How to Setup Microsoft Office 365 DKIM record?

DKIM (DomainKeys Identified Mail) is an email authentication method that can be used with Office 365 to verify the legitimacy of the sender’s domain and ensures that the email content has not been altered during transit. 

DKIM digital signatures are added to outgoing emails, allowing receiving servers to validate the message’s origin and integrity. This signature is created using a private key that is associated with your domain name. When an email server receives an email message that is signed with DKIM, it can use the public key that is published in your domain’s DNS records to verify the signature. If the signature is valid, the email server can be confident that the message was sent from your domain and is not a spoofed email.

Moreover, when combined with DMARC, DKIM improves the chances of your legitimate emails reaching the recipient’s inbox instead of being marked as spam or rejected by email filters.

Why should I configure DKIM Office 365?

There are several reasons why you should configure DKIM for Office 365:

• To protect your domain from spoofing and phishing attacks. Spoofing is when an unauthorized sender uses your domain name to send emails. Phishing is when an unauthorized sender sends emails that appear to be from a  legitimate source such as your bank or credit card company. DKIM can help to prevent these attacks by verifying the sender of an email message.
• To improve the deliverability of your emails. Some email servers will reject emails that are not DKIM-authenticated. By configuring DKIM for Office 365, you can improve the chances that your emails will be delivered to their intended recipients.
• To comply with industry regulations. Some industries, such as financial services and healthcare, have regulations that require the use of DKIM. By configuring DKIM in Office 365, you can help to ensure that your organization is compliant with these regulations.

Setting up DKIM in Office 365

Note: The DKIM Office 365 configuration was previously carried out using the O365 Exchange Online portal. However, with underway improvements pertaining to Microsoft’s security processes, the Office 365 DKIM configuration process has been up and moved to the Microsoft 365 Defender portal. 

Please note that if you use default.onmicrosoft.com to send your emails or a single custom domain, you don’t need to manually set up DKIM Office 365 as Microsoft will sign your emails with 2048-bit DKIM keys by default. It is only when you have multiple domains registered on Office 365 is when you can use the steps below to configure Office 365 DKIM signatures. 

1. Log into Defender Portal

• Login to your Defender account. You can use the link provided above. 
• On the portal, navigate and click on Policies & Rules under Email & Collaboration
• On the Policies & Rules page, select Threat Policies

2. Create your DKIM keys 

• Now select DomainKeys Identified Mail(DKIM) to open the DKIM page
• On the DKIM page, select the domain you want to enable DKIM for (this is the domain you use to send outbound messages)

• You can now toggle the Enable button to start the activation process for DKIM. A dialogue box will appear which may contain the following status. Simply click on the Create DKIM keys button to view your keys:

3. Copy the DKIM CNAME records

• A pop-up will now display your DKIM CNAME records
• Click on the blue “Copy” button to copy records to your clipboard

How to publish Office 365 DKIM records in Your DNS?

1. Login to your DNS provider’s management console
2. Navigate to the DNS records section 
3. Create new CNAME records (Record type: CNAME)
4. Paste the copied hostnames and values, as provided on the Defender portal
5. Keep TTL as 3600
6. Save changes to your record and wait for 24-48 hours for your DNS to process these changes 

Note: The process for publishing DNS records varies depending on which DNS hosting provider you use. The time it takes to activate the records also depends on the same. The processes for a few of the major providers are linked below: 

• GoDaddy
• Amazon Web Services(AWS) 
• Cloudflare
• cPanel

Enabling Microsoft Office 365 DKIM keys on your Defender account

After you are done publishing the records on your DNS, head back to the DKIM page on your Defender portal and toggle the “Enable” option.

DKIM couldn’t be enabled: CNAME records were not found

If an error persists and DKIM couldn’t be enabled for your domain on Microsoft’s Defender portal, follow these steps: 

• Lookup your published DKIM record using our DKIM record lookup tool to see if it is valid and error-free
• Your DNS might be taking some time to save changes. Wait for at least 48 hours before verifying your setup. 
• Cross-check your DKIM record’s syntax to ensure there are no inconsistencies like redundant spaces or special characters 
• Get in touch with your DNS hosting provider to discuss the issue 
• Get in touch with Microsoft’s support team to seek advice on the same 

How to Configure Office 365 DKIM using Powershell? 

You can use Powershell to create and setup DKIM for office 365 domains using Powershell, especially if you want to enable it for multiple domains. To do so: 

1. Connect to Exchange online

2. Extract your Office 365 DKIM selectors by running the following script:

3. Add the CNAME records provided to your by Office 365 to your DNS

4. Run the following command to enable DKIM for the domain: 

How to check DKIM Office 365 records?

You can check your Office 365 DKIM record with PowerDMARC. 

1. Sign-up with PowerDMARC for free 

Create a free account on PowerDMARC to access the portal

2. Go to Powertoolbox > DKIM record lookup 

On the left side navigation bar, click on Analysis tools > Powertoolbox > DKIM record lookup

3. Enter your domain name and DKIM selector 

You can manually enter your selector name or keep the “auto” mode turned on to let our technology automatically detect your selector. 

4. Click on Lookup to check your record

Once you click on the lookup button, you can check your office 365 DKIM record’s validity status and configured tags as shown below:

How to disable DKIM for Office 365?

You can disable DKIM for Office 365 with a single click on the Defender portal.

Simply head to Email & collaboration > Policies & rules > Threat policies > DomainKeys Identified Mail(DKIM) 

On the DKIM page toggle the “Enable” button to disable the protocol. 

Note: DKIM verification can help you better authenticate messages during special cases like email forwarding where SPF may fail. Keeping DKIM enabled for your domains is considered a good email practice and is highly recommended by both Microsoft, and us.

Other related articles

Microsoft Office 365 SPF setup 

Microsoft Office 365 DMARC setup

Hope this article was helpful to you! Are you new to email authentication and DMARC? Take a free DMARC trial to weigh out your benefits today.

• About
• Latest Posts

Yunes Tarada

Yunes is an Operations Team Lead at PowerDMARC with expert knowledge in email authentication and security. Yunes is a Microsoft-certified Azure Administrator Associate with certifications in CompTIA A+ and many more.

Latest posts by Yunes Tarada (see all)

• How to Setup DMARC in Office 365? Step-by-Step Guide - May 6, 2024
• SMTP Yahoo Error Codes Explained - May 1, 2024
• SPF Softfail Vs Hardfail: What’s the Difference? - April 26, 2024