DKIM Office 365 Setup: Configure Signing for Microsoft 365

If you are sending email through Microsoft 365 and have not configured DKIM for your custom domain, your emails are going out without a digital signature. That means receiving servers have no way to verify that your messages have not been altered in transit, and your domain is more vulnerable to spoofing.

Setting up DKIM for Office 365 is one of the most important steps in building a secure, trustworthy email setup.

This guide walks you through everything: what DKIM does, how Microsoft 365 handles it, and exactly how to configure it for your custom domain.

What Is DKIM and Why Does It Matter for Microsoft 365?

Before walking through the setup process, it is worth understanding what DKIM does and why it is a critical part of your Microsoft 365 email configuration.

DomainKeys Identified Mail (DKIM) is an email authentication protocol that adds a cryptographic digital signature to each outgoing email. When a message is sent, the signing domain uses a private key to generate the signature.

The receiving server then retrieves the corresponding public key from DNS and uses it to verify that the message body and headers have not been altered in transit.

What DKIM does for your email

Where DKIM fits alongside SPF and DMARC

DKIM works in conjunction with SPF and DMARC to form a complete email authentication framework. Each protocol covers a different layer:

• SPF verifies that the sending server is authorized to send email for your domain
• DKIM verifies that the message content was not altered in transit
• DMARC enforces policy by requiring SPF and DKIM to align with the From address

DKIM, SPF, and DMARC Comparison

For DKIM to pass DMARC checks, the domain in the From address must match the domain used in the DKIM signature. This alignment requirement is what makes the combination of SPF, DKIM, and DMARC so effective against phishing attacks and spoofing.

DKIM alone is not sufficient to prevent all types of email spoofing. It must be used alongside SPF and DMARC for complete protection. We will cover how to implement DMARC alongside your Microsoft 365 DKIM setup later in this guide.

How Microsoft 365 Handles DKIM

Microsoft 365 manages DKIM differently depending on whether you use the default onmicrosoft.com domain or a custom domain. Understanding this distinction prevents confusion during setup.

What Microsoft handles automatically

Microsoft automatically enables DKIM signing for the initial onmicrosoft.com domain associated with your Microsoft 365 tenant. If you are only sending from yourcompany.onmicrosoft.com, DKIM is already working without any manual configuration.

What requires manual setup

Manual DKIM configuration is required for every custom domain you use to send email.

If your organization sends from a custom domain such as yourcompany.com, you need to create CNAME records in your DNS and enable DKIM signing through the Microsoft Defender portal.

Each subdomain used to send email from Microsoft 365 also requires its own DKIM configuration. DKIM does not automatically extend from a root domain to its subdomains.

The two-selector system

Microsoft 365 uses two DKIM selectors, selector1 and selector2, for each custom domain.

Using two selectors allows Microsoft to rotate DKIM keys automatically for better security. When you set up DKIM, you create CNAME records for both selectors pointing to the public keys generated by Microsoft 365.

Prerequisites for DKIM Setup in Office 365

Before starting the DKIM setup process, confirm that the following are in place.

If SPF is not yet configured for your domain, set that up first. For step-by-step instructions, see our guide on how to set up SPF.

Step-by-Step Guide: DKIM Setup for Office 365

Setting up DKIM for a custom domain in Microsoft 365 involves three main actions: retrieving your CNAME record values from the Microsoft Defender portal, publishing those records in your DNS, and enabling DKIM signing once the records are detected.

The process requires accuracy at every step. Typos in your CNAME values are the most common reason DKIM setup fails, so take your time with the DNS configuration.

Step 1: Get your DKIM CNAME record values from Microsoft 365

Microsoft 365 generates the exact CNAME record values you need to publish in your DNS. To find them:

1. Sign in to the Microsoft Defender portal
2. Navigate to Email and Collaboration > Policies and Rules > Threat policies
3. Select Email Authentication Settings
4. Click the DKIM tab
5. Select your custom domain from the list
6. Open the details flyout for that domain

The portal will display the two CNAME record values you need. If DKIM cannot be enabled yet, the portal will indicate the required values to use in the CNAME records.

The basic syntax of the DKIM CNAME records for custom domains follows this format:

Always use the exact values shown in the Defender portal for your specific domain and tenant, not a generic template.

PowerDMARC automatically generates and validates DKIM records for Office 365, eliminating manual errors and ensuring proper configuration from the start. Use our free DKIM record checker to verify your records instantly.

Step 2: Create the CNAME records in your DNS

Log in to your domain registrar or DNS hosting provider and create two new CNAME records using the values from the previous step.

