Collaboration workloadsIntermediate21 min read

What Does Accepted domain Mean?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

An accepted domain is a domain name that you add to your Microsoft 365 tenant so that your organization can send and receive emails using that domain. It tells the system which email addresses are considered yours. You must prove you own the domain before it can be used for email routing.

Commonly Confused With

Accepted domainvsVerified domain

A verified domain is a domain for which you have proven ownership via DNS, but it may not yet be configured as an accepted domain for email. An accepted domain is always a verified domain, but the reverse is not true until you set it up for mail flow.

You add contoso.com to your tenant and verify it, but you forget to add it to accepted domains. The domain is verified but not accepted, so emails to contoso.com bounce.

Accepted domainvsEmail address policy

An email address policy automates the assignment of SMTP addresses to users, but it only works for domains that are already accepted as authoritative. The policy does not make a domain accepted; it just assigns addresses from an existing accepted domain.

You create an email address policy to give every user an @fabrikam.com address, but fabrikam.com is not yet an accepted domain. The policy fails to apply.

Accepted domainvsSender domain

A sender domain is the domain used in the From address of outgoing emails. It must be an accepted domain, but accepted domains also control incoming mail. A sender domain is about sending, while accepted domain is about both sending and receiving.

You can send as @mycompany.com only if @mycompany.com is an accepted domain, but you also need it to receive replies to your outgoing emails.

Accepted domainvsMail flow connector

A mail flow connector defines how emails are sent to or from a specific domain. Accepted domains define what domains you accept mail for. Connectors are used to route emails, while accepted domains are the list of domains you own.

You can have a connector to send emails to a partner domain, but that partner domain is not an accepted domain on your tenant.

Must Know for Exams

For the MS-102 exam, which covers Microsoft 365 administration including messaging, accepted domains are a core objective. The MS-102 exam expects you to know how to add, verify, and configure accepted domains, as well as understand the differences between authoritative, internal relay, and external relay types. Questions often appear in the scenario-based format where you are given a business requirement, such as a company merging with another organization or migrating mailboxes to cloud, and you must choose the correct domain type and configuration steps.

You will also encounter questions that combine accepted domains with email address policies and user provisioning. For example, a question might ask: 'A company wants all new users to automatically get an email address with the domain contoso.com. What must be done first?' The correct answer is to add and verify contoso.com as an accepted domain.

Other exam objectives include troubleshooting email flow issues caused by misconfigured accepted domains. You might be given a scenario where email to a new domain bounces with an NDR code 550 5.1.1, and you need to realize that the domain is not configured as an accepted domain. Or a hybrid scenario where email to on-premises users fails because the domain is set to authoritative instead of internal relay.

PowerShell commands are also frequently tested. You may be asked to identify the correct cmdlet to add a new accepted domain (New-AcceptedDomain) or to change the domain type (Set-AcceptedDomain -DomainType InternalRelay). Understanding the syntax and parameters is essential.

the exam may test your knowledge of the verification process. You will need to know which DNS record types can be used for domain verification (TXT or MX), and what happens if the verification fails. Questions about domain ownership verification are common, as this is a prerequisite for any accepted domain.

Finally, the MS-102 exam includes questions about accepted domain limits. There are limits on the number of custom domains you can add to a tenant depending on your subscription plan. You should be aware of these limits to answer questions about scalability and licensing.

accepted domains are a recurring topic across multiple question types: configuration, verification, troubleshooting, and scenario-based planning. Mastering this concept will directly improve your score.

Simple Meaning

Think of an accepted domain like adding a new phone number to your smartphone. Your phone already has a default number assigned to it, but you can add additional numbers that people can use to call you. In the same way, Microsoft 365 comes with a default domain like yourorg.onmicrosoft.com, but you likely want to use your own custom domain like yourcompany.com for professional email.

When you add an accepted domain, you are telling Microsoft 365, "I own this domain, and I want to use it for email." But simply telling Microsoft is not enough. You also need to prove ownership by adding a special DNS record, usually a TXT record, which acts like a secret handshake. Once Microsoft verifies the record, the domain becomes an accepted domain.

