Details
During initial onboarding, if a domain is skipped, Shield still onboards the users for the skipped domain, but it doesn't perform full filtering for that domain until you make the DNS and transport rule changes described below.
If a domain is added to the Microsoft 365 tenant after Shield onboarding, it can also be onboarded using these steps.
How to Add a Skipped or New Domain
Prepare the domain
MX Record Check
Before proceeding, ensure the MX record points to Microsoft or Shield. It cannot point to CloudFilter. Check for the tenant domain's MX record in Microsoft 365 Admin Center. If the Shield value is preferred, add the record in the form of: domain-tld.in.shield.security
Example for psuccess2.org: psuccess2-org.in.shield.security
Subdomain example for support.psuccess2.org: support-psuccess2-org.in.shield.security
Prepare the email-enabled domain in the M365 tenant
- Microsoft allows the addition of multiple domains to a tenant. The deployment process will recognize only email-enabled domains reported by Microsoft's API.
- Shield is applied to all addresses in M365 tenant domains selected for Shield deployment.
- Domains that have email addresses, whether licensed or not, must have mail services enabled so that Microsoft's API reports them as email-enabled.
- Click the domain name if you see 'No services selected' on an email-enabled domain.
- Go to DNS Records and Manage DNS. Follow the guide to add DNS records for the domain.
- Adding the Exchange and Exchange Online Protection service is necessary for Shield to recognize the email-enabled domain.
Microsoft 365 Transport Rules
The Send to Frontline, Send to Junk, and Send to Outpost transport rules will have criteria that identify the specific domains you selected during onboarding, and the skipped domains should be manually added to these rules. See the Shield Transport Rules article for details.
Shield - Send to Frontline
Apply this rule if
A recipient's domain is:
domain.tld (example: pssuccess2.org)
domainalias.tld (example: abigailsinclairthethird.com)
Do not delete the existing domain. Add a second value to the recipient's domain.
Shield - Send to Bracket
Apply this rule if
A sender domain is:
domain.tld (example: pssuccess2.org)
domainalias.tld (example: mpdemo.net)
Do not delete the existing domain. Add a second value to the sender domain.
Shield - Send to Outpost
Apply this rule if
A sender domain is:
domain.tld (example: pssuccess2.org)
domainalias.tld (example: mpdemo.net)
Do not delete the existing domain. Add a second value to the sender domain.
Onboard the skipped domain
Once the domain is prepared, you can go into the Shield Organization, click on View Domains, and then click Setup on the domain you'd like to add to Shield.
The Entri login screen will appear to add SPF and DKIM values for the domain. Follow the screens to allow for automated record updating, or choose the option for manual entry and copy/paste the entries into the DNS records.
For GoDaddy domains, please follow the manual setup at this time.
Verification will begin once Entri successfully completes.
You may need to refresh the browser tab to see the change from Verifying to Active.
SPF and DKIM examples
The SPF and DKIM should be added for you. However, example values are included below for your reference.
SPF TXT Record
- v=spf1 include:spf.protection.outlook.com include:spf.shield.security -all
- Note that there may be other entries in the SPF record that should be preserved.
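The note above is the easy thing to get wrong: replacing the whole TXT record with the example value silently drops any other senders the domain already authorizes. The following Python is an added example, not part of this article or of Shield's tooling; it adds the two required includes to whatever SPF record already exists, keeps the existing mechanisms and the existing "all" qualifier, and counts the lookup-costing terms against the limit of 10 that RFC 7208 imposes (a record that exceeds it fails evaluation at many receivers). The sample records are constructed.

```python
"""Merge the Shield and Microsoft 365 SPF includes into an existing SPF TXT
record without dropping the mechanisms that are already there.
Added example; the include values come from the article, the sample
records below are constructed."""
from typing import Optional

REQUIRED_INCLUDES = (
    "include:spf.protection.outlook.com",
    "include:spf.shield.security",
)
QUALIFIERS = "+-~?"


def _mechanism(term: str) -> str:
    """Strip the optional qualifier and normalise case: '~include:X' -> 'include:x'."""
    return term.lstrip(QUALIFIERS).lower()


def merge_spf(existing: Optional[str]) -> str:
    """Return the SPF record with both required includes present exactly once."""
    terms = existing.split() if existing else []
    if not terms:
        terms = ["v=spf1"]          # no record yet: start a fresh one
    if terms[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {existing!r}")
    body = terms[1:]
    all_term = "-all"               # the article's example ends with -all
    if body and _mechanism(body[-1]) == "all":
        all_term = body.pop()       # keep the qualifier the record already uses
    for inc in REQUIRED_INCLUDES:
        if not any(_mechanism(t) == inc for t in body):
            body.append(inc)        # insert before the terminal "all"
    return " ".join(["v=spf1", *body, all_term])


def lookup_count(record: str) -> int:
    """Count the terms that each cost one DNS lookup under RFC 7208's limit of 10
    (include, a, mx, ptr, exists, redirect); ip4/ip6/all are free."""
    n = 0
    for term in record.split()[1:]:
        m = _mechanism(term)
        name = m.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            n += 1
    return n


if __name__ == "__main__":
    # Constructed: a domain that already authorises an IP range and a third party.
    current = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
    merged = merge_spf(current)
    print(merged)
    print("lookups used:", lookup_count(merged), "of 10")
```

The merge is idempotent, so it is safe to run again after Entri or a manual edit has already added one of the includes; only the top-level terms are counted, so includes that themselves fan out to further includes still need a real resolver-based check before you trust the total.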
DKIM CNAME Records
- shield1._domainkey -> domain-tld.selector1._domainkey.shield.security
- shield2._domainkey -> domain-tld.selector2._domainkey.shield.security
Replace domain-tld with the domain you are adding to Shield, keeping the '-' in place.
Example:
psuccess2-org.selector1._domainkey.shield.security
psuccess2-org.selector2._domainkey.shield.security
Subdomain values for DKIM are in the format subdomain-domain-tld.
Example:
tech-psuccess2-org.selector1._domainkey.shield.security
tech-psuccess2-org.selector2._domainkey.shield.security
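The same dots-to-hyphens rule produces the MX target in the MX Record Check section and the DKIM CNAME targets above, and both are easy to mistype for subdomains. The Python below is an added example, not part of this article or of Shield's tooling: it derives the label and the expected MX and DKIM records for any domain or subdomain, checks a set of resolved MX hosts against the rule that they must point to Microsoft or Shield and never to CloudFilter, and diffs resolved CNAME targets against the expected ones. The Shield suffixes come from the article; the Microsoft MX suffix and the "cloudfilter" host pattern are assumptions used only for the sanity check, and the resolver answers are constructed rather than looked up.

```python
"""Derive and check the DNS values Shield expects for a domain.
Added example, not Shield's own tooling. The label rule and the Shield MX and
DKIM target formats come from the article; MICROSOFT_MX_SUFFIX and the
'cloudfilter' substring are assumptions; the sample answers are constructed."""
from typing import Dict, List, Tuple

SHIELD_MX_SUFFIX = ".in.shield.security"                # from the article
MICROSOFT_MX_SUFFIX = ".mail.protection.outlook.com"    # assumed M365 MX pattern
DKIM_SELECTORS = ("shield1", "shield2")                  # from the article


def normalize_domain(domain: str) -> str:
    """Lower-case, drop a trailing dot, and reject obviously malformed names."""
    d = domain.strip().rstrip(".").lower()
    if not d or d.startswith(".") or ".." in d or " " in d:
        raise ValueError(f"malformed domain: {domain!r}")
    return d


def shield_label(domain: str) -> str:
    """psuccess2.org -> psuccess2-org; support.psuccess2.org -> support-psuccess2-org."""
    return normalize_domain(domain).replace(".", "-")


def expected_records(domain: str) -> Dict[str, Tuple[str, str]]:
    """Map record name -> (type, expected target) for the Shield MX and DKIM CNAMEs."""
    d = normalize_domain(domain)
    label = shield_label(d)
    records = {d: ("MX", f"{label}{SHIELD_MX_SUFFIX}")}
    for n, selector in enumerate(DKIM_SELECTORS, start=1):
        records[f"{selector}._domainkey.{d}"] = (
            "CNAME", f"{label}.selector{n}._domainkey.shield.security")
    return records


def check_mx(mx_hosts: List[str]) -> Tuple[bool, str]:
    """Accept MX hosts that point at Shield or Microsoft; reject anything else,
    with CloudFilter called out explicitly (matched by an assumed substring)."""
    if not mx_hosts:
        return False, "no MX records"
    providers = set()
    for host in mx_hosts:
        h = host.rstrip(".").lower()
        if "cloudfilter" in h:
            return False, f"MX must not point to CloudFilter: {host}"
        if h.endswith(SHIELD_MX_SUFFIX):
            providers.add("shield")
        elif h.endswith(MICROSOFT_MX_SUFFIX):
            providers.add("microsoft")
        else:
            return False, f"unexpected MX host: {host}"
    return True, ",".join(sorted(providers))


def dkim_mismatches(domain: str, resolved_cnames: Dict[str, str]) -> List[str]:
    """List every DKIM CNAME whose resolved target differs from the expected one."""
    problems = []
    for name, (rtype, target) in expected_records(domain).items():
        if rtype != "CNAME":
            continue
        got = resolved_cnames.get(name, "").rstrip(".").lower()
        if got != target:
            problems.append(f"{name}: expected {target}, got {got or 'nothing'}")
    return problems


if __name__ == "__main__":
    # Constructed resolver answers; the second CNAME reuses selector1 by mistake.
    sample_mx = ["psuccess2-org.in.shield.security."]
    sample_cnames = {
        "shield1._domainkey.psuccess2.org": "psuccess2-org.selector1._domainkey.shield.security.",
        "shield2._domainkey.psuccess2.org": "psuccess2-org.selector1._domainkey.shield.security.",
    }
    print("MX:", check_mx(sample_mx))
    for name, (rtype, target) in expected_records("tech.psuccess2.org").items():
        print(f"{name} {rtype} {target}")
    for problem in dkim_mismatches("psuccess2.org", sample_cnames):
        print("DKIM:", problem)
```

Feeding real resolver output into check_mx and dkim_mismatches before clicking Setup in the Shield Organization catches the two states the article warns about (an MX still pointing elsewhere, and a CNAME that verifies forever) without waiting for the Verifying status to change.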