An Office 365 DKIM setup is an email authentication protocol that aids in your defense against spoofing, phishing, and BEC attacks. Microsoft recommends a DKIM record to sign your outbound emails digitally so that they don't get tampered with or accessed by threat actors in the process of being transferred. Enabling O365 DKIM is an essential step to ensure your email's security.
Enabling Office 365 DKIM Signing on the Microsoft 365 Defender Portal Using Custom Domain
Note: If you enable DKIM signing through the Microsoft 365 Defender portal for your outbound messages using a custom domain, it automatically switches your DKIM setup from the previous *.onmicrosoft.com domain. Here’s how you can set up a custom domain.
Here are the steps to setup Office 365 DKIM for your custom domain:
Make sure you can spot your custom domain name in the DKIM tab of your Email Authentication Settings page in the Defender portal. Here’s what it should look like:
Login to your Defender account.
On the portal, navigate to Email & collaboration, select Policies & rules
On the Policies & rules page, select Threat policies and choose Email authentication settings
On this page, click on the DKIM tab and select your custom domain for which you wish to enable DKIM signing
A dialog box will appear containing a toggle button named Sign messages for this domain with DKIM signatures which is disabled by default. Try to enable it by clicking.
An error box will appear at this point, informing you that CNAME records are missing for your domain preventing DKIM signing. The error details will further provide the syntax for 2 CNAME records that you need to publish on your DNS. Each of these records will have 2 primary fields: The hostname, and record value. Microsoft provides the following example in their guide:
CNAME Record 1
Hostname: selector1._domainkey
Value: selector1-contoso-com._domainkey.contoso.onmicrosoft.com
CNAME Record 2
Hostname: selector2._domainkey
Value: selector2-contoso-com._domainkey.contoso.onmicrosoft.com
Without closing the last page of your Defender portal, in a new window login to yout DNS management console. Create 2 new CNAME records and paste the value of these records on your DNS.
You can explore step-by-step instructions for how to publish DKIM records for various DNS providers in our knowledge base.
Note: Once your CNAME records are created it may take a few minutes to a few hours for your DNS to propagate the changes. Once the changes are processed it may take some time for Microsoft 365 to detect the changes. Hence allow some time to pass before moving on to the final steps.
Head to the Defender portal wherein you have kept the last page opened and try to toggle the Sign messages for this domain with DKIM signatures to enable it
When the security dialog box appears, click OK
If you have successfully enabled DKIM signing for outbound messages for your custom domain, the final configurations should look something like this:
Steps to Customize DKIM Signing Using *.onmicrosoft.com Domain
While the initial *.onmicrosoft.com is automatically configured to sign your messages with DKIM when you send them out using Microsoft 365, you can customize the configurations. Here’s how:
Instead of your custom domain, make sure your *.onmicrosoft.com domain appears in the DKIM tab of the Email authentication settings page
Login to your Defender account.
On the portal, navigate to Email & collaboration, select Policies & rules
On the Policies & rules page, select Threat policies and choose Email authentication settings
On this page, click on the DKIM tab and select your *.onmicrosoft.com domain for which you wish to customize DKIM signing
In the domain details box, select the blue button for Create DKIM keys
Follow on-page instructions to create your new set of DKIM keys but note that you don’t need to publish the keys since this step is automatically handled by Microsoft.
Close the page and now on the domain details page toggle to enable the Sign messages for this domain with DKIM signatures button.
Click OK and you’re done!
Alternative Method: Enable DKIM Signing Using Exchange Online Powershell
To use Powershell to enable DKIM signing for your outbound messages (both for custom domain and *.onmicrosoft.com domain) follow these steps:
Check your current DKIM configuration by running the following command:
Get-DkimSigningConfig | Format-List Name,Enabled,Status,Selector1CNAME,Selector2CNAME
On running this command if DKIM is missing, the results of the check will display a “false” status against the “Enabled” field and convey CNAME to be missing.
For a custom domain, when you run the command and Microsoft 365 find DKIM configurations missing, an error box is displayed. This box will contain 2 CNAME records for DKIM. You need to copy the value and hostname of the records and create new CNAME records with your domain registrar using these values. Once created, publish the records on your DNS.
Or,
If you wish to enable DKIM signing for outbound messages for your *.onmicrosoft.com domain, run following command while replace the “Domain” field with your *.onmicrosoft.com domain name:
Set-DkimConfig -Identity \<Domain\> -Enabled $true
No error message is displayed for this domain.
Finally, run first command to check DKIM configuration to make sure it’s set up correctly. Now the “Enabled” status should display “True” and the “Status” field should have a “Valid” value.
If you wish to rotate your DKIM keys using Exchange Online Powershell, refer to our detailed guide here.
How to disable DKIM for Office 365?
You can disable DKIM for Office 365 with a single click on the Defender portal.
Simply head to Email & collaboration > Policies & rules > Threat policies > DKIM
On the DKIM page toggle the “Enable” button to disable the protocol.
Note: DKIM verification can help you better authenticate messages during special cases like email forwarding where SPF may fail. Moreover, DKIM is mandatory for Google and Yahoo bulk senders and recommended for all senders. Keeping DKIM enabled for your domains is considered a good email practice and is highly recommended by both Microsoft and us.
Other related articles:
Microsoft Office 365 SPF setup
Microsoft Office 365 DMARC setup
Content Review, Fact-Checking & Sources
All information and images provided in this article have been taken from Microsoft’s DKIM configuration guide. The content has been reviewed and fact-checked by cybersecurity experts to ensure accuracy. We also try to update the article periodically when new changes are made by the service providers.
Hope this article was helpful to you! Are you new to email authentication, DKIM, and DMARC? Take a free DMARC trial to weigh out your benefits today.