There are three types of accepted domains in Exchange Online: authoritative, internal relay, and external relay. An authoritative domain means that all email addresses ending with that domain belong to your organization, and Exchange Online will only deliver messages to mailboxes it knows about. An internal relay domain is used when you have some mailboxes on-premises and some in the cloud, so email is routed to both. An external relay domain lets you forward email for addresses that are not hosted inside your organization, such as for a partner company.

In everyday business, this is critical because without an accepted domain, any email sent to someone@yourcompany.com would bounce back as undeliverable. The accepted domain system ensures that your email flows correctly and securely to the right destination.

Full Technical Definition

An accepted domain in Exchange Online is a configured namespace that defines the SMTP address space for which the Microsoft 365 organization is responsible. Technically, it is an entry in the organization's transport configuration that tells the Exchange Online transport pipeline how to handle messages addressed to recipients in that domain.

When an email arrives at Exchange Online, the transport service checks the recipient's domain against its list of accepted domains. If the domain is found, the system applies the domain type: authoritative, internal relay, or external relay. For authoritative domains, Exchange Online checks if the recipient mailbox exists within its directory. If it does, the message is delivered. If not, a non-delivery report (NDR) is generated. This is the default behavior and is the most common setup for businesses that use only cloud mailboxes.

For internal relay domains, the transport service will look for the recipient both in Exchange Online and in any on-premises Exchange servers via a configured Send connector. This is typical in hybrid deployments where some mailboxes remain on-premises. The internal relay type ensures that email destined for a mailbox still in the on-premises environment is forwarded correctly without being rejected.

External relay domains are used less frequently but are important for scenarios where the organization needs to forward email to external email systems, such as a partner's SMTP server. In this case, Exchange Online accepts the message and relays it out to the external mail system. This requires careful configuration to prevent the system from becoming an open relay, which could be exploited to send spam.

Accepted domains are managed through the Exchange admin center or using PowerShell cmdlets like New-AcceptedDomain, Set-AcceptedDomain, and Get-AcceptedDomain. Each accepted domain must be verified by adding a DNS TXT record, and the domain must be added to the Microsoft 365 tenant before it appears in the accepted domains list. Accepted domains are closely tied to email address policies and user mailbox configuration, as they determine the primary SMTP addresses assigned to users.

Real-Life Example

Imagine you run a small bakery called Sweet Breads. You have a personal email address for orders, sweetbreads@gmail.com, but you want to look more professional by using orders@sweetbreads.com. To do that, you first need to buy the domain name sweetbreads.com. Then, you need to tell your email provider, Google Workspace or Microsoft 365, that you own that domain. That is like showing your ID to prove you are the owner of the domain.

Once your email provider confirms your ownership, you can start receiving emails sent to orders@sweetbreads.com. But there is a catch: if you also have a separate reservation system that uses reservations@sweetbreads.com, you must make sure that domain is also set up as an accepted domain and that the reservation system is configured to receive emails. Otherwise, those emails might bounce or get lost.

In the same way, when you set up a new phone line for the bakery, you have to tell the phone company that you want that number, and they assign it to your account. Without that activation, calls to that number would go nowhere. An accepted domain does exactly that for email: it activates the domain so that emails sent to it land in the correct mailbox instead of disappearing into the void.

Why This Term Matters

Accepted domains are fundamental to email operations in Microsoft 365 because they directly control whether your organization can send and receive emails using your own brand. Without configuring accepted domains, your users would be stuck with the default onmicrosoft.com domain, which looks unprofessional and can cause deliverability issues because many spam filters treat unknown domains suspiciously.

For IT professionals, understanding accepted domains is crucial for planning hybrid migrations. When you move mailboxes from an on-premises Exchange server to Exchange Online, you must configure the accepted domain as internal relay so that email flows correctly between the two environments during the transition. Misconfiguring this can lead to email loss or bounces, which directly impacts business communication.

Security is another major reason. Accepted domains with the external relay type must be carefully secured to prevent open relay abuse. If an external relay domain is misconfigured, attackers can use your email system to send spam, which can get your domain blacklisted and ruin your organization's email reputation.

