Updated 2 May 2022
Updated due to changes in the Microsoft 365 admin section
To access DKIM now, you must:
- Log in to the Microsoft 365 Defender Portal (AKA Security & Compliance Center) here: https://security.microsoft.com/
- Click Policies & rules
- Click Threat Policies
- Click DKIM
If you have problems with the setup, visit my article “Problems with Microsoft 365’s (O365) DKIM Setup and Configuration”
UPDATED 25th Sept 2019
Updated due to changes in the Office 365 admin section
Microsoft implemented DKIM signing for outbound emails early in 2015, but the implementation was still a little clunky, requiring knowledge of the DKIM DNS formatting and the liberal application of PowerShell commands.
Fortunately, they have improved this and placed it within the grasp of the average user and/or administrator. I’ve outlined the steps below to make this as easy as possible.
1. Enable DKIM on Office 365
Log in to Office 365 using an account with administrative rights via http://portal.microsoftonline.com.
Click the menu button in the top left corner (it looks like a telephone dial pad)
Click Admin
Click … Show All to see all the options on the left
On the left you’ll have a menu, at the very bottom will be an option called Admin Centers
Expand this menu and click Exchange; this will open a new window displaying the ‘Exchange Admin Center’ (if you don’t see it, make sure your browser’s pop-up blocker hasn’t stopped the page from appearing).
On the left-hand menu click Protection
From the new sub-menu at the top of the right-hand section, click DKIM
Select your domain name from the list and then click ‘Enable’ on the right-hand side:
2. Determine Your Office 365 Tenancy Domain (AKA your onMicrosoft Domain)
To determine the DNS record you will need to set up for your domain name, you first need to log in to your Office 365 account via http://portal.microsoftonline.com and find out what temporary domain name Microsoft gave you when you set up your account:
Click the menu button in the top left corner (it looks like a telephone dial pad)
Click Admin
Click … Show All to see all the options on the left
Click Setup to expand this option
Click Domains
You should see a domain that ends in onmicrosoft.com similar to this:
Note down the domain; in my example above, mine is bobmckay.onmicrosoft.com.
3. Create CNAME DKIM DNS Records
Log in to the panel used to manage your domain name’s DNS records – this will often be either your domain name registrar, such as 123-Reg or GoDaddy, or it could be your website hosting account (a cPanel, Plesk or CloudFlare account).
You can retrieve information about your domain name’s DNS using IntoDNS.co.uk and whois.com.
You need to create two CNAME records (not TXT records), based on the following format:
Host | Value |
---|---|
selector1._domainkey | selector1-bobmckay-com._domainkey.bobmckay.onmicrosoft.com |
selector2._domainkey | selector2-bobmckay-com._domainkey.bobmckay.onmicrosoft.com |
The VALUE part of the DNS record has two key parts:
- Firstly, the value portion of the DNS record you create has my proper domain name in the first section but with the dots replaced with dashes (so bobmckay.com becomes bobmckay-com).
- Next, it has the tenancy domain name we retrieved above in step 2 on the end.
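The record format above, as an added example (not part of the original article): a Python sketch that derives both CNAME records from the rule as stated in step 3 and checks a DNS panel export against them. The function names and the sample export are constructed for illustration; where the DKIM page lists the two records it wants published, compare against those values as well.

```python
# Added example: derive the step 3 CNAME records and audit a DNS export against them.
SELECTORS = ("selector1", "selector2")


def _clean(name):
    """Lower-case a DNS name and drop whitespace and the trailing root dot."""
    return name.strip().rstrip(".").lower()


def expected_dkim_cnames(domain, tenancy_domain):
    """Return {host: target} using the rule described in step 3 of the article."""
    domain, tenancy = _clean(domain), _clean(tenancy_domain)
    if not tenancy.endswith(".onmicrosoft.com"):
        raise ValueError("tenancy domain must end in .onmicrosoft.com")
    dashed = domain.replace(".", "-")  # bobmckay.com -> bobmckay-com
    return {f"{s}._domainkey": f"{s}-{dashed}._domainkey.{tenancy}" for s in SELECTORS}


def audit_records(records, domain, tenancy_domain):
    """records: (host, type, value) tuples from a DNS panel. Returns a list of problems."""
    domain = _clean(domain)
    problems = []
    for host, target in expected_dkim_cnames(domain, tenancy_domain).items():
        # Panels show hosts either relative ("selector1._domainkey") or fully qualified.
        found = [(t.upper(), _clean(v)) for h, t, v in records
                 if _clean(h) in (host, f"{host}.{domain}")]
        wrong_type = [rtype for rtype, _ in found if rtype != "CNAME"]
        if not found:
            problems.append(f"{host}: no record found")
        elif wrong_type:
            problems.append(f"{host}: must be a CNAME, not {wrong_type[0]}")
        elif found[0][1] != target:
            problems.append(f"{host}: points to {found[0][1]}, expected {target}")
    return problems


# Constructed sample export with two typical mistakes (not real DNS data).
SAMPLE_ZONE = [
    ("selector1._domainkey.bobmckay.com.", "CNAME",
     "selector1-bobmckay.com._domainkey.bobmckay.onmicrosoft.com."),  # dots not dashed
    ("selector2._domainkey", "TXT", "v=DKIM1; k=rsa; p=<constructed>"),  # TXT, not CNAME
]

if __name__ == "__main__":
    args = ("bobmckay.com", "bobmckay.onmicrosoft.com")
    for host, target in expected_dkim_cnames(*args).items():
        print(f"{host}  CNAME  {target}")
    for problem in audit_records(SAMPLE_ZONE, *args):
        print("PROBLEM:", problem)
```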
Troubleshooting
If you receive the following error message:
CNAME record does not exist for this config. Please publish the following two CNAME records first.
Strictly speaking, this error means either the DNS records haven’t been configured properly or they haven’t had time to propagate, but when I force-refreshed the entire page, the error suddenly went away, so don’t trust repeatedly clicking the ‘enable’ link!
You can verify your DKIM keys are available here: https://www.mail-tester.com/spf-dkim-check
Hello,
I am actually a Customer Service Agent of Partner Network at the moment.
You are not aware of utterly horrible customer support, that is going on there.
Should you wish to cooperate in order for interesting materials see the word….
Please let me know.
Small proof for you:
Your Organization Partner ID: 2321234
[email protected] – contact email address
I am glad you re-enrolled, Bob: Network Member (Active thru Jun.15.2017)
Have a nice day!
Have you run into a case in which the domain contains a hyphen, for example: my-domain.com?
As a result, the MX record has additional info added to it.
How to handle this?
Hey Mario,
Never had a problem with hyphens causing a problem in domains in any way at all (SPF, DNS or DKIM) – are you sure that is what is causing your issue?
I went vpn free
Thanks for updating. Nothing more to add. However, you can also retrieve information about your domain name’s DNS using this tool as well https://dnschecker.org/domain-health-checker.php, as it also checks which blacklist services have your A record and MX record IPs in them. Altogether it includes the DNS health test, MX record test, Mail (MX) record blacklist test, domain IP blacklist test, DMARC test, SMTP test for Mail records, and SPF records test.