Set Up DKIM on Microsoft 365

Configure DKIM for Exchange Online and Outlook.

Microsoft 365 uses CNAME records instead of TXT records for DKIM. This allows Microsoft to manage key rotation automatically.

Time required: 15 minutes (plus DNS propagation)
Prerequisites: Microsoft 365 admin access, DNS access

Step 1: Access Microsoft 365 Defender

  1. Go to security.microsoft.com
  2. Navigate to Email & collaboration → Policies & rules
  3. Click Threat policies
  4. Select Email authentication settings
  5. Click the DKIM tab

Step 2: Generate DKIM Keys

  1. Select your domain from the list
  2. Click Create DKIM keys
  3. Microsoft will generate two selectors for key rotation

Step 3: Add DNS CNAME Records

Create two CNAME records pointing to Microsoft's infrastructure:

# First selector
Name: selector1._domainkey
Type: CNAME
Value: selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com

# Second selector
Name: selector2._domainkey
Type: CNAME
Value: selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com

# Replace:
# - "yourdomain-com" with your domain using dashes (example-com)
# - "yourdomain.onmicrosoft.com" with your Microsoft 365 domain

Step 4: Enable DKIM Signing

  1. Wait for DNS propagation (up to 48 hours, usually faster)
  2. Return to Microsoft 365 Defender → DKIM settings
  3. Toggle Sign messages for this domain with DKIM signatures to On

PowerShell Alternative

Prefer command line? Use Exchange Online PowerShell:

# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com

# Check current DKIM status
Get-DkimSigningConfig -Identity yourdomain.com | Format-List

# Create DKIM config if needed
New-DkimSigningConfig -DomainName yourdomain.com -Enabled $false

# Get CNAME records to create
Get-DkimSigningConfig -Identity yourdomain.com |
  Select-Object Selector1CNAME, Selector2CNAME

# Enable DKIM after DNS records are in place
Set-DkimSigningConfig -Identity yourdomain.com -Enabled $true

# Rotate keys periodically (Microsoft recommends quarterly)
Rotate-DkimSigningConfig -KeySize 2048 -Identity yourdomain.com
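
A pre-flight check for the enable step, added here as an example and not taken from this page or from Microsoft: it compares what DNS returns for both selectors against the CNAME targets the tenant itself reports, and enables signing only when both match. The function name Test-DkimCname is hypothetical; the script assumes an active Connect-ExchangeOnline session and a Windows host where Resolve-DnsName is available.

```powershell
# Added example. Assumes an active Connect-ExchangeOnline session and a
# Windows host with the DnsClient module (Resolve-DnsName).
function Test-DkimCname {
    param(
        [Parameter(Mandatory)] [string] $Domain
    )

    # The tenant reports the exact CNAME targets it expects for both selectors.
    $config = Get-DkimSigningConfig -Identity $Domain -ErrorAction Stop

    foreach ($n in 1, 2) {
        $name     = "selector${n}._domainkey.$Domain"
        $expected = ([string]$config."Selector${n}CNAME").TrimEnd('.')

        # Query the CNAME only; a missing record yields no CNAME answer
        # (possibly an SOA record), which the filter below discards.
        $answer = Resolve-DnsName -Name $name -Type CNAME -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'CNAME' } |
            Select-Object -First 1

        $actual = if ($answer) { $answer.NameHost.TrimEnd('.') } else { $null }

        [pscustomobject]@{
            Record   = $name
            Expected = $expected
            Actual   = $actual
            # DNS names are case-insensitive, so compare with -ieq.
            Match    = [bool]($actual -and ($actual -ieq $expected))
        }
    }
}

$domain  = 'yourdomain.com'   # placeholder, as in the commands above
$results = @(Test-DkimCname -Domain $domain)
$results | Format-Table -AutoSize

# Enable signing only when both selectors resolve to the expected targets.
if (@($results | Where-Object { -not $_.Match }).Count -eq 0) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
} else {
    Write-Warning "DKIM not enabled for ${domain}: fix or wait for the records where Match is False."
}
```

An empty Actual column usually means the record has not propagated yet or was created as a TXT record instead of a CNAME.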

Checklist

Created DKIM keys in Microsoft 365 Defender
Added selector1._domainkey CNAME record
Added selector2._domainkey CNAME record
Enabled DKIM signing in portal

Next Steps