Setting Up DomainKeys (DKIM) in Office 365 Hosted Email

Setting Up DomainKeys (DKIM) in Office 365 Hosted Email

Updated 2 May 2022
Updated due to changes in the Microsoft 365 admin section

To access DKIM now, you must:

  • Login to the Microsoft 365 Defender Portal (AKA Security & Compliance Center) here: https://security.microsoft.com/
  • Click Policies & rules
  • Click Threat Policies
  • Click DKIM

If you have problems with the setup, visit my article “Problems with Microsoft 365’s (O365) DKIM Setup and Configuration” 

UPDATED 25th Sept 2019
Updated due to changes in the Office 365 admin section

Microsoft implemented DKIM signing for outbound emails early in 2015 but the implementation was still a little clunky, requiring knowledge of the DKIM DNS formatting and the liberal application PowerShell commands.

Fortunately, they have improved this and placed it within the grasp of the average user and/or administrator.  I’ve outlined the steps below to make this as easy as possible.

1. Enable DKIM on Office 365

Login to Office 365 using an account with administrative rights via http://portal.microsoftonline.com.

Click the menu button in the top left corner (it looks like a telephone dial pad)

Click Admin

Click … Show All to see all the options on the left

On the left you’ll have a menu, at the very bottom will be an option called Admin Centers

Expand this menu and click Exchange, this will open a new window displaying the ‘Exchange Admin Center‘ (if you don’t see it, make sure your browsers popup blocker hasn’t stopped the page from appearing).

On the left-hand menu click Protection

From the new sub menu at the top of the right hand section, click DKIM

Select your domain name from the list and then click Enable‘ on the right-hand side:

 

 

2. Determine Your Office 365 Tenancy Domain (AKA your onMicrosoft Domain)

To determine the DNS record you will need to setup for your domain name, you first need to login to your Office 365 account via http://portal.microsoftonline.com. and find out what the temporary domain name Microsoft gave you when you setup your account:

Click the menu button in the top left corner (it looks like a telephone dial pad)

Click Admin

Click … Show All to see all the options on the left

Click Setup to expand this option

Click Domains

You should see a domain that ends in onmicrosoft.com similar to this:

Note down the domain, in my example above mine is bobmckay.onmicrosoft.com.

3. Create CNAME DKIM DNS Records

Login to the panel used to manage your domain names DNS records – this will often be either your domain name registrar such as 123-Reg and GoDaddy or it could be your website hosting account (a cPanel, Plesk or CloudFlare account).

You can retrieve information about your domain names DNS using IntoDNS.co.uk and whois.com.

You need to create two CNAME records (not TXT records), based on the following format:

HostValue
selector1._domainkeyselector1-bobmckay-com._domainkey.bobmckay.onmicrosoft.com
selector2._domainkeyselector2-bobmckay-com._domainkey.bobmckay.onmicrosoft.com

The VALUE part of the DNS record has two key parts:

  1. Firstly, the value portion of the DNS record you create has my proper domain name in the first section but with the dots replaced with dashes (so bobmckay.com becomes bobmckay-com).
  2. Next, it has the tenancy domain name we retrieved above in step 2 on the end.

Troubleshooting

If you receive the following error message:

CNAME record does not exist for this config. Please publish the following two CNAME records first.

Strictly speaking this error means either the DNS records haven’t been configured properly or they haven’t had time to propagate but when I forced refreshed the entire page, the error suddenly went away so don’t trust repeatedly clicking the ‘enable’ link!

You can verify your DKIM keys are available here: https://www.mail-tester.com/spf-dkim-check

Bob McKay

About Bob McKay

Bob is a Founder of Seguro Ltd, a full time father and husband, part-time tinkerer-with-wires, coder, Muay Thai practitioner, builder and cook. Big fan of equality, tolerance and co-existence.

Disclosure Policy

5 comments on «Setting Up DomainKeys (DKIM) in Office 365 Hosted Email»

  1. Hello,

    I am actually a Customer Service Agent of Partner Network at the moment.

    You are not aware of utterly horrible customer support, that is going on there.

    Should you wish to cooperate in order for interesting materials see the word….

    Please let me know.

    Small proof for you:

    Your Organization Partner ID: 2321234

    [email protected] – contact email address

    I am glad you re-enrolled, Bob: Network Member (Active thru Jun.15.2017)

    Have a nice day!

  2. Mario says:

    Have you ran into a case in which the domain contains a hyphen example: my-domain.com?
    as a result the MX record has additional info added to it.

    how to handle this?

    1. Bob McKay says:

      Hey Mario,
      Never had a problem with hyphens causing a problem in domains in any way at all (SPF, DNS or DKIM) – are sure that is what is causing your issue?

  3. koroshkokabi says:

    I went vpn free

  4. Adam says:

    Thanks for updating. Nothing more to add. However, you can also retrieve information about your domain names DNS using this tool as well https://dnschecker.org/domain-health-checker.php, as it also checks which blacklist services have your A record and MX record IPs in them. Altogether it includes the DNS health test, MX record test, Mail (MX) record blacklist test, domain IP blacklist test, DMARC test, SMTP test for Mail records, and SPF records test.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.