Summary
Details
Updated October 2, 2025: We have updated the timeline. Thank you for your patience.
We’re making some changes to DNS provisioning of A records for all new Accepted Domains provisioned after February 1st, 2025 (previously October 1st). Between early and late February 2026 (previously early October and late October), we will gradually switch provisioning of all A records for new Accepted Domains into the new subdomains under mx.microsoft.
We are doing this to reduce the friction of adopting DNSSEC in the long run. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks to DNS.
[How this will affect your organization:]
After February 1st, 2025 (previously October 1st), all A records for new Accepted Domains will be provisioned into the new subdomains under mx.microsoft.February 1st, 2025 (previously October 1st) is not secured with DNSSEC at the domain level (ex. contoso.com), then DNS resolution will work as usual. If an Accepted Domain you add to the EAC after February 1st, 2025 (previously October 1st) is secured with DNSSEC, then DNSSEC will extend to the mx.microsoft DNS record automatically and you will get the benefits of DNSSEC without having to take any further action. Any issues with DNSSEC can be addressed by disabling DNSSEC for the Accepted Domain (ex. contoso.com) via your DNS provider.
[What you need to do to prepare:]
If you have any automation in place, for example in workflows for Domain Setup, for MX record creation that expects A records for newly provisioned Accepted Domains to be provisioned in mail.protection.outlook.com, this automation needs to be updated by February 1st, 2025 (previously October 1st) to use List serviceConfigurationRecords Graph API (List serviceConfigurationRecords). Use List serviceConfigurationRecords to retrieve the mailExchange value for your MX record. After February 1st, 2025 (previously October 1st), List serviceConfigurationRecords Graph API will be the only source of truth for your Accepted Domains’ MX record value. You will not be able to rely on the Accepted Domain’s A record being provisioned in mail.protection.outlook.com after February 1st, 2025 (previously October 1st).
If you are using automation that expects the record to end with mail.protection.outlook.com, when you add a new Accepted Domain to the Exchange Admin Center after February 1st, 2025 (previously October 1st), mail flow may not work upon initial configuration and you will have to update your MX record to match what the Exchange Admin Center says for the domain or use the mailExchange value returned by List serviceConfigurationRecords Graph API.
If you expect this change to cause any issues for your organization, please share that feedback.
Change History
Updated August 22, 2025: We have updated the content. Thank you for your patience.
We’re making some changes to DNS provisioning of A records for all new Accepted Domains provisioned after October 1st, 2025 (previously August 1st). Between early and late October 2025 (previously early August and late August), we will gradually switch provisioning of all A records for new Accepted Domains into the new subdomains under mx.microsoft.
We are doing this to reduce the friction of adopting DNSSEC in the long run. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks to DNS.
[How this will affect your organization:]
After October 1st, 2025 (previously August 1st), all A records for new Accepted Domains will be provisioned into the new subdomains under mx.microsoft.
DNS resolution will safely fallback to “plain” DNS if a domain is not DNSSEC enabled. If an Accepted Domain you add to the Exchange Admin Center after October 1st (previously August 1st) is not secured with DNSSEC at the domain level (ex. contoso.com), then DNS resolution will work as usual. If an Accepted Domain you add to the EAC after October 1st (previously August 1st) is secured with DNSSEC, then DNSSEC will extend to the mx.microsoft DNS record automatically and you will get the benefits of DNSSEC without having to take any further action. Any issues with DNSSEC can be addressed by disabling DNSSEC for the Accepted Domain (ex. contoso.com) via your DNS provider.
[What you need to do to prepare:]
If you have any automation in place, for example in workflows for Domain Setup, for MX record creation that expects A records for newly provisioned Accepted Domains to be provisioned in mail.protection.outlook.com, this automation needs to be updated by October 1st (previously August 1st) to use List serviceConfigurationRecords Graph API (List serviceConfigurationRecords). Use List serviceConfigurationRecords to retrieve the mailExchange value for your MX record. After October 1st (previously August 1st), List serviceConfigurationRecords Graph API will be the only source of truth for your Accepted Domains’ MX record value. You will not be able to rely on the Accepted Domain’s A record being provisioned in mail.protection.outlook.com after October 1st (previously August 1st.
