Submit a ticket My Tickets
Login  Sign up

DKIM setup for office365


In order to DKIM sign your custom domain emails, you will need to complete the following steps:

  1. Sign in to Office 365 using your admin account and choose Admin.

2. Once in the Admin center, expand Admin centers and choose Exchange.

3. Go to protection > dkim


4. Select the domain for which you want to enable DKIM and click on Enable. Repeat this step for each custom domain.



 If you haven't created the relevant CNAME records, you will need to do so as per the instructions below. 

Creating the CNAME records
The CNAME records are used to map an alias name to the true or canonical domain name. In essence when you provision a new domain name in Office 365 you will need to create two CNAME records for it so that it points to your initial domain. Here is an example:


We will use as our initial domain, also called the tenant domain. But we actually own and after we provision it in Office 365 we need to publish the two CNAME records so that points to using the format below.




In our example the CNAME DNS records will look like this:



Host: selector1._domainkey




Host: selector2._domainkey




Please pay close attention to the domainGUID which does not use a full stop "." but a hyphen "-" instead. This is taken from the MX record of your custom domain, in this case,


The CNAME record value syntax will also pop up when you click on Enable DKIM from your Exchange admin center: 



The reason behind the two CNAME records is because Microsoft rotates the two keys for added security.

Enabling DKIM signing
Once you have added the CNAME records (two per domain) DKIM signing can be enabled through the Office 365 admin center. 

For more information, refer to this article.

PowerDMARC is the author of this solution article.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.