How to migrate DNS for website, MX, and Microsoft 365 with no downtime?
#1
I'm the de facto IT person for our small business, and we're finally moving our domain and email hosting away from a bundled, restrictive provider to have more control, but I'm completely out of my depth with DNS management. I need to set up records for our website, email (MX), and a new Microsoft 365 tenant, but I'm terrified of making a mistake that could take our email offline for days or expose us to security risks. The control panel from our new registrar is overwhelming with dozens of record types. For those who have navigated this migration, what was your step-by-step process to ensure a smooth transition without downtime? Are there any best practices for record organization or security settings like DNSSEC that I should implement from the start, and how did you test your configuration safely before cutting over the live domain?
Reply
#2
You're on the right track. Here's a practical, low-downtime migration plan I used once:

1) Audit and inventory: export all DNS records from the current provider, note TTLs, and map which records drive the website, mail, and any services (MX, SPF, DKIM, DMARC, Autodiscover).
2) Prepare the new DNS zone: in the registrar's DNS, recreate A/AAAA, CNAME, MX, TXT (SPF), SRV, and any required DKIM/DMARC entries. Add the Microsoft 365 verification TXT and the necessary Autodiscover CNAME/SRV. Keep a versioned change log.
3) Reduce TTLs for critical records well in advance: drop to about 300 seconds (5 minutes) if possible, so changes propagate quickly after cutover. Do this for web and mail-related records.
4) Do a dry run: create a staging subdomain (e.g., test.yourdomain) or use host file overrides to test resolution against the new zone. Validate website, mail flow, and Autodiscover with test accounts.
5) Cutover window: at a planned time, switch the NS delegation to the new registrar and keep old DNS as a backup for 24–48 hours. During the window, monitor mail flow with a few test messages both ways and confirm website access.
6) Validate and document: verify website resolves globally, test sending/receiving external mail, confirm Autodiscover works for O365, verify SPF/DKIM/DMARC alignment, and check for any DNS warnings on propagation checkers.

Security and organization tips:
- Enable DNSSEC from the start if your registrar supports it, but be prepared for the DS record management and possible propagation quirks if you’ve never signed before.
- Enable registrar/zone access 2FA and lock the domain to prevent unauthorized transfers.
- Maintain backups of your zone and keep a changelog of every modification.
- Use consistent naming conventions and document mappings in a shared onboarding doc.

Best practices for testing: use DNSViz or MXToolbox for visual debugging, nslookup/dig for checks, and Microsoft Remote Connectivity Analyzer to sanity-check Exchange connectivity post-migration. A staging domain helps avoid surprises.

If you want, share your domain, registrar, and whether you’re using Exchange Online; I can tailor a step-by-step 2-week action plan with exact records to create and a rollback checklist.
Reply
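An added example, not code from either poster: a pre-cutover check that compares an export of the live zone against the new zone and reports records that are missing or changed, TTLs still above the 300 seconds from step 3, and duplicate SPF records. The zone data, `example.com`, the host names and the function names are constructed for illustration, and the exports are assumed to be in one-record-per-line `name TTL IN type rdata` form.

```python
from collections import defaultdict

MAX_TTL = 300  # pre-cutover TTL target from step 3, in seconds

# Constructed sample exports ("name TTL IN type rdata"); example.com is a placeholder.
OLD_ZONE = """\
example.com. 300 IN A 192.0.2.10
example.com. 3600 IN MX 10 mail.oldhost.example.
example.com. 300 IN TXT "v=spf1 include:spf.oldhost.example -all"
_dmarc.example.com. 300 IN TXT "v=DMARC1; p=quarantine"
"""
NEW_ZONE = """\
example.com. 300 IN A 192.0.2.10
example.com. 300 IN MX 10 mail.oldhost.example.
example.com. 300 IN TXT "v=spf1 include:spf.oldhost.example -all"
example.com. 300 IN TXT "v=spf1 include:spf.protection.outlook.com -all"
autodiscover.example.com. 300 IN CNAME autodiscover.outlook.com.
"""

def parse_zone(text):
    # Returns ({(name, type): {rdata, ...}}, {(name, type): highest TTL seen}).
    records, ttls = defaultdict(set), {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # skip blank lines and zone-file comments
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        key = (name.lower(), rtype.upper())
        records[key].add(rdata.strip())
        ttls[key] = max(int(ttl), ttls.get(key, 0))
    return records, ttls

def precutover_findings(old_text, new_text):
    """List (kind, name, type) tuples to resolve or review before changing NS."""
    (old, old_ttl), (new, new_ttl) = parse_zone(old_text), parse_zone(new_text)
    findings = []
    for key in sorted(old):
        if key not in new:
            findings.append(("missing", *key))   # live record not recreated
        elif old[key] != new[key]:
            findings.append(("changed", *key))   # intended change or typo: review
    high = sorted({k for t in (old_ttl, new_ttl) for k, v in t.items() if v > MAX_TTL})
    findings += [("ttl-high", *k) for k in high]
    for (name, rtype), values in sorted(new.items()):
        spf = [v for v in values if v.strip('"').lower().startswith("v=spf1")]
        if rtype == "TXT" and len(spf) > 1:      # two SPF records give a permerror
            findings.append(("multiple-spf", name, rtype))
    return findings

if __name__ == "__main__":
    print(*precutover_findings(OLD_ZONE, NEW_ZONE), sep="\n")
```

Records that exist only in the new zone, such as the Autodiscover CNAME here, are not reported, since adding them is the point of step 2.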

