How to Configure DKIM for Office 365

DKIM is the second authentication method that helps receiving mail systems verify that mail sent from your Office 365 tenant is legitimate. Together with SPF and DMARC, it prevents attackers from spoofing your email.

Where SPF is required to send email from Office 365, DKIM is recommended (together with DMARC). When you have more than one custom domain in Office 365, you really should configure DKIM, because the built-in DKIM configuration in Office 365 is insufficient in that case.

In this article, we are going to add the appropriate records to our DNS Hosting provider and configure DKIM in Office 365.

We will also look at configuring DKIM for domains that don’t send emails and I have a couple of small PowerShell scripts for you when you need to configure it for multiple domains.

Configure DKIM for Office 365

If you are using the default .onmicrosoft.com domain, then you don’t need to configure DKIM in Office 365. Configuring DKIM is also not required when you have only one custom domain: Microsoft 365 uses its default policy and a 2048-bit public DKIM key for your domain if you don’t enable it yourself.

But when you have more than one custom domain, or also intend to configure DMARC (recommended), then you will need to manually set up DKIM in Office 365.

To configure DKIM we need to have access to the DNS records. Keep in mind that it can take some time (from a couple of minutes to 24 hours) until the DNS changes are processed.

Note

You will need to follow the steps below for every domain that you want to enable DKIM for in your tenant.

I am using Cloudflare as a DNS Hosting provider, which I will be showing in the screenshots below. If you don’t know how to change your DNS records, then contact your hosting provider to assist you.

Time needed: 5 minutes

  1. Create DKIM Keys


    We are first going to create the DKIM keys in the Microsoft 365 security center. Even though they all have the same format, this will make it easier to copy and paste the correct DNS record values.

    If you don’t see the option Create DKIM Keys, then just go to the next step.

    1. Log in at security.microsoft.com/dkimv2
    2. Select the domain that you are sending mail from
    3. Click Create DKIM Keys

    Create Office 365 DKIM Keys

  2. Copy or Write down the keys


    All the DKIM Keys have the same format. In the example below you can replace contoso-com with your domain name and contoso.onmicrosoft.com with your onmicrosoft.com domain.

    Name: selector1._domainkey
    Value: selector1-contoso-com._domainkey.contoso.onmicrosoft.com

    Name: selector2._domainkey
    Value: selector2-contoso-com._domainkey.contoso.onmicrosoft.com

    Note the hyphen (-) instead of the dot (.) in your domain name!

  3. Log in at your DNS hosting provider


    We can now create the appropriate DNS records.

    – Log in at your DNS hosting provider.
    – Navigate to your DNS records management

  4. Create the DKIM Records


    We will need to create the two CNAME records.

    – Add a new DNS Record
    – Select type: CNAME
    – Enter the name and value of the DKIM key

    Repeat this for the second DKIM record (just change the 1 to 2).

    DKIM DNS Records

  5. Enable DKIM


    Depending on your DNS hosting provider we will now need to wait a couple of minutes or maybe even a day. (Not all DNS providers are fast with updating DNS records).

    Go back to the Security Admin Center and enable DKIM for your domain.

    1. Select your domain
    2. Enable “Sign messages for this domain with DKIM signatures”

    If you get an error that the CNAME records are not found, then just wait a bit longer. After 24 hours it should work. If you still get the error then, double-check the name and value of both CNAME records.

    enable dkim office 365

Check DKIM Records for Office 365

It’s always a good idea to verify the DNS record configuration. A great site for this is MxToolbox.com, but we can also use the Microsoft help in the Admin center for this.

  1. Open DKIM Test page
  2. Enter your domain name
  3. Click Run Tests

office 365 dkim check

The test takes a couple of seconds to complete. When it’s successful you will see the following result for your domain:

DKIM Test result

Protecting Domains that don’t send mail

If you have domains that don’t send mail, then it’s a good idea to protect those as well. This may sound strange, but these domains can still be used for spoofing and phishing attacks. You can also do this for subdomains that don’t send email.

By creating a simple DNS TXT record we can tell receiving mail systems that this domain has no valid DKIM signing key, so any mail claiming to be signed by it is invalid and should be rejected.

We can use a TXT record for this with the following format:

Name: *._domainkey.non-mail-domain.com
Value: v=DKIM1; p=
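As an added example (not part of the original article), the PowerShell below performs the same checks as the DKIM Test page and MxToolbox, but from the command line: it resolves the two selector CNAMEs for a sending domain, compares them against the value Office 365 expects (selectorN-domain-with-dashes._domainkey.yourtenant.onmicrosoft.com), follows the CNAME to confirm a v=DKIM1 key is actually published, and separately probes a non-sending domain's wildcard *._domainkey record for the null key. It assumes Resolve-DnsName (the DnsClient module on Windows) is available; the domain names used are placeholders, and the null record complements, rather than replaces, the domain's SPF record and DMARC policy.

```powershell
# Added example (not from the original article): verify DKIM DNS records with
# Resolve-DnsName (DnsClient module, Windows). Domain names are placeholders.

function Test-O365DkimCname {
    # Checks selector1/selector2._domainkey.<Domain> are CNAMEs to the Office 365
    # target and that the target publishes a DKIM public key (TXT starting v=DKIM1).
    param(
        [Parameter(Mandatory)] [string] $Domain,            # e.g. contoso.com
        [Parameter(Mandatory)] [string] $OnMicrosoftDomain  # e.g. contoso.onmicrosoft.com
    )
    $dashed = $Domain -replace '\.', '-'                   # contoso.com -> contoso-com
    foreach ($n in 1, 2) {
        $name     = "selector$n._domainkey.$Domain"
        $expected = "selector$n-$dashed._domainkey.$OnMicrosoftDomain"
        $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object Type -eq 'CNAME' | Select-Object -First 1
        if (-not $cname) {
            [pscustomobject]@{ Record = $name; Status = 'MISSING'; Found = $null; Expected = $expected }
            continue
        }
        $found  = $cname.NameHost.TrimEnd('.')
        $status = if ($found -eq $expected) { 'OK' } else { 'WRONG TARGET' }
        # Follow the CNAME: Microsoft publishes the public key as a TXT record at the target
        $txt = Resolve-DnsName -Name $found -Type TXT -ErrorAction SilentlyContinue |
               Where-Object Type -eq 'TXT' | Select-Object -First 1
        if ($status -eq 'OK' -and -not ($txt -and (($txt.Strings -join '') -like 'v=DKIM1*'))) {
            $status = 'NO KEY PUBLISHED'   # CNAME is right, but no key is visible at the target yet
        }
        [pscustomobject]@{ Record = $name; Status = $status; Found = $found; Expected = $expected }
    }
}

function Test-NullDkimRecord {
    # For a domain that never sends mail: any selector under *._domainkey.<Domain>
    # must answer with the null key "v=DKIM1; p=". A random selector name exercises
    # the wildcard instead of an accidentally published real key.
    param([Parameter(Mandatory)] [string] $Domain)
    $probe = "probe$(Get-Random -Maximum 99999)._domainkey.$Domain"
    $txt = Resolve-DnsName -Name $probe -Type TXT -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'TXT'
    $value = ($txt | ForEach-Object { $_.Strings -join '' }) -join ' '
    [pscustomobject]@{
        Domain    = $Domain
        Record    = $probe
        Value     = $value
        IsNullKey = [bool]($value -match '^v=DKIM1;\s*p=\s*$')
    }
}

# Usage (placeholder domains): one row per selector, then the null-key probe
Test-O365DkimCname -Domain 'contoso.com' -OnMicrosoftDomain 'contoso.onmicrosoft.com' | Format-Table
Test-NullDkimRecord -Domain 'non-mail-domain.com' | Format-List
```

A status of WRONG TARGET usually means the dot/hyphen mix-up from step 2 (contoso.com instead of contoso-com in the target), and NO KEY PUBLISHED means the CNAME is fine but Office 365 has not published the key for that selector yet, which is the same situation as the "CNAME records not found" error when enabling.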

dkim for non mail domains

Using PowerShell to create and enable DKIM

When you need to enable DKIM for multiple domains in your tenant, it might be useful to use PowerShell. With PowerShell, we can retrieve the DKIM CNAME values for all domains in your tenant, and enable DKIM after you have created the CNAME records.

Make sure that you are connected to Exchange Online.

# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Get all domains in your tenant and show the DKIM CNAME values for each
Get-AcceptedDomain | ForEach-Object {
    Write-Host $_.Name -ForegroundColor Cyan
    Get-DkimSigningConfig -Identity $_.Name | Format-List Selector1CNAME, Selector2CNAME
}

You can also output it to a file:

$file = "c:\temp\dkim.txt"

Get-AcceptedDomain | ForEach-Object {
    $_.Name | Out-File $file -Append
    Get-DkimSigningConfig -Identity $_.Name | fl Selector1CNAME, Selector2CNAME | Out-File $file -Append
}

Next you will need to create the CNAME records. After you have done that, and waited the appropriate amount of time, you can enable DKIM in Office 365 with the following PowerShell script:

# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Enable DKIM signing for each domain (the CNAME records must already resolve)
Get-AcceptedDomain | ForEach-Object {
    Write-Host "Enabling DKIM for $($_.Name)" -ForegroundColor Cyan
    Set-DkimSigningConfig -Identity $_.Name -Enabled $true
}
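The two scripts above assume every accepted domain already has a DKIM signing config and that the CNAMEs are in place. As an added example (not the article's own script), the following combines both steps into one script with two phases: the Export phase creates the signing config for any custom domain that lacks one (New-DkimSigningConfig, the PowerShell equivalent of the Create DKIM Keys button) and writes the CNAME values to a CSV; the Enable phase, run after the DNS records exist, checks each domain's CNAMEs with Resolve-DnsName against what Exchange Online expects and only then calls Set-DkimSigningConfig. It skips the .onmicrosoft.com domain and non-authoritative domains. The ExchangeOnlineManagement module, Resolve-DnsName (Windows), the CSV path and the admin UPN are assumptions.

```powershell
# Added example (not from the original article): tenant-wide DKIM rollout in
# two phases. Save as dkim-rollout.ps1; run with -Phase Export, create the
# CNAMEs, wait for DNS, then run with -Phase Enable. Path and UPN are placeholders.
param(
    [ValidateSet('Export', 'Enable')] [string] $Phase = 'Export',
    [string] $CsvPath = 'C:\temp\dkim-cnames.csv',
    [string] $AdminUpn = 'admin@contoso.com'
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Custom, authoritative domains only: the *.onmicrosoft.com domain is already
# signed by Microsoft, and relay domains are not ours to sign for.
$domains = Get-AcceptedDomain |
    Where-Object { $_.DomainType -eq 'Authoritative' -and $_.DomainName -notlike '*.onmicrosoft.com' }

if ($Phase -eq 'Export') {
    $rows = foreach ($d in $domains) {
        $cfg = Get-DkimSigningConfig -Identity $d.Name -ErrorAction SilentlyContinue
        if (-not $cfg) {
            # No keys yet for this domain: create the config disabled, which generates the keys
            Write-Host "Creating DKIM signing config for $($d.Name)" -ForegroundColor Cyan
            $cfg = New-DkimSigningConfig -DomainName $d.Name -Enabled $false
        }
        [pscustomobject]@{
            Domain         = $d.Name
            Enabled        = $cfg.Enabled
            Selector1Name  = 'selector1._domainkey'
            Selector1CNAME = $cfg.Selector1CNAME
            Selector2Name  = 'selector2._domainkey'
            Selector2CNAME = $cfg.Selector2CNAME
        }
    }
    $rows | Export-Csv -Path $CsvPath -NoTypeInformation
    $rows | Format-Table Domain, Enabled, Selector1CNAME
    Write-Host "CNAME values written to $CsvPath. Create the records, then rerun with -Phase Enable."
}
else {
    foreach ($d in $domains) {
        $cfg = Get-DkimSigningConfig -Identity $d.Name -ErrorAction SilentlyContinue
        if (-not $cfg) { Write-Warning "$($d.Name): no signing config, run -Phase Export first"; continue }
        if ($cfg.Enabled) { Write-Host "$($d.Name): already enabled" -ForegroundColor DarkGray; continue }

        # Compare what public DNS returns with the target Exchange Online expects per selector
        $dnsOk = $true
        foreach ($n in 1, 2) {
            $expected = $cfg."Selector${n}CNAME"
            $cname = Resolve-DnsName -Name "selector$n._domainkey.$($d.Name)" -Type CNAME -ErrorAction SilentlyContinue |
                     Where-Object Type -eq 'CNAME' | Select-Object -First 1
            if (-not $cname -or $cname.NameHost.TrimEnd('.') -ne $expected) {
                Write-Warning "$($d.Name): selector$n CNAME missing or wrong (got '$($cname.NameHost)', expected '$expected')"
                $dnsOk = $false
            }
        }
        if (-not $dnsOk) { continue }   # leave this domain for a later run instead of failing the batch

        try {
            Set-DkimSigningConfig -Identity $d.Name -Enabled $true -ErrorAction Stop
            Write-Host "$($d.Name): DKIM signing enabled" -ForegroundColor Green
        }
        catch {
            # Exchange Online refuses to enable while it cannot see the CNAMEs itself; retry later
            Write-Warning "$($d.Name): $($_.Exception.Message)"
        }
    }
}
```

Because Enable skips domains whose DNS is not right yet rather than stopping, you can rerun it as often as needed while slow DNS providers catch up; the warnings tell you exactly which selector of which domain still needs attention.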

Wrapping Up

DKIM, together with SPF and DMARC, not only prevents spoofing of your mail domain but also helps with the safe delivery of your emails to your clients’ and customers’ mailboxes. All mail providers, like Gmail, Outlook, Microsoft 365, etc., want to verify whether an email is legitimate.

When in doubt they move the mail to the junk or spam folder, which of course you don’t want. Make sure you also configure DMARC for your domain, so that you have all the authentication methods in place for your domain.

If you have any questions, just drop a comment below.

34 thoughts on “How to Configure DKIM for Office 365”

  1. Hello,

    I activated dkim and added the DNS records but still see this:
    “X-MS-TNEF-Correlator:
    msip_labels:
    authentication-results: dkim=none (message not signed)
    header.d=none;dmarc=none action=none header.from=domain.com”

    In the receiving e-mails.

    Should i worry about it ?

    • Make sure that the DKIM keys are correctly configured in your DNS. Also it can take some time for the DNS records to be fully processed (up to 24 hours). If the issue remains, check if the tenant is dehydrated. If yes, then run the command Enable-OrganizationCustomization.

      Connect-ExchangeOnline
      
      # Get current state
      Get-OrganizationConfig | ft Identity,IsDehydrated
      
      # If result IsDehydrated is True, then
      Enable-OrganizationCustomization
      

      More info here

      • Hello Rudy Mens,

        Thank you for your help. It is priceless.

        I already checked the tenant and it is “hydrated”.

        Microsoft support advise me, to remove all DNS records, to stop the DKIM from admin center and re-create it.
        This is madness.

        Is that “X-MS-TNEF-Correlator:” really important ?
        mail-tester.com says that my e-mails and DKIM is fine.

        • I honestly don’t know. What I have found is the following:

          If the X-MS-TNEF-Correlator header is empty or missing, it may lead to issues in decoding TNEF streams correctly. The correlation between the TNEF stream and the message envelope relies on this header to validate their association. Therefore, while support for the X-MS-TNEF-Correlator header field is not mandatory, its presence or correct value is crucial for ensuring the accurate decoding of TNEF streams

  2. I already have set-up DKIM records for other service – AWS SES.

    Will it be a problem to set-up office365 records too?

    Should I expect some conflict?

  3. Hi Ruud –

    A great article, very helpful. My online commerce site, from SquareSpace, sends customers email receipts from my domain which show up as unverified. The domain records are already configured with DMARC and DKIM for the emails I send. Can I add a second set of entries for DMARC and DKIM using the SquareSpace supplied values for DMARC and DKIM in my domain records?

  4. Hi Rudy, Maybe you know someone with similar issues? My EPS is GoDaddy

    When I access security.microsoft.com/dkimv2 I cannot see any of my domains.

    I then try to access admin.microsoft.com to add those domains from GoDaddy but every time i log in, it redirects me to my admin GoDaddy page.

    The GoDaddy support team sent me a link to https://easydmarc.com/tools/dkim-record-generator but even there it says that my EPS should provide me with DKIM Key…

    Can I use EasyDMARC to generate DKIM is there another/better way?

  5. Hi Ruud
    Thanks for the article!
    I have a domain in office 365 for my company but then I have a couple of vendor sites that send emails as if from my company as well.
    If I enable DKIM will that then flag these as spoof emails?
    I have already added them to my SPF record and they are working now.
    What do you think?

  6. Thanks for the article! Any recommendation on the importance of rotating DKIM keys and how to rotate the DKIM keys through Powershell? We have about 45 custom domains and it’d be tremendously helpful if we can do this through PS. Thanks in Advance!

  7. Hi Guys,

    So trying to Setup DKIM between our o365 and external email gateway.
    Email flow from outside and outside 365:
    – Via MX to gateway to 365 to user.
    Email from outside but another unrelated 365 tenant:
    – Via Microsoft routing address to our 365 tenant to gateway back to 365 to user.

    Sending emails is easier 365 to gateway and out.

    At the moment I have my own DKIM keys on all our mail sending domains using our own selectors so that email gateway understands them and uses them to sign emails.

    However, no matter what at the end email goes out as sent from: contosogroup.onmicrosoft.com

    I need to align it, so I get full DKIM pass how do I do that?
    Can’t turn on DKIM in 365 for email sending domains as those domains do not send from there.

    Any suggestions?

  8. Excellent article – wish Microsoft would write their articles this way.
    On “Protecting Domains that don’t send mail” I have multiple domains that I receive email on but I do not send mail from at all, I just add them as aliases to my primary email.
    When adding them to 365 I had to create the usual SPF “v=spf1 include:spf.protection.outlook.com -all”
    Should I edit that to yours “Name: *._domainkey.non-mail-domain.com
    Value: v=DKIM1; p=” or add as another SPF ?
    If editing will doing this make this domain unhealthy in 365 domain ?

  9. Excellent article and I echo the last comment about your documentation being much clearer to follow than Microsoft’s. Thank you from another lazy admin!

  10. This is a far better article than Microsoft’s own help page! They make what is a relatively simple process, look far more complicated.

    I realise that I am posting this comment (July 22) 6 months on from the last update (Feb 22) however when running the DKIM test in the admin centre, the message after running tests simply says “Our tests didn’t find any problems.” which is a lot less reassuring than “…successfully created and enabled”.

  11. Hi Rudy, when entering the host name do you need to place a trailing “.” at the end

    for example selector2-mydomain-com01i._domainkey.mydomain-com.onmicrosoft.com.

    when I am adding the CNAME records at my DNS registrar I get the following warning

    “Warning: A hostname entry usually ends with a dot (.) unless you specifically want it to be suffixed by the current domain.”

      • Hi Rudd, thanks for getting back to me.
        I found, by accident it is not a fixed rule for all DNS providers.
        I have domains with Gandi and Go Daddy with one proxied via Cloudflare.
        As you correctly state Gandi DNS like many others doesn’t work if you leave the trailing dot out.

        Interestingly Cloudflare does not seem to need the dot. I was working that as a test and started that before you replied.
        Their GUI must assume it because I did not enter the dot and it worked fine. This is what got me so confused because without the dot Gandi wasn’t working.

        Thanks for your help and this excellent article too.

  12. I have a custom domain, mydomain.mail.onmicrosoft.com, and mydomain.onmicrosoft.com domain. Does that mean I don’t need to setup DKIM? When I check Microsoft 365 Defender DKIM settings, DKIM is only enabled for the mydomain.onmicrosoft.com domain.

  13. Great article.

    Do you have plans for a DMARC article to wrap it all up?

    Thanks for taking the time to share your experience.
