DKIM for Microsoft 365: Setup Guide
Complete guide to setting up DKIM for Microsoft 365 (Office 365). Enable DKIM signing for Exchange Online with step-by-step instructions.
Last updated: 2026-02-04
Microsoft 365 (formerly Office 365) includes built-in DKIM signing for Exchange Online. This guide shows you how to enable it and configure your DNS records.
Microsoft 365 generates and manages DKIM keys automatically. You need to create two CNAME records in your DNS to enable it.
How Microsoft 365 DKIM Works
Microsoft hosts the DKIM keys for you and has you delegate the selectors to it with CNAME records:
- Microsoft generates two key pairs for your domain
- You create CNAME records pointing to Microsoft's DKIM infrastructure
- Microsoft handles key management and rotation automatically
- All Exchange Online emails are signed with your domain
Prerequisites
- Your domain must be verified in Microsoft 365
- You need access to your domain's DNS management
- Allow up to 48 hours for DNS propagation
Enable DKIM in Microsoft 365
Open Microsoft 365 Defender
Go to security.microsoft.com and sign in as an administrator.
Navigate to DKIM
Go to Policies & rules → Threat policies → Email authentication settings → DKIM.
Select your domain
Click on the domain you want to configure. Microsoft will show you the CNAME records you need to create.
Copy the CNAME records
You'll see two records—selector1 and selector2. Copy both hostname and value pairs.
Add DNS Records
Microsoft requires two CNAME records:
Record 1:
| Field | Value |
|---|---|
| Host/Name | `selector1._domainkey` |
| Type | CNAME |
| Value | `selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com` |
Record 2:
| Field | Value |
|---|---|
| Host/Name | `selector2._domainkey` |
| Type | CNAME |
| Value | `selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com` |
The exact values depend on your domain and tenant. Copy them from the Microsoft 365 Defender portal for accuracy.
Activate DKIM Signing
Wait for DNS propagation
Allow up to 48 hours for the CNAME records to propagate.
Return to DKIM settings
Go back to Microsoft 365 Defender → DKIM page.
Enable signing
Toggle "Sign messages for this domain with DKIM signatures" to On.
Verify status
The status should show as enabled. Test by sending an email and checking the headers.
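As an added example (not part of the original guide), this Python script performs the header check from the "Verify status" step: it confirms that a message carries a DKIM signature whose `d=` matches the From domain and whose selector is `selector1` or `selector2`, and that the receiving server recorded `dkim=pass` for that domain. The sample messages, the host `mx.example.net` and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
EXPECTED_SELECTORS = {"selector1", "selector2"}  # the two selectors in this guide

def dkim_tags(value):
    """Parse a DKIM-Signature header value into a tag -> value dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def check_dkim(raw_message):
    """Return a list of problems; an empty list means the headers look right."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signatures = [dkim_tags(v) for v in msg.get_all("DKIM-Signature", [])]
    aligned = [s for s in signatures if s.get("d", "").lower() == from_domain]
    problems = []
    if not signatures:
        problems.append("no DKIM-Signature header")
    elif not aligned:
        problems.append(f"no signature with d={from_domain}")
    elif not any(s.get("s") in EXPECTED_SELECTORS for s in aligned):
        problems.append("aligned signature uses an unexpected selector")
    # Receiver's verdict: need dkim=pass recorded against the From domain.
    results = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = re.findall(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", results)
    if ("pass", from_domain) not in [(r, d.lower()) for r, d in verdicts]:
        problems.append("receiver did not record dkim=pass for the From domain")
    return problems

# Constructed sample (not real mail); bh= and b= hold placeholders.
GOOD = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=yourdomain.com header.s=selector1; spf=pass
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com;
 s=selector1; h=From:Subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@yourdomain.com>
Subject: DKIM test

body
"""
# Constructed failure: every d= is the onmicrosoft.com domain, not the From domain.
NOT_ENABLED = GOOD.replace("d=yourdomain.com", "d=yourtenant.onmicrosoft.com")
for name, sample in (("GOOD", GOOD), ("NOT_ENABLED", NOT_ENABLED)):
    print(name, check_dkim(sample) or "OK")
```

To check real mail, save the received message with full headers and pass its text to `check_dkim`.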
Microsoft 365 Selectors
Microsoft uses two selectors for redundancy and key rotation:
- `selector1._domainkey.yourdomain.com`
- `selector2._domainkey.yourdomain.com`
Microsoft rotates between these automatically. You don't need to manage key rotation yourself.
Using the PowerShell Alternative
You can also enable DKIM via Exchange Online PowerShell:
```powershell
# Connect to Exchange Online
Connect-ExchangeOnline

# Get DKIM configuration
Get-DkimSigningConfig -Identity yourdomain.com

# Enable DKIM
Set-DkimSigningConfig -Identity yourdomain.com -Enabled $true
```
Troubleshooting
"CNAME record does not exist"
- Verify the CNAME records are created at the correct hostnames
- Check DNS propagation status
- Ensure no typos in the values
"Key not enabled"
- Wait for full DNS propagation (up to 48 hours)
- Try disabling and re-enabling DKIM in the portal
- Check for conflicting TXT records at the same selector
Different domain for email
If your email domain differs from your Microsoft 365 tenant domain, ensure you're configuring DKIM for the correct domain (the one in your From addresses).
Multiple Domains
Each domain in Microsoft 365 needs its own DKIM configuration:
- Repeat the process for each custom domain
- Each domain gets its own pair of selectors
- Microsoft manages all keys centrally