check before: 2026-02-01
Product:
Exchange, Microsoft 365 admin center, Microsoft Graph
Platform:
Developer, Online, World tenant
Status:
Change type:
Admin impact, Updated message
Links:
Details:
Summary:
Starting February 1, 2025, A records for new Accepted Domains will be provisioned under mx.microsoft instead of mail.protection.outlook.com to support DNSSEC adoption. Update any automation to use the List serviceConfigurationRecords Graph API for MX records by this date to avoid mail flow issues.
Details:
Updated October 2, 2025: We have updated the timeline. Thank you for your patience.
We're making some changes to DNS provisioning of A records for all new Accepted Domains provisioned after February 1st, 2025 (previously October 1st). Between early and late February 2026 (previously early October and late October), we will gradually switch provisioning of all A records for new Accepted Domains into the new subdomains under mx.microsoft.
We are doing this to reduce the friction of adopting DNSSEC in the long run. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks to DNS.
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
Created:
2025-04-05
updated:
2025-10-02
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
summary for non-techies**
XXXXXXX ... free basic plan only
Direct effects for Operations**
Mail Flow Disruption
If automation expecting A records to be provisioned under mail.protection.outlook.com is not updated, mail flow may fail for new Accepted Domains.
- roles: Exchange Administrator, IT Support
- references: https://learn.microsoft.com/graph/api/domain-list-serviceconfigurationrecords?view=graph-rest-1.0&tabs=http
Increased Support Tickets
Users may experience issues with email delivery, leading to an increase in support tickets and user frustration.
- roles: Help Desk Staff, IT Support
- references: https://learn.microsoft.com/graph/api/domain-list-serviceconfigurationrecords?view=graph-rest-1.0&tabs=http
Automation Failures
Existing automation workflows that rely on the old A record provisioning will fail, requiring immediate updates to avoid disruptions.
- roles: DevOps Engineer, System Administrator
- references: https://learn.microsoft.com/graph/api/domain-list-serviceconfigurationrecords?view=graph-rest-1.0&tabs=http
User Experience Degradation
Users may face delays in email communication due to misconfigured MX records, impacting productivity.
- roles: End Users, Project Managers
- references: https://learn.microsoft.com/graph/api/domain-list-serviceconfigurationrecords?view=graph-rest-1.0&tabs=http
DNSSEC Adoption Issues
Organizations not prepared for DNSSEC may face challenges in securing their domains, leading to potential security vulnerabilities.
- roles: Network Administrator, Security Officer
- references: https://learn.microsoft.com/graph/api/domain-list-serviceconfigurationrecords?view=graph-rest-1.0&tabs=http
Configutation Options**
XXXXXXX ... paid membership only
Opportunities**
XXXXXXX ... free basic plan only
Potentional Risks**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
explanation for non-techies**
Imagine you're managing a large office building. Traditionally, when someone wanted to send a letter to a specific department, they would use a well-known address format. Let's say the address was "mail.protection.outlook.com." This address worked well for a long time, but now there's a new system in place that offers better security features, much like upgrading the building's security system to prevent unauthorized access.
Starting February 1, 2025, the address format for new departments (or "Accepted Domains" in tech terms) will change to "mx.microsoft." This change is like updating the building's directory to use a new, more secure address format. The reason for this change is to adopt a security protocol called DNSSEC, which acts like a digital lock and key system, ensuring that the mail reaches the right department without being intercepted or tampered with.
If your office has an automated system that directs mail based on the old address format, you'll need to update it to recognize the new format by February 1, 2025. Think of it as reprogramming your office's mail sorting machine to understand the new directory. This update is crucial because after this date, the old address format won't work for new departments, and mail might not be delivered correctly.
To help with this transition, there's a new tool available called the List serviceConfigurationRecords Graph API. It's like a digital assistant that provides the correct address for each department. By using this tool, you can ensure that your mail sorting system always has the latest and most accurate address information.
If you don't update your system, it's like continuing to send mail to an old address that no longer exists. The mail won't reach its destination, and you'll need to manually check the new directory to find the correct address. To avoid disruptions, it's important to make these updates before the deadline.