If you are using automation that expects the record to end with mail.protection.outlook.com, when you add a new Accepted Domain to the Exchange Admin Center after October 1st (previously August 1st), mail flow may not work upon initial configuration and you will have to update your MX record to match what the Exchange Admin Center says for the domain or use the mailExchange value returned by List serviceConfigurationRecords Graph API.
If you expect this change to cause any issues for your organization, please share that feedback.
Updated October 2, 2025: We have updated the timeline. Thank you for your patience.
We’re making some changes to DNS provisioning of A records for all new Accepted Domains provisioned after February 1st, 2025 (previously October 1st). Between early and late February 2026 (previously early October and late October), we will gradually switch provisioning of all A records for new Accepted Domains into the new subdomains under mx.microsoft.
We are doing this to reduce the friction of adopting DNSSEC in the long run. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks to DNS.
[How this will affect your organization:]
After February 1st, 2025 (previously October 1st), all A records for new Accepted Domains will be provisioned into the new subdomains under mx.microsoft.February 1st, 2025 (previously October 1st) is not secured with DNSSEC at the domain level (ex. contoso.com), then DNS resolution will work as usual. If an Accepted Domain you add to the EAC after February 1st, 2025 (previously October 1st) is secured with DNSSEC, then DNSSEC will extend to the mx.microsoft DNS record automatically and you will get the benefits of DNSSEC without having to take any further action. Any issues with DNSSEC can be addressed by disabling DNSSEC for the Accepted Domain (ex. contoso.com) via your DNS provider.
[What you need to do to prepare:]
If you have any automation in place, for example in workflows for Domain Setup, for MX record creation that expects A records for newly provisioned Accepted Domains to be provisioned in mail.protection.outlook.com, this automation needs to be updated by February 1st, 2025 (previously October 1st) to use List serviceConfigurationRecords Graph API (List serviceConfigurationRecords). Use List serviceConfigurationRecords to retrieve the mailExchange value for your MX record. After February 1st, 2025 (previously October 1st), List serviceConfigurationRecords Graph API will be the only source of truth for your Accepted Domains’ MX record value. You will not be able to rely on the Accepted Domain’s A record being provisioned in mail.protection.outlook.com after February 1st, 2025 (previously October 1st).
If you are using automation that expects the record to end with mail.protection.outlook.com, when you add a new Accepted Domain to the Exchange Admin Center after February 1st, 2025 (previously October 1st), mail flow may not work upon initial configuration and you will have to update your MX record to match what the Exchange Admin Center says for the domain or use the mailExchange value returned by List serviceConfigurationRecords Graph API.
If you expect this change to cause any issues for your organization, please share that feedback.
Updated August 6, 2025: We have updated the timeline. Thank you for your patience.
We’re making some changes to DNS provisioning of A records for all new Accepted Domains provisioned after August 1st, 2025. Between early August and late August, 2025 (previously July 1st and August 1st, we will gradually switch provisioning of all A records for new Accepted Domains into the new subdomains under mx.microsoft.
We are doing this to reduce the friction of adopting DNSSEC in the long run. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks to DNS.
[How this will affect your organization:]
After August 1st, 2025, all A records for new Accepted Domains will be provisioned into the new subdomains under mx.microsoft.
DNS resolution will safely fallback to “plain” DNS if a domain is not DNSSEC enabled. If an Accepted Domain you add to the Exchange Admin Center after August 1st is not secured with DNSSEC at the domain level (ex. contoso.com), then DNS resolution will work as usual. If an Accepted Domain you add to the EAC after August 1st is secured with DNSSEC, then DNSSEC will extend to the mx.microsoft DNS record automatically and you will get the benefits of DNSSEC without having to take any further action. Any issues with DNSSEC can be addressed by disabling DNSSEC for the Accepted Domain (ex. contoso.com) via your DNS provider.
