How to Set Up DKIM in Microsoft 365 (Office 365)

Step-by-step guide to configure DKIM signing in Microsoft 365. Learn how to enable DKIM for Office 365, add CNAME records, and verify your setup.

Last updated: 2026-01-28

Microsoft 365 (formerly Office 365) supports DKIM signing out of the box, but it's not enabled by default for custom domains. Until you enable it, outbound mail from a custom domain is signed with the tenant's initial onmicrosoft.com domain instead, which passes DKIM but doesn't align with your domain for DMARC. This guide walks you through enabling DKIM for your Microsoft 365 email, from creating the DNS records to verifying everything works.

Before You Start

You'll need:

  • Admin access to your Microsoft 365 tenant
  • Access to your domain's DNS settings (GoDaddy, Cloudflare, Namecheap, etc.)
  • A custom domain already added and verified in Microsoft 365

Microsoft 365 has you publish CNAME records for DKIM rather than TXT records. Each CNAME delegates the selector name to a TXT record that Microsoft hosts under your tenant's onmicrosoft.com domain, so Microsoft can rotate keys without you touching DNS.

How Microsoft 365 DKIM Works

Microsoft uses two selectors for DKIM: selector1 and selector2. Both CNAMEs point at Microsoft-hosted names, and Microsoft publishes the actual public keys behind them, signing with one selector at a time and switching to the other when it rotates keys.

This approach has advantages:

  • Microsoft can rotate keys automatically
  • You don't need to update DNS when keys change
  • Setup is simpler (just two CNAME records)

Step-by-Step Setup

Step 1: Access the Microsoft 365 Defender portal

Go to security.microsoft.com. Navigate to Email & collaboration > Policies & rules > Threat policies > Email authentication settings > DKIM.

Alternatively, go directly to: https://security.microsoft.com/dkimv2

Step 2: Select your domain

You'll see a list of domains in your tenant. Click on the custom domain you want to enable DKIM for.

Step 3: View the CNAME records

Microsoft will display two CNAME records you need to add. They look like this (the dots in your domain become dashes in the target, and yourtenant is your tenant's initial onmicrosoft.com name):

Record 1:

  • Host: selector1._domainkey
  • Points to: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

Record 2:

  • Host: selector2._domainkey
  • Points to: selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com

Step 4: Add the CNAME records to your DNS

Log into your DNS provider and add both CNAME records. The exact steps vary by provider, but you're creating two new CNAME records with the values Microsoft provided. Two things to watch: enter the host exactly as your provider expects it (some want the relative name selector1._domainkey, others the full selector1._domainkey.yourdomain.com), and don't add a TXT record at the same name, because a name that is a CNAME can't carry other records.

Step 5: Wait for DNS propagation

DNS changes can take anywhere from a few minutes to 48 hours to propagate. Usually it's much faster—15-30 minutes is typical.

Step 6: Enable DKIM signing

Return to the Microsoft 365 Defender portal. Select your domain again and toggle Sign messages for this domain with DKIM signatures to Enabled.

If DNS hasn't propagated yet, you'll get an error. Wait a bit and try again.

Verify Your Setup

After enabling DKIM, verify it's working correctly.

Test both selectors with a DNS lookup from a machine outside your network. Each name should return a CNAME to Microsoft, and a TXT query on the same name should follow it to a record starting with v=DKIM1 and containing a p= tag:

  • nslookup -type=CNAME selector1._domainkey.yourdomain.com
  • nslookup -type=CNAME selector2._domainkey.yourdomain.com

You can also send a test email to an external address (like a personal Gmail) and check the email headers (in Gmail, open the message's Show original view). Look for:

Authentication-Results: ...
  dkim=pass header.d=yourdomain.com header.s=selector1

Make sure the signing domain (header.d, shown by Gmail as header.i=@...) is your custom domain. If it reads yourtenant.onmicrosoft.com, the message was signed with Microsoft's fallback key: DKIM signing isn't enabled for the custom domain yet, and the signature won't align for DMARC.
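The two checks above, as an added example that is not part of the original article: the first function resolves a selector the way a receiving mail server does (CNAME, then the TXT record behind it) and parses the key record; the second reads a receiver's Authentication-Results header and flags the onmicrosoft.com fallback. The domain and tenant names are placeholders, the sample header is constructed, and Resolve-DnsName requires the DnsClient module (Windows PowerShell 5.1 or PowerShell 7 on Windows).

```powershell
# Added example, not from the original article. Assumptions: 'yourdomain.com' and
# 'yourtenant' are placeholders; Resolve-DnsName (DnsClient module, Windows) is available.

function Test-DkimSelector {
    param(
        [Parameter(Mandatory)] [string] $Domain,   # custom domain, e.g. yourdomain.com
        [Parameter(Mandatory)] [string] $Tenant,   # initial domain prefix, e.g. yourtenant
        [Parameter(Mandatory)] [ValidateSet(1, 2)] [int] $Number
    )
    $selector = "selector$Number"
    $name     = "$selector._domainkey.$Domain"
    # Microsoft derives the CNAME target from the domain with every dot turned into a dash.
    $expected = "$selector-$($Domain -replace '\.', '-')._domainkey.$Tenant.onmicrosoft.com"
    $r = [ordered]@{ Selector = $selector; CnameOk = $false; KeyOk = $false; KeyBits = $null; Detail = '' }

    $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname) {
        $r.Detail = "no CNAME at $name (not published yet, typo, or still propagating)"
        return [pscustomobject]$r
    }
    if ($cname.NameHost -ne $expected) {
        $r.Detail = "CNAME points to $($cname.NameHost), expected $expected"
        return [pscustomobject]$r
    }
    $r.CnameOk = $true

    # Asking for TXT at the selector name follows the CNAME to Microsoft's hosted key record.
    $txt = Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'TXT' } | Select-Object -First 1
    if (-not $txt) { $r.Detail = 'CNAME is correct but no TXT record behind it'; return [pscustomobject]$r }

    # Long TXT records arrive as several strings; join them, then split the tag=value pairs.
    $tags = @{}
    foreach ($pair in ((-join $txt.Strings) -split ';')) {
        if ($pair -match '^\s*([a-z]+)\s*=\s*(.*?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    if ($tags['v'] -and $tags['v'] -ne 'DKIM1') { $r.Detail = "unexpected version tag $($tags['v'])"; return [pscustomobject]$r }
    if (-not $tags['p']) { $r.Detail = 'empty p= tag: key revoked or record garbled'; return [pscustomobject]$r }

    # p= is a base64 DER SubjectPublicKeyInfo; its decoded length identifies the RSA size
    # (294 bytes for 2048-bit, 162 for 1024-bit). Enough to spot a legacy 1024-bit key.
    $der = [Convert]::FromBase64String(($tags['p'] -replace '\s', ''))
    $r.KeyBits = switch ($der.Length) { 162 { 1024 } 294 { 2048 } default { $null } }
    $r.KeyOk   = $true
    $r.Detail  = 'ok'
    return [pscustomobject]$r
}

# Reads a receiver's Authentication-Results header and checks that the signature that
# passed is for your domain, not for the tenant's onmicrosoft.com fallback.
function Test-DkimAuthResult {
    param([Parameter(Mandatory)] [string] $Header, [Parameter(Mandatory)] [string] $Domain)
    $clause = [regex]::Match($Header, 'dkim=[^;]+').Value
    if (-not $clause) { return 'no dkim clause in Authentication-Results' }
    $status = ($clause -split '\s')[0] -replace '^dkim=', ''
    $d = [regex]::Match($clause, 'header\.[di]=@?([\w.-]+)').Groups[1].Value   # Outlook reports d=, Gmail reports i=@
    $s = [regex]::Match($clause, 'header\.s=([\w.-]+)').Groups[1].Value
    if ($status -ne 'pass')                 { return "dkim=$status for d=$d (s=$s)" }
    if ($d -ne $Domain)                     { return "dkim passed but for d=$d, not $Domain (DKIM not enabled for the custom domain?)" }
    if ($s -notin 'selector1', 'selector2') { return "unexpected selector $s" }
    return "dkim=pass for $d via $s"
}

# Usage with the placeholders:
1, 2 | ForEach-Object { Test-DkimSelector -Domain 'yourdomain.com' -Tenant 'yourtenant' -Number $_ } | Format-Table -AutoSize

# Constructed sample header (not a real capture) showing the fallback case to watch for:
$sample = 'dkim=pass header.i=@yourtenant.onmicrosoft.com header.s=selector1-yourdomain-com header.b=abc123'
Test-DkimAuthResult -Header $sample -Domain 'yourdomain.com'
```

Run the selector check from outside your network so you see what public resolvers see, not a cached internal answer. A KeyBits of 1024 on either selector is worth a manual rotation to 2048 (see Key Rotation below).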

Common Issues and Solutions

"CNAME record doesn't exist"

Cause: DNS hasn't propagated yet, or there's a typo in your DNS records.

Solution:

  • Double-check the CNAME record values match exactly what Microsoft provided
  • Wait longer for propagation (up to 48 hours in rare cases)
  • Use a DNS checker to verify your records are visible globally

"Client Error" when enabling DKIM

Cause: Usually a DNS propagation issue or incorrect record values.

Solution:

  • Verify both CNAME records exist and are correct
  • Clear your browser cache and try again
  • Wait 30 minutes and retry

DKIM shows enabled but emails fail verification

Cause: The message was modified after Microsoft signed it, typically by a mailing list, a security gateway or a footer-adding service that sits between Microsoft 365 and the recipient. DKIM covers the body and selected headers, so any change breaks the signature (receivers often report this as dkim=fail with "body hash did not verify").

Solution:

  • Check whether mail is routed through third-party services after it leaves Microsoft 365
  • Read the headers of a failing message to see where the signature breaks, and compare with a message sent directly
  • If a gateway is the last hop, have it sign the messages itself or pass them through unmodified

Check both selectors

Microsoft signs with one selector at a time and switches to the other when it rotates keys. Always verify both CNAMEs resolve, not just the one currently in use; if the inactive one is missing, signing breaks at the next rotation.

DKIM for Multiple Domains

If you have multiple custom domains in Microsoft 365, you need to set up DKIM for each one separately. Repeat the process for each domain:

  1. Add the domain-specific CNAME records to that domain's DNS
  2. Enable DKIM signing for that domain in the Defender portal

Each domain gets its own set of selector1/selector2 CNAME records pointing to domain-specific Microsoft addresses.

PowerShell Alternative

If you prefer the command line or need to automate setup, use the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement once, then connect):

# Connect to Exchange Online (opens a sign-in prompt)
Connect-ExchangeOnline

# View the DKIM configuration for a domain, including the two CNAME values to publish
Get-DkimSigningConfig -Identity yourdomain.com | Format-List Enabled, Selector1CNAME, Selector2CNAME

# Create the signing config if the domain has none yet (this generates the keys);
# leave it disabled until the CNAME records are in DNS
New-DkimSigningConfig -DomainName yourdomain.com -Enabled $false

# Enable signing once both CNAME records resolve
Set-DkimSigningConfig -Identity yourdomain.com -Enabled $true
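The whole procedure (create the config, publish the CNAMEs, enable once they resolve), run across every custom domain in the tenant as the DKIM for Multiple Domains section describes. This is an added example, not code from the original article or from Microsoft: it assumes Connect-ExchangeOnline has already been run and that Resolve-DnsName is available (Windows); the explicit 2048-bit key size and the console messages are choices made here.

```powershell
# Added example, not from the original article: roll DKIM out across every custom domain
# in the tenant. Assumes an existing Connect-ExchangeOnline session and Resolve-DnsName
# (DnsClient module, Windows). Domain names come from the tenant itself.

$customDomains = Get-AcceptedDomain |
    Where-Object { $_.DomainName -notlike '*.onmicrosoft.com' }   # the initial domain is signed by Microsoft already

foreach ($d in $customDomains) {
    $domain = $d.DomainName
    $cfg = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
    if (-not $cfg) {
        # No config yet: creating one (disabled) generates the key pair and the CNAME targets.
        # The 2048-bit key size is an explicit choice here.
        $cfg = New-DkimSigningConfig -DomainName $domain -Enabled $false -KeySize 2048
    }

    # Compare what DNS actually returns with what Microsoft expects for each selector.
    $missing = foreach ($n in 1, 2) {
        $record   = "selector$n._domainkey.$domain"
        $expected = $cfg."Selector${n}CNAME"
        $actual   = (Resolve-DnsName -Name $record -Type CNAME -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
        if ($actual -ne $expected) { "$record  CNAME  $expected" }
    }

    if ($missing) {
        Write-Host "[$domain] publish these records, then rerun:"
        $missing | ForEach-Object { Write-Host "  $_" }
        continue
    }

    if ($cfg.Enabled) {
        Write-Host "[$domain] DKIM signing already enabled"
    } else {
        # Both CNAMEs resolve, so enabling succeeds instead of failing with "CNAME record doesn't exist".
        Set-DkimSigningConfig -Identity $domain -Enabled $true
        Write-Host "[$domain] DKIM signing enabled"
    }
}
```

The script is safe to rerun: domains whose records are still missing are only reported, and domains already enabled are left alone, so you can run it once to collect the CNAME values, publish them, and run it again after propagation.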

Key Rotation

Microsoft handles DKIM key rotation automatically; that's the benefit of using CNAME records. Because both selectors already delegate to Microsoft-hosted records, a rotation changes nothing on your side.

However, if you need to trigger a rotation yourself (for example to replace a legacy 1024-bit key with a 2048-bit one), you can use PowerShell. Microsoft generates the new key behind the currently inactive selector and switches signing to it, so both CNAME records must stay in DNS:

Rotate-DkimSigningConfig -Identity yourdomain.com -KeySize 2048

Complete Your Email Authentication

DKIM is one part of email authentication. For complete protection, also configure:

SPF: Verify your SPF record includes Microsoft 365's servers. For a domain that sends only through Microsoft 365 the record is v=spf1 include:spf.protection.outlook.com -all; add any other senders before -all. Check at spfrecordcheck.com.

DMARC: Set up a DMARC policy to tell receivers what to do when authentication fails. Check at dmarcrecordchecker.com.

Monitor Your DKIM Records

Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