If you foresee any challenges with this change, it's important to communicate them so that solutions can be found. This way, the transition to the new, more secure system can be as smooth as possible for everyone involved.
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.
change history
| Date | Property | old | new |
| 2025-10-02 | MC prepare | If you have any automation in place, for example in workflows for Domain Setup, for MX record creation that expects A records for newly provisioned Accepted Domains to be provisioned in mail.protection.outlook.com, this automation needs to be updated by October 1st (previously August 1st) to use List serviceConfigurationRecords Graph API (List serviceConfigurationRecords). Use List serviceConfigurationRecords to retrieve the mailExchange value for your MX record. After October 1st (previously August 1st), List serviceConfigurationRecords Graph API will be the only source of truth for your Accepted Domains' MX record value. You will not be able to rely on the Accepted Domain's A record being provisioned in mail.protection.outlook.com after October 1st (previously August 1st.
If you are using automation that expects the record to end with mail.protection.outlook.com, when you add a new Accepted Domain to the Exchange Admin Center after October 1st (previously August 1st), mail flow may not work upon initial configuration and you will have to update your MX record to match what the Exchange Admin Center says for the domain or use the mailExchange value returned by List serviceConfigurationRecords Graph API. If you expect this change to cause any issues for your organization, please share that feedback. https://learn.microsoft.com/graph/api/domain-list-serviceconfigurationrecords?view=graph-rest-1.0&tabs=http | If you have any automation in place, for example in workflows for Domain Setup, for MX record creation that expects A records for newly provisioned Accepted Domains to be provisioned in mail.protection.outlook.com, this automation needs to be updated by February 1st, 2025 (previously October 1st) to use List serviceConfigurationRecords Graph API (List serviceConfigurationRecords). Use List serviceConfigurationRecords to retrieve the mailExchange value for your MX record. After February 1st, 2025 (previously October 1st), List serviceConfigurationRecords Graph API will be the only source of truth for your Accepted Domains' MX record value. You will not be able to rely on the Accepted Domain's A record being provisioned in mail.protection.outlook.com after February 1st, 2025 (previously October 1st).
If you are using automation that expects the record to end with mail.protection.outlook.com, when you add a new Accepted Domain to the Exchange Admin Center after February 1st, 2025 (previously October 1st), mail flow may not work upon initial configuration and you will have to update your MX record to match what the Exchange Admin Center says for the domain or use the mailExchange value returned by List serviceConfigurationRecords Graph API. If you expect this change to cause any issues for your organization, please share that feedback. https://learn.microsoft.com/graph/api/domain-list-serviceconfigurationrecords?view=graph-rest-1.0&tabs=http |
| 2025-10-02 | MC Summary | Starting October 1, 2025, A records for new Accepted Domains will be provisioned under mx.microsoft to support DNSSEC adoption. Automation relying on mail.protection.outlook.com must update to use the List serviceConfigurationRecords Graph API for MX records. DNS resolution will fallback if DNSSEC is not enabled. | Starting February 1, 2025, A records for new Accepted Domains will be provisioned under mx.microsoft instead of mail.protection.outlook.com to support DNSSEC adoption. Update any automation to use the List serviceConfigurationRecords Graph API for MX records by this date to avoid mail flow issues. |
| 2025-10-02 | MC Last Updated | 08/22/2025 19:29:54 | 2025-10-02T18:59:10Z |
| 2025-10-02 | MC Messages | Updated August 22, 2025: We have updated the content. Thank you for your patience.
We're making some changes to DNS provisioning of A records for all new Accepted Domains provisioned after October 1st, 2025 (previously August 1st). Between early and late October 2025 (previously early August and late August), we will gradually switch provisioning of all A records for new Accepted Domains into the new subdomains under mx.microsoft. We are doing this to reduce the friction of adopting DNSSEC in the long run. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks to DNS. | Updated October 2, 2025: We have updated the timeline. Thank you for your patience.
