Key Takeaways
- Enabling DKIM for Office 365 improves email security and deliverability.
- Multiple domains require manual DKIM configuration in the Microsoft 365 Defender portal.
- Publishing DKIM records involves creating CNAME records in your DNS management console.
- Validating your DKIM records is essential for ensuring proper email authentication.
- DKIM helps protect your domain from spoofing and phishing, and improves compliance with industry regulations.
DKIM for Office 365 is a specific implementation of the DKIM (DomainKeys Identified Mail) email authentication protocol that can be used to verify the legitimacy of the sender’s domain and ensure that the email content has not been altered during transit. If you enable DKIM, it can significantly help improve your email security and email deliverability.
Moreover, when combined with DMARC, the DKIM email authentication method improves the chances of your legitimate emails reaching the recipient’s inbox instead of being flagged or rejected by email spam filters.
Let’s learn more about the DKIM for Office 365 setup to improve your domain’s security and email deliverability!
Prerequisites of Office 365 DKIM Setup
Before setting up DKIM for Office 365, make sure you have the following in place:
- Access to the Microsoft 365 admin center with the necessary administrative permissions.
- Ability to update DNS records for your custom domain through your DNS hosting provider.
- A verified custom domain has been added to your Office 365 tenant.
Note: DKIM is automatically enabled by default for onmicrosoft.com domains, but you need to manually configure it for any custom domains you use.
How to Set up DKIM for Office 365 for Custom Domains
If you use Office 365 as your email service provider, keep these key points in mind:
- If you use the default onmicrosoft.com domain to send emails, you don’t need to set up DKIM manually.
- For a single custom email domain, Microsoft automatically enables DKIM with 2048-bit keys by default.
- Manual DKIM setup is only needed if you have multiple custom domains registered in Office 365.
The following steps apply specifically to configuring DKIM for these multiple domains.
1. Log into Microsoft Defender Portal
- Log in to your Defender account admin center. You can use the link provided here.
- On the portal, navigate and click on Policies & Rules under Email & Collaboration
- On the Policies & Rules page, select Threat Policies
2. Generate DKIM DNS records
- Select DomainKeys Identified Mail (DKIM) to open the DKIM tab
- On the DKIM page, select the domain you want to enable DKIM for (this is the domain you use to send outbound messages)
- You can now toggle the Enable button to start the activation process for DKIM. A dialogue box will appear which may contain the following status. Simply click on the Create DKIM keys button to view your keys:
You can also use PowerDMARC's DKIM generator to create DKIM records.
3. Copy and add the CNAME records to DNS
A pop-up will display 2 CNAME-type DKIM records—these contain your DKIM public keys needed for email authentication. You will need to:
- Click the blue “Copy” button to copy each CNAME record to your clipboard.
- Add these CNAME records to your domain’s DNS settings through your domain registrar or hosting provider’s control panel:
  - Log in to your DNS management console.
  - Find the section to add new DNS records.
  - Choose CNAME as the record type.
  - Paste the copied values exactly as provided into the appropriate fields.
  - Save and apply your changes so the records become active and your DKIM setup works properly.
4. Enable DKIM in Defender
After your DNS CNAME records have propagated (this may take some time), return to the Microsoft Defender portal. Locate your custom domain in the DKIM settings and enable DKIM signing to activate email authentication for that domain.
Troubleshooting: DKIM Couldn’t Be Enabled?
If an error persists and DKIM can’t be enabled for your domain on Microsoft’s Defender portal, here are some common reasons:
- DNS records may not have fully propagated yet—this can take up to 48 hours
- There could be typos or syntax errors in your CNAME records, such as extra spaces or incorrect characters
- The DKIM selector might be incorrect or doesn’t match what Microsoft expects
To resolve the issue:
- Use a DKIM record lookup tool to check if your published records are valid and error-free
- Confirm that the DNS changes have fully propagated by waiting or using online DNS propagation checkers
- Double-check your CNAME record syntax and selector values for accuracy
- Contact your DNS hosting provider if the problem persists
- If needed, reach out to Microsoft Support for further assistance
How to Configure DKIM for Office 365 Using PowerShell
For advanced users and administrators, Exchange Online PowerShell offers powerful tools to manage and configure email settings, including DKIM. Using PowerShell commands allows you to automate DKIM setup, enable or disable DKIM signing for your custom domains, and troubleshoot issues efficiently, which is especially useful when managing multiple domains or complex environments.
You can use PowerShell to enable your Exchange Online DKIM setup for Office 365, especially if you want to enable it for multiple domains. To do so:
1. Connect to Exchange Online
2. Extract your Office 365 DKIM selectors by running the following script:
3. Add the CNAME records provided to you by Office 365 to your DNS
4. Run the following command to enable DKIM for the domain:
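The four steps above as one script, with the DNS check from the troubleshooting section built in so that signing is only enabled once both CNAME records resolve to the targets Exchange Online reports. This is an added example, not code from the original article or from Microsoft. It assumes the ExchangeOnlineManagement module is installed and that `Resolve-DnsName` is available (Windows); the domain names and admin account are placeholders.

```powershell
# Added example: placeholders below are assumptions, replace with your own values.
$Domains  = @('example.com', 'example.net')   # custom domains in the tenant
$AdminUpn = 'admin@example.com'               # account allowed to manage DKIM

# Step 1: connect (requires the ExchangeOnlineManagement module).
Connect-ExchangeOnline -UserPrincipalName $AdminUpn

foreach ($Domain in $Domains) {
    # Step 2: fetch the signing config; create it disabled if none exists yet,
    # so the selector CNAME targets are generated without starting to sign.
    $cfg = Get-DkimSigningConfig | Where-Object { $_.Domain -eq $Domain }
    if (-not $cfg) {
        New-DkimSigningConfig -DomainName $Domain -Enabled $false | Out-Null
        $cfg = Get-DkimSigningConfig | Where-Object { $_.Domain -eq $Domain }
    }

    # Microsoft 365 uses the fixed selector names selector1 and selector2.
    $expected = [ordered]@{
        "selector1._domainkey.$Domain" = $cfg.Selector1CNAME
        "selector2._domainkey.$Domain" = $cfg.Selector2CNAME
    }

    # Step 3 check: compare what DNS returns with the expected targets.
    # Resolve-DnsName ships with Windows (DnsClient module).
    $ready = $true
    foreach ($name in $expected.Keys) {
        $target = $expected[$name]
        $found  = (Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'CNAME' } |
                   Select-Object -First 1).NameHost
        if (-not $found -or $found.TrimEnd('.') -ne $target.TrimEnd('.')) {
            Write-Warning "${name}: expected '$target', DNS returned '$found'"
            $ready = $false
        }
    }

    # Step 4: enable signing only when both records resolve to the right target.
    if ($ready -and -not $cfg.Enabled) {
        Set-DkimSigningConfig -Identity $Domain -Enabled $true
    }
}

# Final state for every domain in the tenant.
Get-DkimSigningConfig | Format-Table Domain, Enabled -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

A warning for a domain means its CNAME is missing, mistyped, or not yet propagated; rerun the script after correcting the record.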
How to Check DKIM Office 365 Records?
It’s important to check your Office 365 DKIM records to make sure your emails are properly protected from spoofing and phishing. You can do so with PowerDMARC. Our advanced email security and authentication platform helps you protect your email communications easily! You can combat Business Email Compromise and gain the full advantage of DKIM once you sign up on our platform.
1. Sign-up with PowerDMARC for Free
Create a free account on PowerDMARC to access the portal
2. Go to Powertoolbox > DKIM Record Lookup
On the left side navigation bar, click on Analysis tools > Powertoolbox > DKIM record lookup
3. Enter Your Domain Name and DKIM Selector
You can manually enter your selector name or keep the “auto” mode turned on to let our technology automatically detect your selector.
4. Click on Lookup to Check Your Record
Once you click on the lookup button, you can check your DKIM for Office 365 record’s validity status and configured tags as shown below:
How to Disable DKIM for Office 365?
You can disable DKIM for Office 365 with a single click in the Defender portal. However, keep in mind that turning off DKIM may weaken your email security, especially in cases like email forwarding where SPF checks can fail. It’s generally best to keep DKIM enabled, as both Microsoft and we strongly recommend this for better email authentication.
To disable DKIM, go to Email & collaboration > Policies & rules > Threat policies > DomainKeys Identified Mail (DKIM). On the DKIM page, simply toggle the “Enable” button off to disable the protocol.
Note: DKIM verification can help you better authenticate messages during special cases like email forwarding where SPF may fail. Keeping DKIM enabled for your domains is considered a good email practice and is highly recommended by both Microsoft and us.
Final Thoughts
Setting up DKIM correctly is essential for securing your email communications and protecting your domain from spoofing and phishing attacks. Regularly checking and updating your DKIM configuration helps ensure your email authentication stays strong and effective.
To simplify this process and stay on top of your email security, consider using PowerDMARC — a powerful platform that makes managing and monitoring DKIM easy and reliable. Take a free DMARC trial to weigh out your benefits today.
Frequently Asked Questions
How do I ensure that DKIM is enabled for all Exchange Online domains?
To make sure DKIM is enabled for all your Exchange Online domains, check the Microsoft Defender portal under Email & collaboration > Policies & rules > Threat policies > DKIM. Verify that DKIM is turned on for each custom domain.
How to rotate DKIM keys in Office 365?
To rotate DKIM keys in Office 365, you need to generate new CNAME records for the new keys in your DNS and then enable DKIM signing for those new keys in the Microsoft Defender portal. This process helps improve security by periodically updating the cryptographic keys that sign your emails.
How often should you rotate DKIM keys?
It’s recommended to rotate your DKIM keys every 1 to 2 years, or sooner if you suspect your keys have been compromised. Regular rotation helps maintain strong email security and prevents attackers from exploiting old keys.