DKIM (DomainKeys Identified Mail) is an email authentication protocol that can be used with Office 365 to verify the legitimacy of the sender’s domain and ensure that the email content has not been altered during transit. If you enable DKIM Office 365, it can significantly help improve your email security and email deliverability.
DKIM digital signatures are added to outgoing emails, allowing receiving servers to validate the message’s origin and integrity. This signature is created using a private key that is associated with your domain name. When mail servers receive email messages that are signed with DKIM, they verify the public key that is published on DNS to verify the signature. If the signature is valid, the email server can be confident that the message was sent from your domain was genuine and not subject to email spoofing.
Moreover, when combined with DMARC, the DKIM email authentication method improves the chances of your legitimate emails reaching the recipient’s inbox instead of being flagged or rejected by email spam filters.
Let’s learn more about how to setup DKIM Office 365 to improve your domain’s security and email deliverability!
Why Should I Setup DKIM Office 365 Records?
There are several reasons why you should setup Office 365 DKIM record for a custom domain if you use Microsoft’s email services:
- To protect your domain from spoofing and phishing attacks. Spoofing is when an unauthorized sender uses your domain name to send emails. Phishing is when an unauthorized sender sends emails that appear to be from a legitimate source such as your bank or credit card company. DKIM can help to prevent these attacks by verifying the sender of your outbound emails.
- To improve the deliverability of your emails. Some email servers will reject emails that are not DKIM-authenticated. By configuring DKIM for Office 365, you can improve the chances that your emails will be delivered to their intended recipients.
- To comply with industry regulations. Some industries, such as financial services and healthcare, have regulations that require the use of DKIM. By configuring DKIM in Office 365, you can help to ensure that your organization is compliant with these regulations.
- Bulk senders sending emails to Google and Yahoo inboxes need DKIM. If you don’t have SPF enabled, even users sending less than 5000 mails per day will need to configure DKIM.
Setting up O365 DKIM for Custom Domains
Note: The DKIM Office 365 configuration was previously carried out using the O365 Exchange Online portal. However, with underway improvements pertaining to Microsoft’s security processes, the Office 365 DKIM configuration process has been up and moved to the Microsoft 365 Defender portal.
There are a few key considerations if you use Office 365 as your email service providers. Please note that if you use default.onmicrosoft.com domain to send your emails or a single custom email domain, you don’t need to manually set up DKIM Office 365 as Microsoft will enable DKIM signing your emails with 2048-bit DKIM keys by default. It is only when you have multiple domains registered on Office 365 is when you can use the steps below to configure Office 365 DKIM signatures.
1. Log into the Defender Portal
- Login to your Defender account admin center. You can use the link provided above.
- On the portal, navigate and click on policies & RulesunderEmail & Collaboration
- On the policies & Rules page, select Threat Policies
2. Create your DKIM DNS Records
- Now select DomainKeys Identified Mail(DKIM) to open the DKIM tab
- On the DKIM page, select the domain you want to enable DKIM for (this is the domain you use to send outbound messages)
- You can now toggle the Enable button to start the activation process for DKIM. A dialogue box will appear which may contain the following status. Simply click on the Create DKIM keys button to view your keys:
3. Copy the DKIM CNAME Records
- A pop-up will now display 2 CNAME-Typed DKIM records. This is your DKIM public key.
- Click on the blue “Copy” button to copy the CNAME values to your clipboard
How to Publish Office 365 DKIM Records in Your DNS?
- Login to your DNS provider’s management console
- Navigate to the DNS records section
- Create new CNAME records (Record type: CNAME)
- Paste the copied hostnames and values, as provided on the Defender portal
- Keep TTL as 3600
- Save changes to your record to finish the DKIM setup. Wait for 24-48 hours to enable DKIM validation.
Note: The process for publishing DNS records varies depending on which DNS hosting provider you use. The time it takes for DNS propagation activate the records also depends on the same. The processes for a few of the major providers are linked below:
Enabling Microsoft Office 365 DKIM Keys on Your Defender Account
After you are done publishing the records on your DNS, head back to the DKIM page on your Defender portal and toggle the “Enable” option.
DKIM Couldn’t Be Enabled: CNAME Records Were Not Found
If an error persists and DKIM can’t be enabled for your domain on Microsoft’s Defender portal, follow these steps:
- Lookup your published DKIM record using our DKIM record lookup tool to see if it is valid and error-free
- Your DNS might be taking some time to save changes. Wait for at least 48 hours before verifying your setup.
- Cross-check your DKIM record’s syntax to ensure there are no inconsistencies like redundant spaces or special characters
- Get in touch with your DNS hosting provider to discuss the issue
- Get in touch with Microsoft’s support team to seek advice on the same
How to Configure Office 365 DKIM Using Powershell?
You can use Powershell to enable your Exchange Online DKIM setup for office 365, especially if you want to enable it for multiple domains. To do so:
1. Connect to Exchange online
2. Extract your Office 365 DKIM selectors by running the following script:
3. Add the CNAME records provided to your by Office 365 to your DNS
4. Run the following command to enable DKIM for the domain:
How to Check DKIM Office 365 Records?
You can check your Office 365 DKIM record with PowerDMARC. PowerDMARC’s advanced email security and authentication platform helps you protect your email communications easily! You can combat Business Email Compromise, and gain full advantage of DKIM once you sign up on our platform.
1. Sign-up with PowerDMARC for Free
Create a free account on PowerDMARC to access the portal
2. Go to Powertoolbox > DKIM Record Lookup
On the left side navigation bar, click on Analysis tools > Powertoolbox > DKIM record lookup
3. Enter Your Domain Name and DKIM Selector
You can manually enter your selector name or keep the “auto” mode turned on to let our technology automatically detect your selector.
4. Click on Lookup to Check Your Record
Once you click on the lookup button, you can check your office 365 DKIM record’s validity status and configured tags as shown below:
How to Disable DKIM for Office 365?
You can disable DKIM for Office 365 with a single click on the Defender portal.
Simply head to Email & collaboration > Policies & rules > Threat policies > DomainKeys Identified Mail(DKIM)
On the DKIM page toggle the “Enable” button to disable the protocol.
Note: DKIM verification can help you better authenticate messages during special cases like email forwarding where SPF may fail. Keeping DKIM enabled for your domains is considered a good email practice and is highly recommended by both Microsoft, and us.
Other Related Articles
Microsoft Office 365 SPF setup
Microsoft Office 365 DMARC setup
Hope this article was helpful to you! Are you new to email authentication and DMARC? Take a free DMARC trial to weigh out your benefits today.
- Common Mark Certificates (CMC) for Google BIMI Adoption - September 25, 2024
- BIMI Setup Guide for Zoho Mail – Getting the Blue Verified Checkmark - September 6, 2024
- Setting up SPF Records for Gmail and Google Workspace - August 29, 2024