DKIM (DomainKeys Identified Mail) helps protect your Microsoft 365 domain from spoofing and phishing by allowing receiving mail servers to verify that emails sent from your domain are authentic.
Microsoft 365 uses CNAME records for DKIM instead of TXT records. These CNAME records point to Microsoft’s DKIM signing service, which automatically signs outgoing emails from your domain once DKIM is enabled.
To configure DKIM, you must:
• add the required DKIM CNAME records to your domain’s DNS
• enable DKIM signing in Microsoft 365
Log in to the Microsoft 365 Defender portal.
Go to Email & collaboration → Policies & rules → Threat policies.
Select Email authentication settings.
Open the DKIM tab.
Select the domain you want to configure.
Microsoft 365 will provide two CNAME records that must be added to your DNS.
Example records:
Record 1
Host / Name: selector1._domainkey.yourdomain.com
Type: CNAME
Points to: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
Record 2
Host / Name: selector2._domainkey.yourdomain.com
Type: CNAME
Points to: selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
These records allow Microsoft 365 to manage DKIM keys for your domain.
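Log in to your domain’s DNS provider (such as Cloudflare, GoDaddy, or Namecheap) and create the two CNAME records provided by Microsoft 365.
Example configuration (many DNS providers append the domain name to the host automatically, so only the part before the domain is entered):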
Record 1
Host / Name: selector1._domainkey
Type: CNAME
Value: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
Record 2
Host / Name: selector2._domainkey
Type: CNAME
Value: selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
Save both records after adding them.
DNS changes may take some time to propagate across the internet.
After the DNS records are added:
Return to Email authentication settings in the Microsoft 365 Defender portal.
Open the DKIM tab.
Select your domain.
Enable Sign messages for this domain with DKIM signatures.
Once enabled, Microsoft 365 will begin signing outgoing emails with DKIM.
After enabling DKIM, confirm that the status shows that DKIM signing is active for the domain.
If the DNS records have propagated correctly, Microsoft 365 will display that DKIM is enabled for the selected domain.
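The following added example (not Microsoft tooling and not part of the original article) compares DNS lookup results with the two CNAME values shown on the DKIM tab, which helps before enabling signing or when the status does not become active. The domain and tenant names are the article's placeholders, the observed records are constructed sample data, and `norm` and `check_dkim_cnames` are hypothetical helper names.

```python
# Added example; names are the article's placeholders, OBSERVED is constructed.
ZONE = "yourdomain.com"
# Values as shown on the DKIM tab (host -> CNAME target).
EXPECTED = {
    "selector1._domainkey.yourdomain.com":
        "selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com",
    "selector2._domainkey.yourdomain.com":
        "selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com",
}
# Constructed lookup results: (owner name, record type, value).
OBSERVED = [
    ("Selector1._domainkey.yourdomain.com.", "CNAME",
     "selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com."),
    ("selector2._domainkey.yourdomain.com.yourdomain.com.", "CNAME",
     "selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com."),
]

def norm(name):
    """DNS names are case-insensitive; a trailing dot only marks the root."""
    return name.strip().rstrip(".").lower()

def check_dkim_cnames(expected, observed, zone):
    """Return {host: status} for every expected DKIM CNAME."""
    seen = {}
    for owner, rtype, value in observed:
        seen.setdefault(norm(owner), []).append((rtype.upper(), norm(value)))
    report = {}
    for host, target in expected.items():
        host, target = norm(host), norm(target)
        records = seen.get(host, [])
        doubled = f"{host}.{norm(zone)}"  # full name typed into a relative host field
        if any(r == ("CNAME", target) for r in records):
            report[host] = "ok"
        elif any(rtype == "CNAME" for rtype, _ in records):
            report[host] = "wrong target"
        elif records:
            report[host] = "wrong type: " + ",".join(sorted({t for t, _ in records}))
        elif doubled in seen:
            report[host] = f"missing (found at {doubled}: zone name entered twice)"
        else:
            report[host] = "missing"
    return report

if __name__ == "__main__":
    for host, status in check_dkim_cnames(EXPECTED, OBSERVED, ZONE).items():
        print(f"{host}: {status}")
```

In the sample data, selector1 passes despite the different letter case and trailing dot, while selector2 is reported as missing because the full host name was entered at a provider that appends the domain itself.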
For stronger email authentication and protection, it is recommended to configure SPF and DMARC along with DKIM.
If you send emails from multiple domains or subdomains, each sending domain should have DKIM configured separately.