Forum Discussion

midiman's avatar
midiman
Copper Contributor
Jun 16, 2026

mail@mydomain is causing a cert mismatch error in all browsers for Outlook.com

Hello, 

I have created a CNAME for our users in my domain so that they can access webmail. 

For example, it's called mail.mycustomdomain.com, and it is directed to Outlook.com  

But when I try to visit mail.mycustomdomain.com, it shows a security warning and recommends going back. 

I can understand because the SAN name in the certificate presented by Outlook doesn't include my CNAME. 

 

Is there anything I can do as a workaround so our users can enter the CNAME without encountering a Certificate Mismatch Error? 


It is causing repeated calls to the helpdesk, and we would like them to use something simple they can remember. 

 

Thanks 

admin
Azure AD Connect
exchange
microsoft 365
office 365
outlook

3 Replies

  • NikolinoDE's avatar
    NikolinoDE
    Platinum Contributor
    Jun 17, 2026

    No — a CNAME alone cannot resolve the certificate warning when users browse to https://mail.mycustomdomain.com.

    This happens because Microsoft 365 presents a TLS certificate for its own domains (such as *.outlook.com or *.office.com), not for your custom hostname. Since the browser checks the certificate against the exact address the user typed, a mismatch occurs and the warning is expected behavior.

    Recommended solution…

    The standard and supported approach is to use an HTTPS redirect instead of pointing the name directly to Microsoft:

    1. Create an A record for mail.mycustomdomain.com pointing to a small web server or a provider that supports HTTPS redirects.
    2. Ensure that hostname has a valid SSL certificate (for example, via Let’s Encrypt or your DNS/hosting provider).
    3. Configure a permanent redirect (301) or temporary redirect (302) to Microsoft 365:

    https://mail.mycustomdomain.com  →  https://outlook.office.com/owa/

    This way:

    • Users can still use a simple, memorable address
    • The browser sees a valid certificate (no warnings)
    • They are automatically forwarded to Outlook on the web

    Optional alternatives

    • DNS provider forwarding: Some registrars or DNS providers offer HTTPS URL forwarding that handles the certificate for you. If available, this is often the simplest option.
    • Outlook URL: You can also redirect to https://outlook.office.com/mail/, which is the modern Outlook on the web experience.

    Additional note

    You can safely keep your Autodiscover CNAME (for example autodiscover.mycustomdomain.com → autodiscover.outlook.com). This is a supported Microsoft 365 configuration and does not have the same certificate issue.

    Summary

    There is no supported way in Microsoft 365 to make Outlook on the web work directly on a custom hostname like mail.mycustomdomain.com without a certificate mismatch. A redirect is the standard solution and eliminates the browser warning completely while keeping the user experience simple.

     

    My answers are voluntary and without guarantee!

     

    Hope this will help you.

    • midiman's avatar
      midiman
      Copper Contributor
      Jun 17, 2026

      Hi Niko, 

       

      That is what I was thinking.  

      It's just strange that we have had an influx of calls about it, and I wondered if it had been working before, since I couldn't see how. 

       

      I will look into the methods you mentioned to see if I can do anything to help them. 

       

      But for now, I am just telling them to go to outlook.com 

       

      Thanks 

      Midi 

       

       

       

       

       

      • NikolinoDE's avatar
        NikolinoDE
        Platinum Contributor
        Jun 17, 2026

        It's entirely possible that mail.mycustomdomain.com worked at some point in the past — perhaps because an on-premises Exchange server or a reverse proxy was handling the certificate for that hostname, and after a migration the record was inadvertently left as a plain CNAME. That could certainly explain the recent increase in support calls.

        In the meantime, I’d recommend giving users the following address for webmail:

        Rather than directing them to outlook.com, I would suggest using the dedicated Microsoft 365 work/school URL.
        outlook.com is primarily intended for personal consumer accounts (Outlook.com/Hotmail). While Microsoft's sign-in page can sometimes detect a work account and redirect to the Office 365 portal, that behavior isn't guaranteed and can cause confusion — especially for users who also have personal Microsoft accounts.

        A better approach is to provide the proper Exchange Online webmail address:

        • https://outlook.office.com/owa/
          or simply
        • https://outlook.office.com (which will automatically redirect to the correct OWA page)

        This is the documented and supportable URL for Microsoft 365 business and school mailboxes. Users can bookmark it and sign in with their work email address (email address removed for privacy reasons) as usual.

        In short, I’d recommend sharing outlook.office.com as a temporary, reliable link while you explore setting up a proper redirect from mail.mycustomdomain.com.