DKIM for Microsoft Exchange: On-Premises and Online Setup
Complete guide to setting up DKIM for Microsoft Exchange Server (on-premises) and Exchange Online. Learn how to enable DKIM signing with step-by-step instructions for both environments.
Last updated: 2026-02-06
Microsoft Exchange comes in two flavors: Exchange Server (on-premises) and Exchange Online (part of Microsoft 365). Setting up DKIM differs significantly between the two. This guide covers both.
Exchange Online includes built-in DKIM signing managed through the Microsoft 365 Defender portal. Exchange Server on-premises does not natively support DKIM and requires a third-party transport agent.
Exchange Online vs Exchange Server
| Aspect | Exchange Online | Exchange Server (On-Premises) |
|---|---|---|
| Native DKIM support | Yes — built-in | No — requires third-party agent |
| Key management | Automatic (Microsoft manages) | Manual (you generate and rotate keys) |
| DNS record type | CNAME records | TXT records |
| Setup difficulty | Low | Moderate to high |
| Key rotation | Automatic | Manual |
Part 1: Exchange Online (Microsoft 365)
Exchange Online handles DKIM through the Microsoft 365 Defender portal. Microsoft generates the keys and manages rotation automatically.
Prerequisites
- Your domain must be verified in Microsoft 365
- You need DNS management access for your domain
- Administrator access to the Microsoft 365 Defender portal
Enable DKIM for Exchange Online
Open Microsoft 365 Defender
Go to security.microsoft.com and sign in with an administrator account.
Navigate to DKIM settings
Go to Policies & rules, then Threat policies, then Email authentication settings, and select DKIM.
Select your domain
Click on the domain you want to configure. Microsoft displays the two CNAME records you need to create.
Create CNAME records in DNS
Add two CNAME records at your DNS provider using the values Microsoft provides.
Wait for DNS propagation
Allow up to 48 hours for the CNAME records to propagate across DNS.
Enable DKIM signing
Return to the DKIM settings page and toggle "Sign messages for this domain with DKIM signatures" to On.
DNS Records for Exchange Online
Microsoft requires two CNAME records pointing to their DKIM infrastructure:
Record 1:
| Field | Value |
|---|---|
| Host/Name | `selector1._domainkey` |
| Type | CNAME |
| Value | `selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com` |
Record 2:
| Field | Value |
|---|---|
| Host/Name | `selector2._domainkey` |
| Type | CNAME |
| Value | `selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com` |
The exact CNAME values depend on your domain and tenant name. Always copy the values directly from the Microsoft 365 Defender portal.
Verify Exchange Online DKIM
Send a test email to an external address and inspect the email headers. Look for:
```
Authentication-Results: dkim=pass header.d=yourdomain.com
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=selector1; ...
```
You can also verify using PowerShell:
```powershell
Connect-ExchangeOnline
Get-DkimSigningConfig -Identity yourdomain.com | Format-List
```
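The enable steps above can be scripted so that signing is only switched on once both CNAME records actually resolve to the targets Microsoft expects. The script below is an added example, not code from the original guide or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the account holds an Exchange administrator role, and that it runs on Windows (Resolve-DnsName comes from the DnsClient module). `yourdomain.com` is a placeholder. It goes one step beyond the portal walkthrough by creating the signing configuration (disabled) if Microsoft has not generated keys for the domain yet, which is what populates the expected CNAME targets.

```powershell
# Added example: not part of the original guide or Microsoft's documentation.
# Assumes the ExchangeOnlineManagement module, an Exchange admin role, and Windows
# (Resolve-DnsName is from the DnsClient module). 'yourdomain.com' is a placeholder.

function Test-ExoDkimCname {
    param([Parameter(Mandatory)] [string] $Domain)

    # The signing config object carries the CNAME targets Microsoft expects.
    $cfg = Get-DkimSigningConfig -Identity $Domain -ErrorAction Stop
    $expected = [ordered]@{
        "selector1._domainkey.$Domain" = $cfg.Selector1CNAME
        "selector2._domainkey.$Domain" = $cfg.Selector2CNAME
    }

    foreach ($name in $expected.Keys) {
        try {
            # -DnsOnly bypasses the local resolver cache so a freshly published record is seen.
            $answer = Resolve-DnsName -Name $name -Type CNAME -DnsOnly -ErrorAction Stop |
                Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
            $actual = if ($answer) { $answer.NameHost.TrimEnd('.') } else { $null }
        }
        catch {
            $actual = $null    # NXDOMAIN, or no CNAME at this name
        }
        [pscustomobject]@{
            Host     = $name
            Expected = $expected[$name]
            Actual   = $actual
            Match    = ($actual -eq $expected[$name])   # string -eq is case-insensitive
        }
    }
}

function Enable-ExoDkim {
    param([Parameter(Mandatory)] [string] $Domain)

    Connect-ExchangeOnline -ShowBanner:$false

    # If Microsoft has not generated keys for the domain yet, create the config disabled;
    # that populates Selector1CNAME/Selector2CNAME without signing anything.
    if (-not (Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue)) {
        New-DkimSigningConfig -DomainName $Domain -Enabled $false | Out-Null
    }

    $checks = Test-ExoDkimCname -Domain $Domain
    $checks | Format-Table -AutoSize

    if ($checks.Match -contains $false) {
        Write-Warning "CNAME records for $Domain are missing or wrong; leaving DKIM disabled."
        return
    }

    Set-DkimSigningConfig -Identity $Domain -Enabled $true
    Get-DkimSigningConfig -Identity $Domain | Format-List Domain, Enabled, Selector1CNAME, Selector2CNAME
}

Enable-ExoDkim -Domain 'yourdomain.com'
```

Because the check queries DNS directly rather than relying on the portal's own validation, it also catches the common failure of a CNAME created with the wrong host name (for example with the domain appended twice by the DNS provider's UI), which shows up as an `Actual` of `$null`.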
Part 2: Exchange Server (On-Premises)
Exchange Server does not include native DKIM signing. You need a third-party transport agent to add DKIM signatures to outgoing emails.
Why Exchange Server Lacks Native DKIM
Microsoft built DKIM support into Exchange Online but never added it to Exchange Server on-premises. To sign outgoing mail with DKIM on Exchange Server, you need to install a transport agent that hooks into the mail pipeline and adds the DKIM-Signature header.
Option 1: DKIM Signer Transport Agent
The most commonly used solution is the open-source Exchange DKIM Signer transport agent. It integrates directly with Exchange Server's transport pipeline.
Generate DKIM keys
Generate an RSA key pair. Use 2048-bit keys for stronger security. You can use DKIM Creator to generate the key pair.
Download and install the transport agent
Download the DKIM Signer transport agent and run the installer on your Exchange Server. The agent registers as a transport agent in the Exchange pipeline.
Configure the agent
Open the DKIM Signer configuration tool. Add your domain, select the private key file, and set your DKIM selector name (e.g., selector1).
Publish the DNS record
Add a TXT record for your selector at selector1._domainkey.yourdomain.com containing your DKIM public key.
Test and verify
Send a test email and check that the DKIM-Signature header is present. Verify the signature passes at the receiving end.
DNS Record for On-Premises Exchange
For on-premises Exchange, you publish a standard DKIM TXT record:
| Field | Value |
|---|---|
| Host/Name | `selector1._domainkey` |
| Type | TXT |
| Value | `v=DKIM1; k=rsa; p=MIIBIjANBgkq...` (your public key) |
| TTL | 3600 |
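The key-generation and DNS-record steps above can be carried out in one script. The following is an added example, not code from the original guide or from the DKIM Signer project; it uses the .NET RSA class to create a 2048-bit key pair, writes the private key as a PKCS#1 PEM file for the transport agent, and builds the TXT record value, including the 255-byte string split that most DNS providers require for a key of this size. It assumes PowerShell 7 (ExportRSAPrivateKey and ExportSubjectPublicKeyInfo are .NET Core 3.0+ APIs and are not available in Windows PowerShell 5.1); the selector name and output path are placeholders you choose.

```powershell
# Added example: not part of the original guide or the DKIM Signer project.
# Generates a 2048-bit RSA key pair for on-premises DKIM signing, writes the private
# key as PKCS#1 PEM for the transport agent, and returns the TXT record to publish.
# Requires PowerShell 7 (.NET Core 3.0+ export APIs). Selector and path are placeholders.

function New-DkimKeyPair {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $Selector = 'selector1',
        [int] $KeySize = 2048,
        [string] $PrivateKeyPath = ".\$Selector.$Domain.private.pem"
    )

    $rsa = [System.Security.Cryptography.RSA]::Create($KeySize)
    try {
        # PKCS#1 "RSA PRIVATE KEY" PEM, the format DKIM signing agents commonly expect.
        $privB64 = [Convert]::ToBase64String($rsa.ExportRSAPrivateKey())
        $pemLines = @('-----BEGIN RSA PRIVATE KEY-----')
        for ($i = 0; $i -lt $privB64.Length; $i += 64) {
            $pemLines += $privB64.Substring($i, [Math]::Min(64, $privB64.Length - $i))
        }
        $pemLines += '-----END RSA PRIVATE KEY-----'
        # Restrict this file's ACL to the Exchange transport service account after writing it.
        Set-Content -Path $PrivateKeyPath -Value $pemLines -Encoding ascii

        # The p= tag carries the SubjectPublicKeyInfo DER, base64 encoded (RFC 6376).
        $pubB64 = [Convert]::ToBase64String($rsa.ExportSubjectPublicKeyInfo())
    }
    finally {
        $rsa.Dispose()
    }

    $record = "v=DKIM1; k=rsa; p=$pubB64"

    # A single TXT string is limited to 255 bytes and a 2048-bit key always exceeds that,
    # so the value is also returned as quoted 255-byte chunks for providers that need it.
    $chunks = for ($i = 0; $i -lt $record.Length; $i += 255) {
        '"' + $record.Substring($i, [Math]::Min(255, $record.Length - $i)) + '"'
    }

    [pscustomobject]@{
        Host           = "$Selector._domainkey.$Domain"
        Type           = 'TXT'
        TTL            = 3600
        Value          = $record
        ChunkedValue   = ($chunks -join ' ')
        PrivateKeyPath = (Resolve-Path $PrivateKeyPath).Path
    }
}

New-DkimKeyPair -Domain 'yourdomain.com' -Selector 'selector1' | Format-List
```

Point the DKIM Signer configuration tool at `PrivateKeyPath`, and publish `Value` (or `ChunkedValue`, where the provider asks for the strings separately) at `Host`.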
Option 2: Third-Party Email Gateways
If you use a third-party email gateway or security appliance in front of Exchange Server, it may handle DKIM signing for you. Common options include:
- Mimecast — Signs outbound email on behalf of your domain
- Barracuda Email Security Gateway — Includes DKIM signing capabilities
- Proofpoint — Enterprise email security with DKIM support
In this scenario, Exchange Server sends mail through the gateway, and the gateway adds the DKIM signature before delivery.
Option 3: Hybrid Deployment
If you run a hybrid Exchange deployment (on-premises + Exchange Online), you can route outbound mail through Exchange Online to take advantage of Microsoft's built-in DKIM signing. This means Exchange Online acts as the outbound gateway and signs all messages.
Troubleshooting
Exchange Online: "CNAME record does not exist"
- Double-check the CNAME records at your DNS provider
- Verify there are no typos in the selector hostnames
- Wait for full DNS propagation (up to 48 hours)
Exchange Online: Cannot enable DKIM
- Ensure the domain is fully verified in Microsoft 365
- Try using PowerShell: `Set-DkimSigningConfig -Identity yourdomain.com -Enabled $true`
- Check for conflicting TXT records at the same selector
Exchange Server: Transport agent not signing
- Verify the agent is enabled: run `Get-TransportAgent` in the Exchange Management Shell
- Check the agent priority — it should run after other agents that may modify the message
- Confirm the private key file path is correct and accessible by the Exchange transport service
Exchange Server: DKIM signature fails verification
- Ensure the public key in DNS matches the private key used for signing
- Check that no downstream server is modifying the message after signing
- Verify the selector in the DKIM-Signature header matches your DNS record
Hybrid tip
If managing DKIM on Exchange Server on-premises feels too complex, consider routing outbound email through Exchange Online or a third-party gateway that handles DKIM signing for you.
Key Rotation
Exchange Online rotates keys automatically between selector1 and selector2. No action needed.
Exchange Server requires manual key rotation:
- Generate a new key pair
- Publish the new public key under a new selector
- Update the transport agent to use the new private key
- Keep the old DNS record active for 48-72 hours
- Remove the old DNS record after the transition period
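Both the "DKIM signature fails verification" checks above and the rotation steps come down to one question: does the p= value published at the selector match the private key the agent is actually signing with? The script below answers that for a selector. It is an added example, not code from the original guide or the DKIM Signer project; it assumes PowerShell 7 on Windows (ImportRSAPrivateKey and ExportSubjectPublicKeyInfo are .NET Core 3.0+ APIs; Resolve-DnsName is Windows-only), and the domain, selector and key file path are placeholders.

```powershell
# Added example: not part of the original guide or the DKIM Signer project.
# Resolves the TXT record for a selector and checks that its p= value is the public key
# belonging to the private key file the transport agent signs with. Requires PowerShell 7
# on Windows. Domain, selector and path are placeholders.

function Test-DkimTxtRecord {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $Selector,
        [Parameter(Mandatory)] [string] $PrivateKeyPath
    )

    # Load the agent's private key (PKCS#1 "RSA PRIVATE KEY" or PKCS#8 "PRIVATE KEY" PEM)
    # and derive the SubjectPublicKeyInfo that a correct p= tag must carry (RFC 6376).
    $pem = Get-Content -Path $PrivateKeyPath -Raw
    $der = [Convert]::FromBase64String((($pem -replace '-----[A-Z ]+-----', '') -replace '\s', ''))
    $rsa = [System.Security.Cryptography.RSA]::Create()
    try {
        $read = 0
        if ($pem -match 'BEGIN RSA PRIVATE KEY') { $rsa.ImportRSAPrivateKey($der, [ref] $read) }
        else { $rsa.ImportPkcs8PrivateKey($der, [ref] $read) }
        $expectedP = [Convert]::ToBase64String($rsa.ExportSubjectPublicKeyInfo())
    }
    finally { $rsa.Dispose() }

    $name = "$Selector._domainkey.$Domain"
    $txtRecords = Resolve-DnsName -Name $name -Type TXT -DnsOnly -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'TXT' }

    # More than one TXT record at the selector name is itself a misconfiguration
    # (the "conflicting TXT records" case), so every record found is reported.
    foreach ($rec in $txtRecords) {
        # A long key is published as several 255-byte strings; join them before parsing.
        $joined = ($rec.Strings -join '')
        $tags = @{}
        foreach ($part in ($joined -split ';')) {
            $kv = $part.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = ($kv[1] -replace '\s', '') }
        }
        [pscustomobject]@{
            Name           = $name
            Version        = $tags['v']
            KeyType        = $tags['k']
            PublicKeyMatch = ($tags['p'] -eq $expectedP)
            KeyRevoked     = [string]::IsNullOrEmpty($tags['p'])   # an empty p= means "revoked"
        }
    }
}

# During rotation, run it for both selectors: the new one must match the new key file,
# and the old one should keep matching the old key until the 48-72 hour overlap ends.
Test-DkimTxtRecord -Domain 'yourdomain.com' -Selector 'selector2' -PrivateKeyPath '.\selector2.yourdomain.com.private.pem'
```

A `PublicKeyMatch` of `False` with a present p= tag points at a key/selector mismatch (the agent was switched to the new key before the record was published, or the wrong file was selected); a `True` here with receivers still reporting `dkim=fail` points instead at something downstream modifying the message after signing.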