need to do to prepare:]
If you have any automation in place, for example in workflows for Domain Setup, for MX record creation that expects A records for newly provisioned Accepted Domains to be provisioned in mail.protection.outlook.com, this automation needs to be updated by July 1, 2026 (previously February 1) to use List serviceConfigurationRecords Graph API (List serviceConfigurationRecords). Use List serviceConfigurationRecords to retrieve the mailExchange value for your MX record. After July 1, 2026 (previously February 1), List serviceConfigurationRecords Graph API will be the only source of truth for your Accepted Domains’ MX record value. You will not be able to rely on the Accepted Domain’s A record being provisioned in mail.protection.outlook.com after July 1, 2026 (previously February 1).
If you are using automation that expects the record to end with mail.protection.outlook.com, when you add a new Accepted Domain to the Exchange Admin Center after July 1, 2026 (previously February 1), mail flow may not work upon initial configuration and you will have to update your MX record to match what the Exchange Admin Center says for the domain or use the mailExchange value returned by List serviceConfigurationRecords Graph API.
If you expect this change to cause any issues for your organization, please share that feedback.