Key things to confirm when adding the records:

• Record type must be set to CNAME, not TXT or any other type
• Host name values must include the full selector prefix: selector1._domainkey and selector2._domainkey
• Check carefully for typos in the CNAME values. Errors at the domain registrar are the most common cause of DKIM setup failures
• Do not add multiple conflicting records for the same host name

DNS changes can take up to 48 hours to propagate globally, though they often happen much faster. It may take several minutes to a few hours for Microsoft 365 to detect the new CNAME records.

Step 3: Enable DKIM signing in the Microsoft Defender portal

Once your CNAME records are published and propagated, return to the DKIM tab in the Microsoft Defender portal:

1. Select your custom domain
2. Open the details flyout
3. Toggle Sign messages for this domain with DKIM signatures to enabled

The status of the domain on the DKIM tab must show valid values for DKIM signing to be enabled. If the portal cannot detect your CNAME records, it will display an error along with the expected values. Double-check your DNS records for accuracy before trying again.

After enabling DKIM, it may take some time for the status to update and confirm that DKIM signatures are being applied to outgoing messages.

Step 4: Verify DKIM is working

To confirm DKIM signing is active, send a test email from your custom domain to a Gmail address and inspect the message header:

1. Open the received email in Gmail
2. Click the three-dot menu and select Show original
3. Look for the DKIM-Signature header field in the raw message header
4. Confirm the DKIM signature is present and that the d= value matches your custom domain
5. The s= value in the DKIM-Signature header identifies the selector currently in use

You can also use PowerDMARC’s DMARC monitoring tools to verify DKIM alignment across all your sending sources in one dashboard.

A passing DKIM result in the message header confirms that DKIM signing is active and working correctly for your custom domain.

How to Configure DKIM Using PowerShell

Exchange Online PowerShell provides command-line tools to automate DKIM setup, enable or disable DKIM signing for your custom domains, and troubleshoot issues. This approach is particularly useful when managing multiple domains or complex environments.

To enable DKIM via PowerShell:

1. Connect to Exchange Online

2. Extract your Office 365 DKIM selectors by running the following script:

3. Add the CNAME records provided to your by Office 365 to your DNS

4. Run the following command to enable DKIM for the domain:

Common PowerShell Troubleshooting Commands

• Check DKIM status: Get-DkimSigningConfig -Identity “yourdomain.com”
• Disable DKIM: Set-DkimSigningConfig -Identity “yourdomain.com” -Enabled $false
• Bulk enable for multiple domains: Get-AcceptedDomain | ForEach {Set-DkimSigningConfig -Identity $_.Name -Enabled $true}
• View DKIM selectors: Get-DkimSigningConfig | Select Identity,Selector1CNAME,Selector2CNAME

How to Check DKIM Record Status in Office 365

After setting up DKIM, verify that your configuration is working correctly. Here are multiple methods to check your DKIM record status:

Method 1: Microsoft Defender Portal

1. Navigate to the Microsoft Defender portal
2. Go to Email & Collaboration > Policies & Rules > Threat policies > DKIM
3. Check the status column for your domain – it should show “Enabled” with green checkmarks

Method 2: Online DKIM Checkers

Use PowerDMARC’s free DKIM record lookup tool to validate your DKIM records instantly. Enter your domain and selector (selector1 or selector2) to confirm proper publication and validity.

Method 3: Email Header Analysis

Send a test email and examine the headers:

• Look for “DKIM-Signature:” in the email headers
• Check that the “d=” parameter matches your domain
• Verify “Authentication-Results:” shows “dkim=pass”

Common DKIM Validation Issues

• DNS propagation delays: Wait 24-48 hours for global propagation
• Incorrect CNAME values: Double-check the exact values from Microsoft Defender portal
• Multiple DNS records: Ensure no conflicting DKIM records exist
• TTL settings: Lower TTL values speed up propagation during testing

DKIM Setup Limitations and Common Issues

DKIM is a powerful email authentication protocol, but it comes with technical constraints that are important to understand before and during implementation.

Knowing these limitations upfront helps you avoid common pitfalls, plan your configuration correctly, and set realistic expectations for what DKIM can and cannot protect against on its own.

Common DKIM Setup Errors Checklist

✓ Verify CNAME record syntax is exactly as shown in Microsoft Defender portal

✓ Ensure no typos in selector names (selector1._domainkey, selector2._domainkey)

✓ Check that DNS record type is set to CNAME, not TXT

✓ Confirm domain is verified in Microsoft 365 before enabling DKIM

✓ Wait for DNS propagation (up to 48 hours) before troubleshooting

✓ Remove any conflicting or duplicate DKIM records

DKIM limitations

Understanding where DKIM falls short is just as important as knowing what it does. These limitations are precisely why DKIM should always be implemented alongside SPF and DMARC rather than treated as a standalone solution.

Email forwarding

DKIM signatures can break during email forwarding. When a message is forwarded, some mail servers modify the message header or body in ways that invalidate the original DKIM signature.