[What you need to do to prepare:]
If you have any automation in place, for example in workflows for Domain Setup, for MX record creation that expects A records for newly provisioned Accepted Domains to be provisioned in mail.protection.outlook.com, this automation needs to be updated by August 1st to use List serviceConfigurationRecords Graph API (List serviceConfigurationRecords). Use List serviceConfigurationRecords to retrieve the mailExchange value for your MX record. After August 1st, List serviceConfigurationRecords Graph API will be the only source of truth for your Accepted Domains’ MX record value. You will not be able to rely on the Accepted Domain’s A record being provisioned in mail.protection.outlook.com after August 1st.
If you are using automation that expects the record to end with mail.protection.outlook.com, when you add a new Accepted Domain to the Exchange Admin Center after August 1st, mail flow may not work upon initial configuration and you will have to update your MX record to match what the Exchange Admin Center says for the domain or use the mailExchange value returned by List serviceConfigurationRecords Graph API.
If you expect this change to cause any issues for your organization, please share that feedback.
Updated August 22, 2025: We have updated the content. Thank you for your patience.
We’re making some changes to DNS provisioning of A records for all new Accepted Domains provisioned after October 1st, 2025 (previously August 1st). Between early and late October 2025 (previously early August and late August), we will gradually switch provisioning of all A records for new Accepted Domains into the new subdomains under mx.microsoft.
We are doing this to reduce the friction of adopting DNSSEC in the long run. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks to DNS.
[How this will affect your organization:]
After October 1st, 2025 (previously August 1st), all A records for new Accepted Domains will be provisioned into the new subdomains under mx.microsoft.
DNS resolution will safely fallback to “plain” DNS if a domain is not DNSSEC enabled. If an Accepted Domain you add to the Exchange Admin Center after October 1st (previously August 1st) is not secured with DNSSEC at the domain level (ex. contoso.com), then DNS resolution will work as usual. If an Accepted Domain you add to the EAC after October 1st (previously August 1st) is secured with DNSSEC, then DNSSEC will extend to the mx.microsoft DNS record automatically and you will get the benefits of DNSSEC without having to take any further action. Any issues with DNSSEC can be addressed by disabling DNSSEC for the Accepted Domain (ex. contoso.com) via your DNS provider.
[What you need to do to prepare:]
If you have any automation in place, for example in workflows for Domain Setup, for MX record creation that expects A records for newly provisioned Accepted Domains to be provisioned in mail.protection.outlook.com, this automation needs to be updated by October 1st (previously August 1st) to use List serviceConfigurationRecords Graph API (List serviceConfigurationRecords). Use List serviceConfigurationRecords to retrieve the mailExchange value for your MX record. After October 1st (previously August 1st), List serviceConfigurationRecords Graph API will be the only source of truth for your Accepted Domains’ MX record value. You will not be able to rely on the Accepted Domain’s A record being provisioned in mail.protection.outlook.com after October 1st (previously August 1st.
If you are using automation that expects the record to end with mail.protection.outlook.com, when you add a new Accepted Domain to the Exchange Admin Center after October 1st (previously August 1st), mail flow may not work upon initial configuration and you will have to update your MX record to match what the Exchange Admin Center says for the domain or use the mailExchange value returned by List serviceConfigurationRecords Graph API.
If you expect this change to cause any issues for your organization, please share that feedback.
We’re making some changes to DNS provisioning of A records for all new Accepted Domains provisioned after July 1st, 2025. Between July 1st and August 1st, 2025, we will gradually switch provisioning of all A records for new Accepted Domains into the new subdomains under mx.microsoft.
We are doing this to reduce the friction of adopting DNSSEC in the long run. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks to DNS.
[How this will affect your organization:]
After August 1st 2025, all A records for new Accepted Domains will be provisioned into the new subdomains under mx.microsoft.