We're making some changes to DNS provisioning of A records for all new Accepted Domains provisioned after February 1st, 2025 (previously October 1st). Between early and late February 2026 (previously early October and late October), we will gradually switch provisioning of all A records for new Accepted Domains into the new subdomains under mx.microsoft. We are doing this to reduce the friction of adopting DNSSEC in the long run. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks to DNS. |
| 2025-10-02 | MC Action Required By | 07/01/2025 09:00:00 | 2026-02-01T08:00:00Z |
| 2025-10-02 | MC How Affect | After October 1st, 2025 (previously August 1st), all A records for new Accepted Domains will be provisioned into the new subdomains under mx.microsoft.
DNS resolution will safely fallback to "plain" DNS if a domain is not DNSSEC enabled. If an Accepted Domain you add to the Exchange Admin Center after October 1st (previously August 1st) is not secured with DNSSEC at the domain level (ex. contoso.com), then DNS resolution will work as usual. If an Accepted Domain you add to the EAC after October 1st (previously August 1st) is secured with DNSSEC, then DNSSEC will extend to the mx.microsoft DNS record automatically and you will get the benefits of DNSSEC without having to take any further action. Any issues with DNSSEC can be addressed by disabling DNSSEC for the Accepted Domain (ex. contoso.com) via your DNS provider. | After February 1st, 2025 (previously October 1st), all A records for new Accepted Domains will be provisioned into the new subdomains under mx.microsoft.February 1st, 2025 (previously October 1st) is not secured with DNSSEC at the domain level (ex. contoso.com), then DNS resolution will work as usual. If an Accepted Domain you add to the EAC after February 1st, 2025 (previously October 1st) is secured with DNSSEC, then DNSSEC will extend to the mx.microsoft DNS record automatically and you will get the benefits of DNSSEC without having to take any further action. Any issues with DNSSEC can be addressed by disabling DNSSEC for the Accepted Domain (ex. contoso.com) via your DNS provider. |
| 2025-08-23 | MC Messages | Updated August 6, 2025: We have updated the timeline. Thank you for your patience.
We're making some changes to DNS provisioning of A records for all new Accepted Domains provisioned after August 1st, 2025. Between early August and late August, 2025 (previously July 1st and August 1st, we will gradually switch provisioning of all A records for new Accepted Domains into the new subdomains under mx.microsoft. We are doing this to reduce the friction of adopting DNSSEC in the long run. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks to DNS. | Updated August 22, 2025: We have updated the content. Thank you for your patience.
We're making some changes to DNS provisioning of A records for all new Accepted Domains provisioned after October 1st, 2025 (previously August 1st). Between early and late October 2025 (previously early August and late August), we will gradually switch provisioning of all A records for new Accepted Domains into the new subdomains under mx.microsoft. We are doing this to reduce the friction of adopting DNSSEC in the long run. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks to DNS. |
| 2025-08-23 | MC How Affect | After August 1st, 2025, all A records for new Accepted Domains will be provisioned into the new subdomains under mx.microsoft.
DNS resolution will safely fallback to "plain" DNS if a domain is not DNSSEC enabled. If an Accepted Domain you add to the Exchange Admin Center after August 1st is not secured with DNSSEC at the domain level (ex. contoso.com), then DNS resolution will work as usual. If an Accepted Domain you add to the EAC after August 1st is secured with DNSSEC, then DNSSEC will extend to the mx.microsoft DNS record automatically and you will get the benefits of DNSSEC without having to take any further action. Any issues with DNSSEC can be addressed by disabling DNSSEC for the Accepted Domain (ex. contoso.com) via your DNS provider. | After October 1st, 2025 (previously August 1st), all A records for new Accepted Domains will be provisioned into the new subdomains under mx.microsoft.
DNS resolution will safely fallback to "plain" DNS if a domain is not DNSSEC enabled. If an Accepted Domain you add to the Exchange Admin Center after October 1st (previously August 1st) is not secured with DNSSEC at the domain level (ex. contoso.com), then DNS resolution will work as usual. If an Accepted Domain you add to the EAC after October 1st (previously August 1st) is secured with DNSSEC, then DNSSEC will extend to the mx.microsoft DNS record automatically and you will get the benefits of DNSSEC without having to take any further action. Any issues with DNSSEC can be addressed by disabling DNSSEC for the Accepted Domain (ex. contoso.com) via your DNS provider. |
| 2025-08-23 | MC Last Updated | 08/06/2025 21:56:26 | 2025-08-22T19:29:54Z |
| 2025-08-23 | MC prepare | If you have any automation in place, for example in workflows for Domain Setup, for MX record creation that expects A records for newly provisioned Accepted Domains to be provisioned in mail.protection.outlook.com, this automation needs to be updated by August 1st to use List serviceConfigurationRecords Graph API (List serviceConfigurationRecords). Use List serviceConfigurationRecords to retrieve the mailExchange value for your MX record. After August 1st, List serviceConfigurationRecords Graph API will be the only source of truth for your Accepted Domains' MX record value. You will not be able to rely on the Accepted Domain's A record being provisioned in mail.protection.outlook.com after August 1st.