This is one of the key reasons DMARC requires alignment across both SPF and DKIM rather than relying on either one alone.

Message modification

Any modification to the email content after it has been signed will invalidate the DKIM signature. This includes changes made by mailing lists, email gateways, or content filtering tools that alter the message body or certain header fields before delivery.

Third-party sending services

External email services that send on your behalf, such as marketing platforms, CRMs, and helpdesk tools, may require additional DKIM configuration.

Each third-party sender typically needs to sign outgoing messages with either your domain or their own, and this needs to be verified and accounted for in your overall email authentication setup.

Hybrid environments

Organizations running a combination of on-premises Exchange and Microsoft 365 in a hybrid environment may need special consideration when configuring DKIM signing.

Messages routed through on-premises servers before reaching Microsoft 365 can behave differently than cloud-only sending, and DKIM configuration should account for the full message flow before enabling signing.

Solution: Switch to PowerDMARC

Enabling DKIM signing for your Microsoft 365 custom domain is a critical step in securing your email. But DKIM alone only covers part of the picture.

Without DMARC in place to enforce alignment and provide visibility into your email traffic, your domain remains exposed to spoofing and impersonation that DKIM cannot stop on its own.

PowerDMARC makes it straightforward to go from DKIM setup to full DMARC enforcement. Withhosted DMARC, automated reporting, and a platform built to simplify every stage of email authentication, PowerDMARC gives you complete visibility into who is sending on your behalf and the tools to lock down your domain for good.

Take a free DMARC trial to weigh out your benefits today.

FAQs

1. How do I ensure that DKIM is enabled for all Exchange Online domains?

To make sure DKIM is enabled for all your Exchange Online domains, check the Microsoft Defender portal under Email & collaboration > Policies & rules > Threat policies > DKIM. Verify that DKIM is turned on for each custom domain.

2. How to rotate DKIM keys in Office 365?

To rotate DKIM keys in Office 365, you need to generate new CNAME records for the new keys in your DNS and then enable DKIM signing for those new keys in the Microsoft Defender portal. This process helps improve security by periodically updating the cryptographic keys that sign your emails.

3. How often should you rotate DKIM keys?

It’s recommended to rotate your DKIM keys every 1 to 2 years, or sooner if you suspect your keys have been compromised. Regular rotation helps maintain strong email security and prevents attackers from exploiting old keys.

4. What is the recommended key length for DKIM records?

Microsoft Office 365 uses 2048-bit DKIM keys by default, which provides strong security and is considered the current industry standard. This key length offers excellent protection against cryptographic attacks while maintaining good performance.

5. How do SPF, DKIM, and DMARC work together to protect email?

SPF authorizes sending servers, DKIM verifies message integrity through digital signatures, and DMARC provides policy enforcement by combining SPF and DKIM results. Together, they create a comprehensive email authentication framework that protects against spoofing, phishing, and ensures legitimate emails reach their intended recipients.

6. What should I do if DKIM signatures are not appearing in my outbound emails?

If DKIM signatures are not appearing in your outbound emails, check that DKIM is enabled on your sending service and that the correct DKIM public key is published in your DNS. Also, confirm that the selector matches and that DNS changes have fully propagated. If the issue continues, review your email server settings or contact your email provider.

7. Why is my DKIM record not validating in Office 365?

Common causes include DNS propagation delays, incorrect CNAME values, typos in selector names, or conflicting DNS records. Wait 24-48 hours for propagation, verify the exact CNAME values from Microsoft Defender portal, and ensure no duplicate records exist.

8. Can I use DKIM without SPF or DMARC in Office 365?

While DKIM can function independently, it’s not recommended. DKIM alone cannot prevent domain spoofing effectively. For complete email authentication and protection, you need all three protocols (SPF, DKIM, and DMARC) working together.

9. How do I update DKIM keys for multiple domains in Office 365?

Use PowerShell for bulk operations: Get-AcceptedDomain | ForEach {Set-DkimSigningConfig -Identity $_.Name -Enabled $false; Set-DkimSigningConfig -Identity $_.Name -Enabled $true}. This disables and re-enables DKIM for all domains, forcing key regeneration.

• About
• Latest Posts

Yunes Tarada

Domain & Email Security Expert at PowerDMARC

Yunes is an Operations Team Lead at PowerDMARC with expert knowledge in email authentication and security. Yunes is a Microsoft-certified Azure Administrator Associate with certifications in CompTIA A+ and many more.

Latest posts by Yunes Tarada (see all)

• compauth=fail: Microsoft Composite Authentication Explained - June 1, 2026
• Is Windows Defender Enough for Small Business Security? - May 14, 2026
• DMARCbis Explained – What’s Changing and How to Prepare - April 16, 2026