From a compliance standpoint, accepted domains help you control the scope of your email system. Only domains that are accepted are processed by Exchange Online, reducing the risk of data leakage through unmanaged domains. For example, if you accidentally add a misspelled domain, you could inadvertently receive emails meant for another organization, leading to data privacy issues.

In short, accepted domains are the gatekeeper of your email system. They decide which emails are your responsibility and which should be rejected. Properly managing them is a foundational step in maintaining a healthy, secure, and professional email environment.

How It Appears in Exam Questions

Accepted domain questions on the MS-102 exam appear in three main patterns: configuration scenarios, hybrid migration scenarios, and troubleshooting scenarios.

Configuration scenarios: You are asked to add a new custom domain for email. The question might describe a company that just bought a new domain, let's say fabrikam.com, and wants to use it for email addresses. You are given options: Add the domain as external relay, add it as authoritative, or verify ownership first. The correct approach is to verify ownership first, then add it as authoritative if all mailboxes are in the cloud. The question might also ask which DNS record to use: a TXT record with a verification code provided by Microsoft 365.

Hybrid migration scenarios: A company has on-premises Exchange and is moving some mailboxes to Exchange Online. The domain contoso.com is already an accepted domain. After moving half the mailboxes, some emails to on-premises users bounce. The question asks why and what to change. The answer is that the accepted domain type needs to be changed from authoritative to internal relay so that Exchange Online forwards emails to the on-premises server for users not yet migrated.

Troubleshooting scenarios: Users report that emails sent to a new domain, support@newcompany.com, are being rejected. You check the accepted domains list and see that newcompany.com is missing. The question asks: 'What is the first step to resolve this?' The correct answer is to add and verify the domain as an accepted domain. Another troubleshooting question might involve an NDR with error '550 5.1.1 User unknown' even though the mailbox exists. This suggests that the accepted domain is set to external relay instead of authoritative, so Exchange Online is not checking the directory for the recipient.

Scenario questions with multiple steps: You are given a requirement to set up email for a subsidiary using a different domain. The question asks for the correct order of operations: verify domain, add accepted domain, configure email address policy, assign licenses. The sequence matters because you cannot configure an email address policy for a domain that is not yet accepted.

Finally, you might see comparison questions asking you to identify the correct domain type for a given requirement. For example, 'Which accepted domain type should be used when you want to forward email to an external email system that is not part of your organization?' The answer is external relay.

In all cases, the exam rewards precise knowledge of the domain types and their use cases, as well as the verification and configuration steps.

Practise Accepted domain Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are the IT administrator for Contoso Ltd., a company that has been using Microsoft 365 for years with the domain contoso.com as an authoritative accepted domain. Recently, Contoso acquired a smaller company, Fabrikam Inc., which has its own domain fabrikam.com. The CEO wants all Fabrikam employees to be migrated into the same Microsoft 365 tenant, but they want to keep their existing fabrikam.com email addresses for now.

Your first task is to add fabrikam.com to the tenant as a custom domain. You go to the Microsoft 365 admin center, click on Domains, and then Add domain. You enter fabrikam.com and are given a TXT record value. You ask the Fabrikam IT team to add this TXT record to their DNS zone. Once the DNS propagates and Microsoft verifies the record, fabrikam.com becomes verified but not yet an accepted domain.

Next, you need to make fabrikam.com an accepted domain in Exchange Online. Since the Fabrikam users will have their mailboxes entirely in Exchange Online, you configure the domain type as authoritative. This ensures that any email sent to user@fabrikam.com will be delivered to the corresponding mailbox in your tenant, and if the mailbox does not exist, the sender receives an NDR.

Now, you need to create an email address policy to automatically assign fabrikam.com email addresses to the new users. You go to Exchange admin center, select mail flow, then email address policies, and create a new policy that applies to all users from the Fabrikam department. The policy specifies that the primary SMTP address should be @fabrikam.com.

After the policy is applied, the new Fabrikam users are created with user@fabrikam.com as their email address. You test by sending an email from your personal contoso.com account to a Fabrikam user. The email arrives successfully.

One week later, a Fabrikam user reports that they are not receiving emails from a legacy on-premises application that sends to their fabrikam.com address. You investigate and discover that the application is hosted on an on-premises server that sends directly to the internet, bypassing the accepted domain verification. You configure the application to use your Exchange Online SMTP server, and emails start flowing. This scenario illustrates the real steps and pitfalls of adding a new accepted domain in a multi-domain environment.

