Details
If a domain is skipped during initial onboarding, Shield still onboards the users for that domain, but it doesn't perform full filtering unless you make the DNS and transport rule changes.
If a domain is added to the Microsoft 365 tenant after Shield onboarding, it can also be onboarded using these steps.
How to Add a Skipped or New Domain
Prepare the domain
MX Record Check
Before proceeding, ensure the MX record points to Microsoft. It cannot point to CloudFilter. Check for the tenant domain's MX record in Microsoft 365 Admin Center.
Prepare the email-enabled domain in the M365 tenant
- Microsoft allows the addition of multiple domains to a tenant. The deployment process will recognize only email-enabled domains reported by Microsoft's API.
- Shield is applied to all addresses in M365 tenant domains selected for Shield deployment.
- Domains with email addresses, whether licensed or not, must be configured to enable mail access to Microsoft's API.
- Click the domain name if you see 'No services selected' on an email-enabled domain.
- Go to DNS Records and Manage DNS. Follow the guide to add DNS records for the domain.
- Adding the Exchange and Exchange Online Protection service is necessary for Shield to recognize the email-enabled domain.
Microsoft 365 Transport Rules
The Send to Frontline, Send to Junk, and Send to Outpost transport rules have criteria that identify the specific domains you selected during onboarding. The skipped domains should be manually added to these rules. See the Shield Transport Rules article for details.
Onboard the skipped domain
Once the domain is prepared, you can go into the Shield Organization, click on View Domains, and then click Setup on the domain you'd like to add to Shield.
The Entri login screen will appear so that the SPF and DKIM values can be added for the domain. Follow the screens to allow automated record updating, or choose the option for manual entry and copy/paste the entries into the DNS records.
Verification will begin once Entri successfully completes.
You may need to refresh the browser tab to see the change from Verifying to Active.
SPF and DKIM examples
The SPF and DKIM records should be added for you. However, example values are included below for your reference.
SPF TXT Record
- v=spf1 include:spf.protection.outlook.com include:spf.shield.security -all
- Note that there may be other entries in the SPF record that should be preserved.
DKIM CNAME Records
- shield1._domainkey points to domain-tld.selector1._domainkey.shield.security
- shield2._domainkey points to domain-tld.selector2._domainkey.shield.security
Replace domain-tld with the domain you are adding to Shield, keeping the '-' in place.
Example:
codymulti-work.selector2._domainkey.shield.security
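An offline check of the records above, as an added example that is not Shield's own tooling: it builds the expected DKIM CNAME targets, merges the Shield include into an existing SPF record while preserving its other entries, and audits DNS answers you supply. It assumes domain-tld is the domain with each '.' replaced by '-'; the function names and sample records are constructed for illustration.

```python
import re

M365 = "include:spf.protection.outlook.com"
SHIELD = "include:spf.shield.security"
ALL = re.compile(r"[+\-~?]?all", re.I)

def dkim_cnames(domain):
    """Expected Shield DKIM CNAMEs as {host: target} for one domain."""
    # Assumption: "domain-tld" is the domain with every '.' replaced by '-',
    # consistent with the codymulti-work example value.
    label = domain.lower().rstrip(".").replace(".", "-")
    return {f"shield{n}._domainkey":
            f"{label}.selector{n}._domainkey.shield.security" for n in (1, 2)}

def merge_spf(existing=None):
    """Add the two includes to an SPF record, preserving its other entries."""
    terms = (existing or "v=spf1 -all").split()
    if terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % existing)
    body = [t for t in terms[1:] if not ALL.fullmatch(t)]
    # An existing 'all' qualifier is kept as found; '-all' is used if none.
    tail = [t for t in terms[1:] if ALL.fullmatch(t)][:1] or ["-all"]
    for inc in (M365, SHIELD):
        if inc not in (t.lower() for t in body):
            body.append(inc)
    return " ".join(["v=spf1", *body, *tail])  # 'all' must stay last

def audit(domain, txt_records, cnames):
    """Return a list of problems found in the supplied DNS answers."""
    problems = []
    spf = [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        problems.append(f"expected exactly one SPF TXT record, found {len(spf)}")
    for inc in (M365, SHIELD):
        if not any(inc in r.lower().split() for r in spf):
            problems.append(f"SPF is missing {inc}")
    for host, target in dkim_cnames(domain).items():
        got = cnames.get(host, "").lower().rstrip(".")
        if got != target:
            problems.append(f"{host}: CNAME is {got or 'absent'}, expected {target}")
    return problems

# Constructed sample: SPF already authorises another sender; one CNAME missing.
SAMPLE_TXT = ["MS=ms00000000",
              "v=spf1 ip4:192.0.2.10 include:spf.protection.outlook.com ~all"]
SAMPLE_CNAMES = {"shield1._domainkey":
                 "example-com.selector1._domainkey.shield.security."}
```

Feed `audit` the TXT and CNAME answers collected with your usual DNS lookup tool; an empty list means the SPF and DKIM records match the values shown above.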
Getting Help
If you need assistance, please contact the Partner Success team.