Configure DKIM record for Office 365

In the previous article, we had a look at how to configure the SPF record for Office 365. An excellent way to protect both senders and recipients from phishing mail is to configure a DKIM record for Office 365. In this article, we will look at how to configure and enable DKIM record for Office 365.

What is DomainKeys Identified Mail (DKIM)?

DomainKeys Identified Mail (DKIM) is an authentication process that can help protect both senders and recipients from forged and phishing email. Add DKIM signatures to your domains, so recipients know that email messages actually came from users in your organization and weren’t modified after they were sent.

Check Office 365 DKIM status

Log in to Microsoft 365 admin center. Click under Admin centers on Security.

Click on Threat Management > Policy > DKIM.

Another option is to go straight to the link https://protection.office.com/dkimv2.

Click on the domain in the list view. In this example, the domain exoip.com.

Click on the switch to enable DKIM.

A message will show that it can’t enable DKIM because the CNAME record does not exist for this config. That’s correct because we need to add a couple of CNAMES in the domain’s registrar.

Only the message is not showing which two CNAME records we need to add. That’s a bug by Microsoft, and they will hopefully fix this very soon.

Office 365 DKIM records example

An example of how the DKIM records look like for the domain exoip.com:

 selector1._domainkey CNAME selector1-exoip-com._domainkey.exoip365.onmicrosoft.com
 selector2._domainkey CNAME selector2-exoip-com._domainkey.exoip365.onmicrosoft.com

If you want to add more than one domain, change the domain and tenant. Everything else looks the same.

Get Office 365 DKIM selector with PowerShell

Run PowerShell as administrator and Connect to Exchange Online PowerShell.

PS C:\> Connect-ExchangeOnline -UserPrincipalName admin@exoip365.onmicrosoft.com

Run the cmdlet Get-DkimSigningConfig including the domain.

PS C:\> Get-DkimSigningConfig -Identity exoip.com | fl Selector1CNAME,Selector2CNAME

Selector1CNAME : selector1-exoip-com._domainkey.exoip365.onmicrosoft.com
Selector2CNAME : selector2-exoip-com._domainkey.exoip365.onmicrosoft.com

Add Office 365 DKIM CNAME records to domain’s registrar

Go to the domain’s registrar. Add the two CNAME records.

In our example, a dot needs to be added at the end of the value. It will look like below.

Name                   TTL      Type    Value
----                   ---      ----    -----
selector1._domainkey   5 min.   CNAME   selector1-exoip-com._domainkey.exoip365.onmicrosoft.com.
selector2._domainkey   5 min.   CNAME   selector2-exoip-com._domainkey.exoip365.onmicrosoft.com.

We have to wait 15 minutes to an hour before changes take effect.

Enable Office 365 DKIM

Go back to the Office 365 Security & Compliance Center and Enable DKIM for Office 365.

DKIM record check

Check DKIM record with MxToolbox. Fill in the domain name and selector1. Click DKIM Lookup.

The DKIM selector1 record is published.

Change the lookup field to selector2 and click on DKIM Lookup. The DKIM selector2 record is published.

We did successfully configure the DKIM record for the domain in Office 365.

In the next article, we will change Users UPN with PowerShell.

Conclusion

In this article, you learned how to configure DKIM record for Office 365. Log in to the Microsoft 365 admin portal and go to the DKIM policy. Enabling DKIM for the domain will not work without first creating the CNAME records in the domain’s registrar.

Log in to the domain’s registrar and publish the CNAME records selector1 and selector2. After that, wait for 15 minutes before enabling DKIM in Microsoft 365 admin portal. You can always use MxToolbox to perform a DKIM record test against the domain name and selector for a valid published DKIM key record.

Did you enjoy this article? You may also like Add second domain to Exchange Server. Don’t forget to follow us and share this article.