If you are using automation that expects the record to end with mail.protection.outlook.com, when you add a new Accepted Domain to the Exchange Admin Center after August 1st, mail flow may not work upon initial configuration and you will have to update your MX record to match what the Exchange Admin Center says for the domain or use the mailExchange value returned by List serviceConfigurationRecords Graph API. If you expect this change to cause any issues for your organization, please share that feedback. https://learn.microsoft.com/graph/api/domain-list-serviceconfigurationrecords?view=graph-rest-1.0&tabs=http | If you have any automation in place, for example in workflows for Domain Setup, for MX record creation that expects A records for newly provisioned Accepted Domains to be provisioned in mail.protection.outlook.com, this automation needs to be updated by October 1st (previously August 1st) to use List serviceConfigurationRecords Graph API (List serviceConfigurationRecords). Use List serviceConfigurationRecords to retrieve the mailExchange value for your MX record. After October 1st (previously August 1st), List serviceConfigurationRecords Graph API will be the only source of truth for your Accepted Domains' MX record value. You will not be able to rely on the Accepted Domain's A record being provisioned in mail.protection.outlook.com after October 1st (previously August 1st.
If you are using automation that expects the record to end with mail.protection.outlook.com, when you add a new Accepted Domain to the Exchange Admin Center after October 1st (previously August 1st), mail flow may not work upon initial configuration and you will have to update your MX record to match what the Exchange Admin Center says for the domain or use the mailExchange value returned by List serviceConfigurationRecords Graph API. If you expect this change to cause any issues for your organization, please share that feedback. https://learn.microsoft.com/graph/api/domain-list-serviceconfigurationrecords?view=graph-rest-1.0&tabs=http |
| 2025-08-23 | MC Summary | Starting August 1, 2025, new Accepted Domains' A records will be provisioned under mx.microsoft subdomains to support DNSSEC adoption. Automation relying on mail.protection.outlook.com must update by August 1 to use the List serviceConfigurationRecords Graph API for MX records. DNS resolution will fallback if DNSSEC is not enabled. | Starting October 1, 2025, A records for new Accepted Domains will be provisioned under mx.microsoft to support DNSSEC adoption. Automation relying on mail.protection.outlook.com must update to use the List serviceConfigurationRecords Graph API for MX records. DNS resolution will fallback if DNSSEC is not enabled. |
| 2025-08-07 | MC prepare | If you have any automation in place, for example in workflows for Domain Setup, for MX record creation that expects A records for newly provisioned Accepted Domains to be provisioned in mail.protection.outlook.com, this automation needs to be updated by July 1st to use List serviceConfigurationRecords Graph API (List serviceConfigurationRecords). Use List serviceConfigurationRecords to retrieve the mailExchange value for your MX record. After July 1st, List serviceConfigurationRecords Graph API will be the only source of truth for your Accepted Domains' MX record value. You will not be able to rely on the Accepted Domain's A record being provisioned in mail.protection.outlook.com after July 1st.
If you are using automation that expects the record to end with mail.protection.outlook.com, when you add a new Accepted Domain to the Exchange Admin Center after July 1st, mail flow may not work upon initial configuration and you will have to update your MX record to match what the Exchange Admin Center says for the domain or use the mailExchange value returned by List serviceConfigurationRecords Graph API. If you expect this change to cause any issues for your organization, please share that feedback. https://learn.microsoft.com/graph/api/domain-list-serviceconfigurationrecords?view=graph-rest-1.0&tabs=http | If you have any automation in place, for example in workflows for Domain Setup, for MX record creation that expects A records for newly provisioned Accepted Domains to be provisioned in mail.protection.outlook.com, this automation needs to be updated by August 1st to use List serviceConfigurationRecords Graph API (List serviceConfigurationRecords). Use List serviceConfigurationRecords to retrieve the mailExchange value for your MX record. After August 1st, List serviceConfigurationRecords Graph API will be the only source of truth for your Accepted Domains' MX record value. You will not be able to rely on the Accepted Domain's A record being provisioned in mail.protection.outlook.com after August 1st.
