How to use DKIM for email validation in your custom domain in Office 365

Use DKIM to validate outbound email sent from your custom domain in Office 365

Written by Vladislav Podolyako
Updated over a week ago

DKIM, together with SPF and DMARC, helps prevent attackers from sending messages that look like they come from your domain when they are in fact spoofing it.

DKIM adds a digital signature to outbound email in the message header. When configured, your domain signs each outgoing message with a private key that only your mail service holds. Receiving mail systems fetch the matching public key from your domain's DNS and use it to verify that the message really came from your domain and that the signed headers and body were not altered in transit.

If Microsoft 365's built-in DKIM configuration is not sufficient for your needs, you can manually configure DKIM for your custom domain.

When DKIM works better than SPF alone to prevent spoofing

SPF is evaluated against the message envelope (the MAIL FROM domain) and the IP address of the server that delivers the message, whereas DKIM places a cryptographic signature inside the message header. When a message is forwarded, the forwarding server delivers it from its own IP address, which is not listed in your SPF record, so the SPF check fails, much as the envelope of a real-life letter is discarded when it is re-posted. The DKIM signature, however, travels with the message because it is part of the header, so DKIM continues to pass even when a message has been forwarded several times, provided the forwarder does not modify the signed headers or body.

Diagram showing a forwarded message passing DKIM authentication where the SPF check fails

As you can see, if you had published only an SPF TXT record for your domain, the recipient's mail server could have marked your forwarded email as spam, a false positive. Adding DKIM in this scenario reduces such false positives. Because DKIM authenticates with public key cryptography rather than with the sending IP address alone, it is considered a much stronger form of authentication than SPF. We recommend using SPF and DKIM together, plus DMARC, in your deployment.

DKIM uses a private key to add a digital signature to the message headers (the DKIM-Signature header). The signing domain, or outbound domain, is inserted as the value of the d= tag, and the key selector as the value of the s= tag. The verifying domain, or recipient's domain, uses these two tags to look up the public key in DNS at <selector>._domainkey.<signing domain> and checks the signature against the message. If the signature verifies, the DKIM check passes.
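The following PowerShell is an added example, not code from the original article or from Microsoft. It performs the lookup described above: it reads the d= and s= tags from a DKIM-Signature header, fetches the public key record at <selector>._domainkey.<domain>, and reports the size of the published RSA key, which is also a quick way to confirm the 2048-bit upgrade described later in this article actually reached DNS. It assumes PowerShell 7 on Windows (Resolve-DnsName from the DnsClient module and RSA.ImportSubjectPublicKeyInfo from .NET) with access to DNS; the sample header is constructed and its b= and bh= values are placeholders.

```powershell
# Added example, not code from the original article or from Microsoft: performs
# the lookup a receiving server does with the d= and s= tags of a DKIM-Signature
# header, and reports the size of the published RSA key.
# Assumptions: PowerShell 7 on Windows (Resolve-DnsName from the DnsClient
# module; RSA.ImportSubjectPublicKeyInfo from .NET) with DNS access.

function Get-DkimTags {
    # Splits a "tag=value; tag=value" list (used by both the DKIM-Signature
    # header and the DNS key record) into a hashtable.
    param([Parameter(Mandatory)][string]$TagList)
    $tags = @{}
    foreach ($part in $TagList -split ';') {
        $part = $part.Trim()
        # Split on the first '=' only: b= and p= are base64 and may end in '='.
        $i = $part.IndexOf('=')
        if ($i -lt 1) { continue }
        $tags[$part.Substring(0, $i).Trim()] = $part.Substring($i + 1).Trim()
    }
    return $tags
}

function Get-DkimSignatureTags {
    param([Parameter(Mandatory)][string]$Header)
    # Drop the header name and unfold continuation lines before parsing.
    $value = ($Header -replace '^DKIM-Signature:\s*', '') -replace '\r?\n\s+', ' '
    Get-DkimTags -TagList $value
}

function Get-DkimPublicKeyRecord {
    param([Parameter(Mandatory)][string]$Domain,
          [Parameter(Mandatory)][string]$Selector)
    # RFC 6376 puts the key at <selector>._domainkey.<domain>. For Office 365 that
    # name is a CNAME into the initial domain; Resolve-DnsName follows the chain.
    $name = "$Selector._domainkey.$Domain"
    $txt = @(Resolve-DnsName -Name $name -Type TXT -ErrorAction Stop |
        Where-Object { $_.Type -eq 'TXT' })
    if ($txt.Count -eq 0) { throw "No TXT record found at $name" }
    # A 2048-bit key is longer than one DNS string; the record may be split.
    $record = -join $txt[0].Strings
    $tags = Get-DkimTags -TagList $record
    if (-not $tags['p']) { throw "Record at $name has an empty p= tag (key revoked or malformed)" }
    # p= is a base64 SubjectPublicKeyInfo; import it to read the modulus size.
    $der = [Convert]::FromBase64String(($tags['p'] -replace '\s', ''))
    $rsa = [System.Security.Cryptography.RSA]::Create()
    $bytesRead = 0
    $rsa.ImportSubjectPublicKeyInfo($der, [ref]$bytesRead)
    [pscustomobject]@{
        Name    = $name
        Version = $tags['v']
        KeyType = $tags['k']
        KeyBits = $rsa.KeySize
        Record  = $record
    }
}

# Constructed sample (the b= and bh= values are placeholders, not a real signature).
$sample = @'
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.com;
 s=selector1; h=From:To:Subject:Date:Message-ID;
 bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
 b=bm90IGEgcmVhbCBzaWduYXR1cmU=
'@

$tags = Get-DkimSignatureTags -Header $sample
"Key would be fetched from: $($tags['s'])._domainkey.$($tags['d'])"
# Run the real lookup against a domain you control, e.g. after enabling DKIM:
# Get-DkimPublicKeyRecord -Domain 'yourdomain.com' -Selector 'selector1' | Format-List
```

The key record is read the way a verifier reads it, through whatever CNAME chain is in front of it, so a KeyBits value of 1024 after a rotation means the old key is still the one being served, whatever the Exchange Online configuration says.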

Create, enable and disable DKIM from Microsoft 365 Defender portal

You can find your accepted domains on the DKIM page of the Microsoft 365 Defender portal. If you do not see your domain, add it from the Domains page first. Once your domain is listed, follow these steps to configure DKIM.

  1. On the DKIM page, click the domain for which you want to configure DKIM.

    DKIM page in the Microsoft 365 Defender portal with a domain selected
  2. Click on Create DKIM keys.

    Domain details flyout with the Create DKIM keys button
  3. Copy the two CNAME records shown in the pop-up window.

    Publish CNAMEs pop up window that contains the two CNAME records to copy
  4. Publish the copied CNAME records to your DNS service provider.
    On your DNS provider's website (GoDaddy, etc.), add the two CNAME records for the domain you want to enable DKIM on. Make sure the fields are set to the following values for each record:

    Record Type: CNAME (Alias)
    Host: Paste the host name you copied from the DKIM page.
    Points to address: Paste the target value you copied from the DKIM page.
    TTL: 3600 (or your provider's default)

  5. Return to DKIM page to enable DKIM.

    Slide the toggle to Enabled to enable DKIM

If you see a "CNAME record doesn't exist" error, it is usually due to one of the following:

  1. DNS propagation, which can take anywhere from a few seconds to several hours. If the problem persists after that, repeat the steps above.

  2. A copy-paste error in the record, such as an extra space, a tab, or a missing character. Double-check both the host name and the target value.

To disable DKIM, simply toggle back to disable mode.

Manually upgrade your 1024-bit DKIM signing keys to 2048-bit keys

Note

Microsoft 365 automatically sets up DKIM for onmicrosoft.com domains. No steps are needed to use DKIM for any initial domain names (like litware.onmicrosoft.com).


To upgrade DKIM keys from 1024-bit to 2048-bit in Exchange Online PowerShell:

  • For a new implementation of DKIM run this command in PowerShell:

    New-DkimSigningConfig -DomainName <Domain for which config is to be created> -KeySize 2048 -Enabled $true

  • If you already have DKIM configured, rotate to the larger key size by running the following command in PowerShell:

    Rotate-DkimSigningConfig -KeySize 2048 -Identity <Domain or GUID of the existing signing config>

Stay connected to Exchange Online PowerShell to verify the configuration by running the following command:

Get-DkimSigningConfig -Identity <Domain for which the configuration was set> | Format-List

The 2048-bit key takes effect on the RotateOnDate shown in that output; until then, messages continue to be signed with the existing 1024-bit key.

Manually set up DKIM

To configure DKIM, you need to complete these steps:

Publish two CNAME records for your custom domain in DNS

For each custom domain whose outbound mail you want DKIM-signed, you need to publish two CNAME records in that domain's DNS zone.

To create the selector records run the following commands in Exchange Online PowerShell:

New-DkimSigningConfig -DomainName <domain> -Enabled $false
Get-DkimSigningConfig -Identity <domain> | Format-List Selector1CNAME, Selector2CNAME

Note that if you have provisioned custom domains in addition to the initial domain in Microsoft 365, you must publish two CNAME records for each custom domain. So, if you have two custom domains, you must publish four CNAME records in total, and so on.

Important

Microsoft 365 derives domainGUID directly from the custom domain name, with every period replaced by a dash (for example, contoso.com becomes contoso-com).


Format for the CNAME records

Host name: selector1._domainkey
Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>
TTL: 3600

Host name: selector2._domainkey
Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain>
TTL: 3600

Where:

  • the selectors are always "selector1" and "selector2". The host names are relative to your custom domain, so the fully qualified names are selector1._domainkey.<customDomain> and selector2._domainkey.<customDomain>; some DNS providers expect only the relative part in the Host field, others the fully qualified name.

  • domainGUID is the same as the domainGUID in the customized MX record for your custom domain that appears before mail.protection.outlook.com. Any periods are replaced with a dash:

    contoso.com. 3600 IN MX 5 contoso-com.mail.protection.outlook.com

  • initialDomain is the domain that you used when you signed up for Microsoft 365. Initial domains always end in onmicrosoft.com.

For example, if you have an initial domain of grapeyard.onmicrosoft.com and two custom domains, grape.com and yard.com, you would set up two CNAME records for each custom domain, four in total:

Host name: selector1._domainkey (in the grape.com zone)
Points to address or value: selector1-grape-com._domainkey.grapeyard.onmicrosoft.com
TTL: 3600

Host name: selector2._domainkey (in the grape.com zone)
Points to address or value: selector2-grape-com._domainkey.grapeyard.onmicrosoft.com
TTL: 3600

Host name: selector1._domainkey (in the yard.com zone)
Points to address or value: selector1-yard-com._domainkey.grapeyard.onmicrosoft.com
TTL: 3600

Host name: selector2._domainkey (in the yard.com zone)
Points to address or value: selector2-yard-com._domainkey.grapeyard.onmicrosoft.com
TTL: 3600

Enable DKIM signing for your custom domain

Once you have published the CNAME records in DNS, you are ready to enable DKIM signing in Microsoft 365. You can do this either in the Microsoft 365 Defender portal or by using Exchange Online PowerShell.

To enable DKIM signing for your custom domain in the Microsoft 365 Defender portal

  1. Open the Microsoft 365 Defender portal using your work account.

  2. Go to Email & Collaboration > Policies & Rules > Threat policies > DKIM in the Rules section. Or, to go directly to the DKIM page, use https://security.microsoft.com/dkimv2.

  3. On the DKIM page, select the domain by clicking on the name.

  4. In the details flyout that appears, change the Sign messages for this domain with DKIM signatures setting to Enabled.

    When you're finished, click Rotate DKIM keys.

  5. Repeat these steps for each custom domain.

  6. If you are configuring DKIM for the first time and see the error "No DKIM keys saved for this domain", you will have to enable DKIM signing with Exchange Online PowerShell as explained in the next section.

To enable DKIM signing for your custom domain by using PowerShell

  1. Connect to Exchange Online PowerShell.

  2. Run the command:

    Set-DkimSigningConfig -Identity <Domain> -Enabled $true


    Where <Domain> is the name of the custom domain that you want to enable DKIM signing for.
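The following PowerShell is an added example, not a script from the original article or from Microsoft. It runs the manual setup above end to end for each custom domain: create the signing configuration disabled, read the CNAME targets Exchange Online expects, cross-check them against the domainGUID formula from the "Format for the CNAME records" section, confirm that public DNS actually serves both CNAMEs with exactly those targets, and only then enable signing. It assumes an open Exchange Online PowerShell session (Connect-ExchangeOnline) with rights to manage DKIM, Windows for Resolve-DnsName, and that you replace $InitialDomain and $CustomDomains with your own values (the values shown are the article's grapeyard example).

```powershell
# Added example, not a script from the original article or from Microsoft: the
# manual DKIM setup above, run end to end for each custom domain.
# Assumptions: an open Exchange Online PowerShell session (Connect-ExchangeOnline)
# with rights to manage DKIM, Windows (Resolve-DnsName), and that $InitialDomain
# and $CustomDomains are replaced with your own (the values below are the
# article's grapeyard example).

$InitialDomain = 'grapeyard.onmicrosoft.com'
$CustomDomains = @('grape.com', 'yard.com')

function Get-ExpectedDkimCname {
    # The two records from the "Format for the CNAME records" section: target is
    # selector<N>-<domainGUID>._domainkey.<initialDomain>, where domainGUID is
    # the custom domain with every period replaced by a dash.
    param([Parameter(Mandatory)][string]$Domain,
          [Parameter(Mandatory)][string]$InitialDomain)
    $domainGuid = $Domain -replace '\.', '-'
    foreach ($n in 1, 2) {
        [pscustomobject]@{
            Selector = "selector$n"
            Name     = "selector$n._domainkey.$Domain"   # FQDN; many providers want only selector$n._domainkey
            Target   = "selector$n-$domainGuid._domainkey.$InitialDomain"
        }
    }
}

function Test-DkimCnamePublished {
    # $true only if public DNS serves the CNAME with exactly the expected target.
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Target)
    $rec = Resolve-DnsName -Name $Name -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if (-not $rec) { Write-Warning "${Name}: no CNAME published yet (or not propagated)"; return $false }
    # Ignore case and a trailing dot; a stray space from copy-paste will still fail here.
    $ok = $rec.NameHost.TrimEnd('.') -ieq $Target.TrimEnd('.')
    if (-not $ok) { Write-Warning "$Name points to $($rec.NameHost), expected $Target" }
    return $ok
}

foreach ($domain in $CustomDomains) {
    # Step 1: create the signing config (still disabled) so the selectors exist,
    # then read the CNAME targets Exchange Online itself expects.
    $cfg = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
    if (-not $cfg) {
        $cfg = New-DkimSigningConfig -DomainName $domain -KeySize 2048 -Enabled $false
    }
    $fromService = @($cfg.Selector1CNAME, $cfg.Selector2CNAME)

    # Step 2: the records to publish at the DNS provider. The formula and the
    # service must agree; a difference means the wrong initial domain was assumed.
    $expected = @(Get-ExpectedDkimCname -Domain $domain -InitialDomain $InitialDomain)
    for ($i = 0; $i -lt 2; $i++) {
        if ($expected[$i].Target -ine $fromService[$i]) {
            Write-Warning "$domain $($expected[$i].Selector): formula gives $($expected[$i].Target), service reports $($fromService[$i])"
        }
    }
    $expected | Format-Table Name, Target -AutoSize

    # Step 3: enable signing only once both CNAMEs resolve; enabling earlier
    # produces the "CNAME record doesn't exist" error and signing stays off.
    $allPublished = $true
    foreach ($r in $expected) {
        if (-not (Test-DkimCnamePublished -Name $r.Name -Target $r.Target)) { $allPublished = $false }
    }
    if ($allPublished -and -not $cfg.Enabled) {
        Set-DkimSigningConfig -Identity $domain -Enabled $true
        Get-DkimSigningConfig -Identity $domain | Format-List Domain, Enabled, Selector1CNAME, Selector2CNAME
    }
}
```

Run it once to get the records to publish (Set-DkimSigningConfig is skipped while the CNAMEs are missing), and again after DNS has propagated to enable signing. The values reported by Get-DkimSigningConfig are authoritative; the formula is kept as a cross-check because a mismatch between the two almost always means the wrong initial domain was assumed.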

To confirm that DKIM signing is configured properly for Microsoft 365

Wait at least 5 to 10 minutes before you follow these steps to confirm that you have properly configured DKIM.

  • Send a message from an account within your Microsoft 365 DKIM-enabled domain to another email account such as outlook.com or Hotmail.com.

  • Do not use an aol.com account for testing purposes. AOL may skip the DKIM check if the SPF check passes. This will nullify your test.

  • Open the message and look at the header. Instructions for viewing the header for the message will vary depending on your messaging client.

    The DKIM-Signature header of a signed message contains the selector (s=) and domain (d=) that correspond to the CNAME records you published.

  • Look for the Authentication-Results header. Each receiving service stamps incoming mail in a slightly different format, but the result should include something like dkim=pass, together with the domain that was verified (for example header.d=contoso.com). A dkim=pass for some other domain does not prove that your domain's signing works.
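The following PowerShell is an added example, not code from the original article or from Microsoft. It parses an Authentication-Results header and checks that the dkim=pass result is for your own domain and selector rather than for some intermediary, coping with both the RFC 8601 shape (verifier name first, as Gmail stamps it) and the Outlook.com shape (no verifier name, no header.s). Both sample headers are constructed for illustration; paste the header from your own test message instead.

```powershell
# Added example, not code from the original article or from Microsoft: parse an
# Authentication-Results header and check that the dkim=pass is for your own
# domain and selector. The two headers below are constructed for illustration;
# paste the header from your own test message instead.

function Get-AuthenticationResults {
    param([Parameter(Mandatory)][string]$Header)
    # Unfold continuation lines, drop the header name, split "method=result" clauses.
    $value = ($Header -replace '^Authentication-Results:\s*', '') -replace '\r?\n\s+', ' '
    $clauses = @($value -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # RFC 8601 puts the verifier's authserv-id first; Outlook.com omits it and
    # starts directly with spf=..., so only treat a non "x=y" clause as the id.
    $authServId = $null
    $skip = 0
    if ($clauses.Count -gt 0 -and $clauses[0] -notmatch '^[a-z]+=') { $authServId = $clauses[0]; $skip = 1 }
    $results = foreach ($clause in ($clauses | Select-Object -Skip $skip)) {
        if ($clause -match '^(?<method>[a-z]+)=(?<result>[a-z]+)(?<props>.*)$') {
            $method = $Matches['method']; $result = $Matches['result']; $rest = $Matches['props']
            $props = @{}
            # Property names are ptype.name, e.g. header.d, header.s, smtp.mailfrom.
            foreach ($m in [regex]::Matches($rest, '(\w+\.\w+)=(\S+)')) {
                $props[$m.Groups[1].Value] = $m.Groups[2].Value
            }
            [pscustomobject]@{ Method = $method; Result = $result; Properties = $props }
        }
    }
    [pscustomobject]@{ AuthServId = $authServId; Results = @($results) }
}

function Test-DkimPassForDomain {
    # $true only if some dkim=pass result names the expected signing domain
    # (header.d, or the domain part of header.i) and, if given, the selector.
    param([Parameter(Mandatory)][string]$Header,
          [Parameter(Mandatory)][string]$Domain,
          [string]$Selector)
    $parsed = Get-AuthenticationResults -Header $Header
    foreach ($r in $parsed.Results) {
        if ($r.Method -ne 'dkim' -or $r.Result -ne 'pass') { continue }
        $d = $r.Properties['header.d']
        if (-not $d -and $r.Properties['header.i']) { $d = ($r.Properties['header.i'] -split '@')[-1] }
        if ($d -ine $Domain) { continue }
        if ($Selector -and $r.Properties['header.s'] -ine $Selector) { continue }
        return $true
    }
    return $false
}

# Constructed sample in the shape Outlook.com stamps (no authserv-id, no header.s).
$outlookStyle = @'
Authentication-Results: spf=pass (sender IP is 40.107.0.1)
 smtp.mailfrom=contoso.com; dkim=pass (signature was verified)
 header.d=contoso.com;dmarc=pass action=none header.from=contoso.com;
'@

# Constructed sample in the RFC 8601 shape with an authserv-id and selector.
$rfcStyle = @'
Authentication-Results: mx.example.net;
 dkim=pass header.i=@contoso.com header.s=selector1 header.b=bm90cmVhbA;
 spf=pass smtp.mailfrom=contoso.com;
 dmarc=pass (p=reject dis=none) header.from=contoso.com
'@

Test-DkimPassForDomain -Header $outlookStyle -Domain 'contoso.com'
Test-DkimPassForDomain -Header $rfcStyle -Domain 'contoso.com' -Selector 'selector1'
Test-DkimPassForDomain -Header $rfcStyle -Domain 'contoso.com' -Selector 'selector2'
```

The third call returns $false on purpose: the signature in that header was made with selector1, so asking for selector2 fails even though the domain passed. After rotating keys, checking the selector this way tells you which of the two Office 365 selectors is currently signing.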
