An administrator adds the custom domain 'contoso.com' to a new Microsoft 365 tenant and needs to verify domain ownership. Which type of DNS record must be added to the public DNS zone to complete verification?
A TXT record with a unique verification string from Microsoft is the standard method to prove domain ownership.
Why this answer
To verify domain ownership in Microsoft 365, you must add a TXT record with a specific verification string provided by the Microsoft 365 admin center to the public DNS zone. The TXT record is used because it can store arbitrary text data, which the Microsoft 365 domain verification service queries to confirm that you control the domain. This is the standard method defined in RFC 1035 for domain ownership verification.
Exam trap
The trap here is that candidates often confuse the TXT record used for domain verification with other DNS records like MX or CNAME, which are used for different purposes (mail routing or service aliasing) in Microsoft 365 configuration, but only the TXT record is required for the initial ownership proof.
How to eliminate wrong answers
Option A is wrong because an MX record is used for mail routing (specifying mail exchange servers), not for domain ownership verification; it does not carry the required verification token. Option C is wrong because a CNAME record is used to alias one domain name to another (canonical name mapping), and while it can be used for some Microsoft 365 services like autodiscover, it is not the record type used for initial domain ownership verification. Option D is wrong because 'record' is an incomplete and non-specific DNS record type; the actual required record is a TXT record, and a generic 'record' does not exist in DNS standards.