DNS resolution will safely fallback to “plain” DNS if a domain is not DNSSEC enabled. If an Accepted Domain you add to the Exchange Admin Center after July 1st is not secured with DNSSEC at the domain level (ex. contoso.com), then DNS resolution will work as usual. If an Accepted Domain you add to the EAC after July 1st is secured with DNSSEC, then DNSSEC will extend to the mx.microsoft DNS record automatically and you will get the benefits of DNSSEC without having to take any further action. Any issues with DNSSEC can be addressed by disabling DNSSEC for the Accepted Domain (ex. contoso.com) via your DNS provider.
[What you need to do to prepare:]
If you have any automation in place, for example in workflows for Domain Setup, for MX record creation that expects A records for newly provisioned Accepted Domains to be provisioned in mail.protection.outlook.com, this automation needs to be updated by July 1st to use List serviceConfigurationRecords Graph API (List serviceConfigurationRecords). Use List serviceConfigurationRecords to retrieve the mailExchange value for your MX record. After July 1st, List serviceConfigurationRecords Graph API will be the only source of truth for your Accepted Domains’ MX record value. You will not be able to rely on the Accepted Domain’s A record being provisioned in mail.protection.outlook.com after July 1st.
If you are using automation that expects the record to end with mail.protection.outlook.com, when you add a new Accepted Domain to the Exchange Admin Center after July 1st, mail flow may not work upon initial configuration and you will have to update your MX record to match what the Exchange Admin Center says for the domain or use the mailExchange value returned by List serviceConfigurationRecords Graph API.
If you expect this change to cause any issues for your organization, please share that feedback.
Updated August 6, 2025: We have updated the timeline. Thank you for your patience.
We’re making some changes to DNS provisioning of A records for all new Accepted Domains provisioned after August 1st, 2025. Between early August and late August, 2025 (previously July 1st and August 1st, we will gradually switch provisioning of all A records for new Accepted Domains into the new subdomains under mx.microsoft.
We are doing this to reduce the friction of adopting DNSSEC in the long run. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks to DNS.
[How this will affect your organization:]
After August 1st, 2025, all A records for new Accepted Domains will be provisioned into the new subdomains under mx.microsoft.
DNS resolution will safely fallback to “plain” DNS if a domain is not DNSSEC enabled. If an Accepted Domain you add to the Exchange Admin Center after August 1st is not secured with DNSSEC at the domain level (ex. contoso.com), then DNS resolution will work as usual. If an Accepted Domain you add to the EAC after August 1st is secured with DNSSEC, then DNSSEC will extend to the mx.microsoft DNS record automatically and you will get the benefits of DNSSEC without having to take any further action. Any issues with DNSSEC can be addressed by disabling DNSSEC for the Accepted Domain (ex. contoso.com) via your DNS provider.
[What you need to do to prepare:]
If you have any automation in place, for example in workflows for Domain Setup, for MX record creation that expects A records for newly provisioned Accepted Domains to be provisioned in mail.protection.outlook.com, this automation needs to be updated by August 1st to use List serviceConfigurationRecords Graph API (List serviceConfigurationRecords). Use List serviceConfigurationRecords to retrieve the mailExchange value for your MX record. After August 1st, List serviceConfigurationRecords Graph API will be the only source of truth for your Accepted Domains’ MX record value. You will not be able to rely on the Accepted Domain’s A record being provisioned in mail.protection.outlook.com after August 1st.
If you are using automation that expects the record to end with mail.protection.outlook.com, when you add a new Accepted Domain to the Exchange Admin Center after August 1st, mail flow may not work upon initial configuration and you will have to update your MX record to match what the Exchange Admin Center says for the domain or use the mailExchange value returned by List serviceConfigurationRecords Graph API.
If you expect this change to cause any issues for your organization, please share that feedback.
Never Miss a Microsoft 365 Update
Join thousands of IT professionals who rely on DeltaPulse for real-time Microsoft 365 change intelligence, automated notifications, and community insights.