How to Setup DKIM For Office 365

DKIM for Office 365 is a specific implementation of the DKIM (DomainKeys Identified Mail) email authentication protocol that can be used to verify the legitimacy of the sender’s domain and ensure that the email content has not been altered during transit. If you enable DKIM, it can significantly help improve your email security and email deliverability. 

Moreover, when combined with DMARC, the DKIM email authentication method improves the chances of your legitimate emails reaching the recipient’s inbox instead of being flagged or rejected by email spam filters.

Let’s learn more about how to set up DKIM for Office 365 to improve your domain’s security and email deliverability! 

How to Set up DKIM for Office 365 for Custom Domains

Note: The DKIM for Office 365 configuration was previously carried out using the O365 Exchange Online portal. However, with underway improvements pertaining to Microsoft’s security processes, the Office 365 DKIM configuration process has been up and moved to the Microsoft 365 Defender portal.

There are a few key considerations if you use Office 365 as your email service providers. Please note that if you use the default.onmicrosoft.com domain to send your emails or a single custom email domain, you don’t need to manually set up DKIM Office 365 as Microsoft will enable DKIM signing your emails with 2048-bit DKIM keys by default. It is only when you have multiple domains registered on Office 365 is when you can use the steps below to configure DKIM signatures.

1. Log into the Defender Portal

• Login to your Defender account admin center. You can use the link provided here.
• On the portal, navigate and click on Policies & Rules under Email & Collaboration
• On the Policies & Rules page, select Threat Policies

2. Create your DKIM DNS Records

• Now select DomainKeys Identified Mail (DKIM) to open the DKIM tab
• On the DKIM page, select the domain you want to enable DKIM for (this is the domain you use to send outbound messages)
  

• You can now toggle the Enable button to start the activation process for DKIM. A dialogue box will appear which may contain the following status. Simply click on the Create DKIM keys button to view your keys:

You can also PowerDMARCS DKIM generator to create DKIM records.

3. Copy the DKIM CNAME Records

• A pop-up will now display 2 CNAME-Typed DKIM records. This is your DKIM public key. 
• Click on the blue “Copy” button to copy the CNAME values to your clipboard

How to Publish Office 365 DKIM Records in Your DNS

• Login to your DNS provider’s management console
• Navigate to the DNS records section
• Create new CNAME records (Record type: CNAME)
• Paste the copied hostnames and values, as provided on the Defender portal
• Keep TTL as 3600
• Save changes to your record to finish setting up DKIM for Office 365. Wait for 24-48 hours to enable DKIM validation.

Note: The process for publishing DNS records varies depending on which DNS hosting provider you use. The time it takes for DNS propagation activate the records also depends on the same. The processes for a few of the major providers are linked below:

• GoDaddy
• Amazon Web Services(AWS)
• Cloudflare
• cPanel

Enabling Microsoft Office 365 DKIM Keys on Your Defender Account

After you are done publishing the records on your DNS, head back to the DKIM page on your Defender portal and toggle the “Enable” option.

DKIM Couldn’t Be Enabled: CNAME Records Were Not Found

If an error persists and DKIM can’t be enabled for your domain on Microsoft’s Defender portal, follow these steps:

• Lookup your published DKIM record using our DKIM record lookup tool to see if it is valid and error-free
• Your DNS might be taking some time to save changes. Wait for at least 48 hours before verifying your setup.
• Cross-check your DKIM record’s syntax to ensure there are no inconsistencies like redundant spaces or special characters
• Get in touch with your DNS hosting provider to discuss the issue
• Get in touch with Microsoft’s support team to seek advice on the same

How to Configure DKIM for Office 365 Using Powershell

You can use Powershell to enable your Exchange Online DKIM setup for office 365, especially if you want to enable it for multiple domains. To do so:

1. Connect to Exchange online

2. Extract your Office 365 DKIM selectors by running the following script:

3. Add the CNAME records provided to your by Office 365 to your DNS

4. Run the following command to enable DKIM for the domain:

Setup DKIM for Office 365 the right way with PowerDMARC!

How to Check DKIM Office 365 Records?

You can check your Office 365 DKIM record with PowerDMARC. PowerDMARC’s advanced email security and authentication platform helps you protect your email communications easily! You can combat Business Email Compromise, and gain full advantage of DKIM once you sign up on our platform. 

1. Sign-up with PowerDMARC for Free

Create a free account on PowerDMARC to access the portal

2. Go to Powertoolbox > DKIM Record Lookup

On the left side navigation bar, click on Analysis tools > Powertoolbox > DKIM record lookup

3. Enter Your Domain Name and DKIM Selector

You can manually enter your selector name or keep the “auto” mode turned on to let our technology automatically detect your selector.

4. Click on Lookup to Check Your Record

Once you click on the lookup button, you can check your DKIM for Office 365 record’s validity status and configured tags as shown below:

Why Should I Setup DKIM Records?

There are several reasons why you should setup Office 365 DKIM records for a custom domain if you use Microsoft’s email services:

• To protect your domain from spoofing and phishing attacks. Spoofing is when an unauthorized sender uses your domain name to send emails. Phishing is when an unauthorized sender sends emails that appear to be from a legitimate source such as your bank or credit card company. DKIM can help to prevent these attacks by verifying the sender of your outbound emails.
• To improve the deliverability of your emails. Some email servers will reject emails that are not DKIM-authenticated. By configuring DKIM for Office 365, you can improve email deliverability and reduce the risk of your emails being marked as spam or ending up on an email blacklist.
• To comply with industry regulations. Some industries, such as financial services and healthcare, have regulations that require the use of DKIM. By configuring DKIM in Office 365, you can help to ensure that your organization is compliant with these regulations.
• Bulk senders sending emails to Google and Yahoo inboxes need DKIM. If you don’t have SPF enabled, even users sending less than 5000 mails per day will need to configure DKIM. 

How to Disable DKIM for Office 365?

You can disable DKIM for Office 365 with a single click on the Defender portal.

Simply head to Email & collaboration > Policies & rules > Threat policies > DomainKeys Identified Mail(DKIM)

On the DKIM page toggle the “Enable” button to disable the protocol.

Note: DKIM verification can help you better authenticate messages during special cases like email forwarding where SPF may fail. Keeping DKIM enabled for your domains is considered a good email practice and is highly recommended by both Microsoft, and us.

Other Related Articles

Microsoft Office 365 SPF setup

Microsoft Office 365 DMARC setup

Hope this article was helpful to you! Are you new to email authentication and DMARC? Take a free DMARC trial to weigh out your benefits today.

• About
• Latest Posts

Yunes Tarada

Domain & Email Security Expert at PowerDMARC

Yunes is an Operations Team Lead at PowerDMARC with expert knowledge in email authentication and security. Yunes is a Microsoft-certified Azure Administrator Associate with certifications in CompTIA A+ and many more.

Latest posts by Yunes Tarada (see all)

• Bulk Email Sender Rules for Google, Yahoo, Microsoft, and Apple iCloud Mail - April 14, 2025
• Email Salting Attacks: How Hidden Text Bypasses Security - February 26, 2025
• SPF flattening: What is it and why do you need it? - February 26, 2025