Common Mistakes

Adding a domain to the tenant but not adding it as an accepted domain in Exchange Online

The domain is registered in Microsoft 365 but Exchange Online does not know to accept emails for that domain, so emails bounce.

After verifying the domain, go to Exchange admin center > Mail flow > Accepted domains and add the domain with the appropriate type.

Setting an accepted domain to authoritative when some mailboxes are still on-premises

When set to authoritative, Exchange Online treats all recipients in that domain as local. If a mailbox is on-premises, the email is rejected because Exchange Online cannot find it in its directory.

Change the domain type to internal relay so that Exchange Online forwards messages to the on-premises server for such recipients.

Using external relay for domains that are actually authoritative

External relay tells Exchange Online to forward all emails for that domain to an external server, even for users with mailboxes in the cloud. Those users will not receive their emails.

Identify which mailboxes belong to your organization and set the domain type accordingly. Use authoritative for fully cloud-hosted mailboxes.

Forgetting to verify domain ownership before using it for email

Microsoft 365 will not accept emails for an unverified domain, and you cannot add it as an accepted domain until verified.

Complete the domain verification DNS TXT record process before attempting to configure email routing.

Configuring an accepted domain with the wrong DNS records for verification

Using an MX record alone is not sufficient for domain verification; Microsoft requires a TXT record with a specific verification string. An MX record only proves you can receive email, not ownership.

Use the TXT record provided by the Microsoft 365 admin center for domain verification.

Exam Trap — Don't Get Fooled

{"trap":"A question states: 'You have an on-premises Exchange server and Exchange Online in hybrid. You add a new domain as an accepted domain and set it to authoritative. Users with mailboxes on-premises are not receiving emails.

Why?'","why_learners_choose_it":"Learners think authoritative means the domain is fully managed by Microsoft 365, even for on-premises mailboxes. They assume authoritative just means 'trusted.'

","how_to_avoid_it":"Remember: authoritative means Exchange Online will only deliver to mailboxes in the cloud. For hybrid, you must use internal relay so that Exchange Online forwards to on-premises for un-migrated users."

Step-by-Step Breakdown

1

Add the custom domain to the Microsoft 365 tenant

Go to the Microsoft 365 admin center, select 'Domains', then 'Add domain'. Enter your domain name. This step registers the domain in the tenant but does not make it functional for email yet.

2

Verify domain ownership via DNS

Microsoft provides a TXT record with a unique value. You add this record to your domain's DNS zone through your domain registrar. Once the DNS propagates, Microsoft checks the record and if it matches, the domain is verified.

3

Add the domain as an accepted domain in Exchange Online

In the Exchange admin center, go to 'Mail flow', then 'Accepted domains'. Click 'Add' and enter the domain name. This tells Exchange Online that this domain is part of your email system.

4

Choose the correct domain type

Select authoritative if all mailboxes for that domain are in Exchange Online. Select internal relay if some mailboxes remain on-premises. Select external relay if you want to forward emails to an external email system.

5

Configure the domain to be used as the primary SMTP address for users

Create or modify an email address policy to assign the new domain as the primary SMTP address for new or existing users. This ensures that user mailboxes have the correct email address.

6

Test email flow

Send a test email from an external account to a user's new email address. Verify it arrives correctly. Also test sending from the user to an external address. This confirms that both inbound and outbound mail flow are working.

Practical Mini-Lesson

Accepted domains are a fundamental building block of email routing in Microsoft 365, and every IT professional managing Exchange Online must understand them thoroughly. In practice, you will most often encounter authoritative domains for standard cloud-only organizations. When a domain is authoritative, Exchange Online performs directory lookup for every recipient in that domain. If the recipient mailbox exists, the message is delivered; if not, an NDR is sent. This prevents email from being lost.

In hybrid deployments, internal relay is the most critical domain type to understand. When you have a mix of cloud and on-premises mailboxes, the internal relay type allows Exchange Online to query the on-premises directory via the hybrid configuration. It essentially trusts the on-premises server to know about all recipients. If you mistakenly set the domain to authoritative, on-premises mailboxes are invisible to Exchange Online, causing bounces for emails sent to them from the internet.

