Setting Up DomainKeys (DKIM) in Office 365 Hosted Email

Updated 2 May 2022
Updated due to changes in the Microsoft 365 admin section

To access DKIM now, you must:

• Login to the Microsoft 365 Defender Portal (AKA Security & Compliance Center) here: https://security.microsoft.com/
• Click Policies & rules
• Click Threat Policies
• Click DKIM

If you have problems with the setup, visit my article “Problems with Microsoft 365’s (O365) DKIM Setup and Configuration” 

UPDATED 25th Sept 2019
Updated due to changes in the Office 365 admin section

Microsoft implemented DKIM signing for outbound emails early in 2015 but the implementation was still a little clunky, requiring knowledge of the DKIM DNS formatting and the liberal application PowerShell commands.

Fortunately, they have improved this and placed it within the grasp of the average user and/or administrator.  I’ve outlined the steps below to make this as easy as possible.

1. Enable DKIM on Office 365

Login to Office 365 using an account with administrative rights via http://portal.microsoftonline.com.

Click the menu button in the top left corner (it looks like a telephone dial pad)

Click Admin

Click … Show All to see all the options on the left

On the left you’ll have a menu, at the very bottom will be an option called Admin Centers

Expand this menu and click Exchange, this will open a new window displaying the ‘Exchange Admin Center‘ (if you don’t see it, make sure your browsers popup blocker hasn’t stopped the page from appearing).

On the left-hand menu click Protection

From the new sub menu at the top of the right hand section, click DKIM

Select your domain name from the list and then click Enable‘ on the right-hand side:

2. Determine Your Office 365 Tenancy Domain (AKA your onMicrosoft Domain)

To determine the DNS record you will need to setup for your domain name, you first need to login to your Office 365 account via http://portal.microsoftonline.com. and find out what the temporary domain name Microsoft gave you when you setup your account:

Click the menu button in the top left corner (it looks like a telephone dial pad)

Click Admin

Click … Show All to see all the options on the left

Click Setup to expand this option

Click Domains

You should see a domain that ends in onmicrosoft.com similar to this:

Note down the domain, in my example above mine is bobmckay.onmicrosoft.com.

3. Create CNAME DKIM DNS Records

Login to the panel used to manage your domain names DNS records – this will often be either your domain name registrar such as 123-Reg and GoDaddy or it could be your website hosting account (a cPanel, Plesk or CloudFlare account).

You can retrieve information about your domain names DNS using IntoDNS.co.uk and whois.com.

You need to create two CNAME records (not TXT records), based on the following format:

The VALUE part of the DNS record has two key parts:

1. Firstly, the value portion of the DNS record you create has my proper domain name in the first section but with the dots replaced with dashes (so bobmckay.com becomes bobmckay-com).
2. Next, it has the tenancy domain name we retrieved above in step 2 on the end.

Troubleshooting

If you receive the following error message:

CNAME record does not exist for this config. Please publish the following two CNAME records first.

Strictly speaking this error means either the DNS records haven’t been configured properly or they haven’t had time to propagate but when I forced refreshed the entire page, the error suddenly went away so don’t trust repeatedly clicking the ‘enable’ link!

You can verify your DKIM keys are available here: https://www.mail-tester.com/spf-dkim-check