During a recent migration project to Exchange Online Protection (for a large number of domains), I regularly had to make changes to DNS records, and part of that work is validating that the records were changed to the expected and correct values.
Therefore I created a PowerShell script (Validate-ExoDnsRecords.ps1) to assist with this. The script will check the following items for a domain that you specify:
- That a valid Exchange Online Protection MX record exists for the domain, with a preference of 0
- That a valid autodiscover CNAME exists pointing to autodiscover.outlook.com
- That a valid SPF record exists containing ‘include:spf.protection.outlook.com’, or that there is an SPF redirect
- That valid selector1 and selector2 records exist for DKIM, each with a validly formatted CNAME host name
A complete list of the Microsoft 365 DNS prerequisite configuration is available at: https://docs.microsoft.com/en-us/microsoft-365/enterprise/external-domain-name-system-records?view=o365-worldwide
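The four checks listed above can be expressed as pure validation logic. The following is an added example, not the code of Validate-ExoDnsRecords.ps1: the function name `Test-ExoRecordSet`, its parameters, the accepted MX and DKIM host patterns and the sample records are assumptions made for illustration. The input property names (`NameExchange`, `Preference`, `NameHost`) are those returned by `Resolve-DnsName`, so live lookups can be passed in place of the sample.

```powershell
# Added example (hypothetical helper, not the author's script).
function Test-ExoRecordSet {
    param(
        [object[]]  $Mx = @(),             # objects exposing NameExchange and Preference
        [string]    $AutodiscoverTarget,   # NameHost of the autodiscover CNAME
        [string[]]  $Txt = @(),            # TXT strings published at the domain apex
        [hashtable] $Dkim = @{}            # selector -> NameHost of <selector>._domainkey
    )
    # MX: an EOP host at preference 0 (the host suffix is an assumption, not from the post)
    $mxOk = [bool]($Mx | Where-Object {
        $_.NameExchange -like '*.mail.protection.outlook.com' -and $_.Preference -eq 0 })

    # Autodiscover: the CNAME target, ignoring a trailing root dot
    $autoOk = $AutodiscoverTarget.TrimEnd('.') -eq 'autodiscover.outlook.com'

    # SPF: exactly one v=spf1 record; more than one is a permerror under RFC 7208
    $spf = @($Txt | Where-Object { $_ -match '^v=spf1(\s|$)' })
    $spfOk = $false
    if ($spf.Count -eq 1) {
        $terms = $spf[0] -split '\s+'
        $spfOk = ($terms -contains 'include:spf.protection.outlook.com') -or
                 [bool]($terms -like 'redirect=*')
    }

    # DKIM: both selectors must be CNAMEs shaped selectorN-<label>._domainkey.<zone>
    # (assumed definition of "validly formatted")
    $dkimOk = $true
    foreach ($sel in 'selector1', 'selector2') {
        if ("$($Dkim[$sel])" -notmatch "^${sel}-[^.]+\._domainkey\.[^.]+\..+") { $dkimOk = $false }
    }

    [pscustomobject]@{ MX = $mxOk; Autodiscover = $autoOk; SPF = $spfOk; DKIM = $dkimOk }
}

# Constructed sample records for example.com (not real lookups); selector2 is absent.
$sample = @{
    Mx                 = @([pscustomobject]@{
                             NameExchange = 'example-com.mail.protection.outlook.com'
                             Preference   = 0 })
    AutodiscoverTarget = 'autodiscover.outlook.com'
    Txt                = @('v=spf1 include:spf.protection.outlook.com -all', 'constructed-verification=abc')
    Dkim               = @{ selector1 = 'selector1-example-com._domainkey.example.onmicrosoft.com' }
}
Test-ExoRecordSet @sample | Format-List
```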
Sample usage
Below is an example using it against this domain, and as you can see I now have a to-do to fix my DKIM records!
.\Validate-ExoDnsRecords.ps1 -Domain itdevlab.au