External relay domains are useful for very specific scenarios, like a company that hosts emails for a subsidiary on a third-party platform. However, external relay is often misused. A common mistake is to set a domain to external relay thinking it will magically forward emails to another service, but without proper connectors and routing, the emails will simply be relayed outside the organization, which can create security risks. Always ensure that external relay is accompanied by a corresponding Send connector pointing to the external email system.

Configuration via PowerShell is a skill you should develop. For example, to create an authoritative accepted domain, you might run: New-AcceptedDomain -Name 'contoso.com' -DomainName 'contoso.com' -DomainType Authoritative. To change it later: Set-AcceptedDomain -Identity 'contoso.com' -DomainType InternalRelay. Understanding these commands is useful for automation and troubleshooting.

What can go wrong? The most common issue is adding a domain to the tenant but forgetting to add it as an accepted domain. Users may have email addresses with the domain assigned via email address policies, but incoming emails will bounce because Exchange Online does not see the domain in its accepted list. Another issue is DNS propagation delays: after adding the TXT record, it can take up to 72 hours for DNS to fully propagate, though it usually takes much less time. Prematurely trying to use the domain before verification can cause failures.

In production, you should document all accepted domains and their types, especially if you have multiple domains. When a new domain is added, update your email address policies, configure any required connectors, and monitor mail flow for the first few days. This ensures a smooth transition and prevents email loss for end users.

Memory Tip

A for Authoritative: all mailboxes in the cloud. I for Internal relay: some mailboxes in the cloud, some on-premises. E for External relay: emails go outside. Remember A-I-E in that order.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

What is the difference between a verified domain and an accepted domain?

A verified domain is one you have proven you own via DNS, but it may not be set up for email. An accepted domain is a verified domain that has been configured in Exchange Online to receive email.

Can I have multiple accepted domains in one tenant?

Yes, you can have up to 900 custom domains in a Microsoft 365 tenant if you have a qualifying subscription, though the limit is typically 300 for many plans.

What happens if I set an accepted domain to authoritative but some mailboxes are still on-premises?

Emails to those on-premises mailboxes will bounce with an NDR because Exchange Online cannot find them in its directory. You must use internal relay for hybrid scenarios.

Is it mandatory to add a domain as an accepted domain before using it in an email address policy?

Yes, the domain must be an accepted domain in Exchange Online before you can assign it to users via email address policies. Otherwise, the policy will fail.

How do I remove an accepted domain?

First, remove any email address policies and user assignments that use the domain. Then, go to Exchange admin center > Mail flow > Accepted domains, select the domain, and remove it. Finally, remove the domain from the Microsoft 365 tenant.

What DNS record is used for domain verification?

A TXT record with a specific verification value provided by Microsoft 365 is used. MX records or other record types are not accepted for verification.

Summary

Accepted domains are the mechanism by which Microsoft 365 recognizes the domains for which it is responsible for email delivery. Without properly configured accepted domains, your organization cannot send or receive emails using custom domain names. There are three types: authoritative for fully cloud-hosted mailboxes, internal relay for hybrid environments where some mailboxes remain on-premises, and external relay for forwarding to third-party email systems.

For the MS-102 exam, understanding how to add, verify, configure, and troubleshoot accepted domains is a key objective. You will encounter scenario-based questions that test your ability to choose the correct domain type based on business requirements, as well as troubleshooting questions where email flow issues stem from an incorrect domain type or a missing accepted domain configuration.

In practice, IT professionals must ensure that every custom domain used for email is added both as a verified domain in the tenant and as an accepted domain in Exchange Online. Domain verification via a DNS TXT record is a prerequisite, and failing to complete this step is a common mistake. During hybrid migrations, changing the domain type from authoritative to internal relay at the appropriate time is essential to prevent email bounces.

Mastering accepted domains not only helps you pass the MS-102 exam but also equips you with the foundational knowledge to manage email flow in real-world Microsoft 365 deployments. Always test email flow after configuration changes and document your domain settings for future reference.