If you are using automation that expects the record to end with mail.protection.outlook.com, when you add a new Accepted Domain to the Exchange Admin Center after August 1st, mail flow may not work upon initial configuration and you will have to update your MX record to match what the Exchange Admin Center says for the domain or use the mailExchange value returned by List serviceConfigurationRecords Graph API. If you expect this change to cause any issues for your organization, please share that feedback. https://learn.microsoft.com/graph/api/domain-list-serviceconfigurationrecords?view=graph-rest-1.0&tabs=http |
| 2025-08-07 | MC MessageTagNames | Admin impact | Updated message, Admin impact |
| 2025-08-07 | MC Summary | Starting August 1, 2025, new Accepted Domains' A records will be provisioned under mx.microsoft subdomains to support DNSSEC adoption. Automation relying on mail.protection.outlook.com must update by August 1 to use the List serviceConfigurationRecords Graph API for MX records. DNS resolution will fallback if DNSSEC is not enabled. | |
| 2025-08-07 | MC Last Updated | 04/05/2025 01:12:45 | 2025-08-06T21:56:26Z |
| 2025-08-07 | MC Messages | We're making some changes to DNS provisioning of A records for all new Accepted Domains provisioned after July 1st, 2025. Between July 1st and August 1st, 2025, we will gradually switch provisioning of all A records for new Accepted Domains into the new subdomains under mx.microsoft.
We are doing this to reduce the friction of adopting DNSSEC in the long run. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks to DNS. | Updated August 6, 2025: We have updated the timeline. Thank you for your patience.
We're making some changes to DNS provisioning of A records for all new Accepted Domains provisioned after August 1st, 2025. Between early August and late August, 2025 (previously July 1st and August 1st, we will gradually switch provisioning of all A records for new Accepted Domains into the new subdomains under mx.microsoft. We are doing this to reduce the friction of adopting DNSSEC in the long run. DNSSEC is a set of extensions to DNS that provides cryptographic verification of DNS records, preventing DNS spoofing and adversary-in-the-middle attacks to DNS. |
| 2025-08-07 | MC Title | DNS Provisioning Change | (Updated) DNS Provisioning Change |
| 2025-08-07 | MC How Affect | After August 1st 2025, all A records for new Accepted Domains will be provisioned into the new subdomains under mx.microsoft.
DNS resolution will safely fallback to "plain" DNS if a domain is not DNSSEC enabled. If an Accepted Domain you add to the Exchange Admin Center after July 1st is not secured with DNSSEC at the domain level (ex. contoso.com), then DNS resolution will work as usual. If an Accepted Domain you add to the EAC after July 1st is secured with DNSSEC, then DNSSEC will extend to the mx.microsoft DNS record automatically and you will get the benefits of DNSSEC without having to take any further action. Any issues with DNSSEC can be addressed by disabling DNSSEC for the Accepted Domain (ex. contoso.com) via your DNS provider. | After August 1st, 2025, all A records for new Accepted Domains will be provisioned into the new subdomains under mx.microsoft.
DNS resolution will safely fallback to "plain" DNS if a domain is not DNSSEC enabled. If an Accepted Domain you add to the Exchange Admin Center after August 1st is not secured with DNSSEC at the domain level (ex. contoso.com), then DNS resolution will work as usual. If an Accepted Domain you add to the EAC after August 1st is secured with DNSSEC, then DNSSEC will extend to the mx.microsoft DNS record automatically and you will get the benefits of DNSSEC without having to take any further action. Any issues with DNSSEC can be addressed by disabling DNSSEC for the Accepted Domain (ex. contoso.com) via your DNS provider. |
Last updated 4 weeks ago ago
