How to Configure DKIM for Office 365

DKIM is the second authentication method that helps with verifying mail sent from your Office 365 is legitimate. Together with SPF and DMARC, this prevents attackers from spoofing your emails.

Where SPF is required to send emails from Office 365, is DKIM recommended to configure (together with DMARC). When you have more the one custom domain in Office 365, then you really should configure DKIM, because the built-in DKIM Configuration in Office 365 is insufficient then.

In this article, we are going to add the appropriate records to our DNS Hosting provider and configure DKIM in Office 365.

We will also look at configuring DKIM for domains that don’t send emails and I have a couple of small PowerShell scripts for you when you need to configure it for multiple domains.

Configure DKIM for Office 365

If you are using the default domain, then you don’t need to configure DKIM in Office 365. Also when you have only one custom domain is configuring DKIM is not required. Microsoft 365 uses its default policy and 2048-bit public DKIM key for your domain if you don’t enable it yourself.

But when you have more than one custom domain, or also intend to configure DMARC (recommend), then you will need to manually set up DKIM in Office 365.

To configure DKIM we need to have access to the DNS records. Keep in mind that it can take some time (from a couple of minutes to 24 hours) until the DNS changes are processed.


You will need to follow the steps below for every domain that you want to enable DKIM for in your tenant.

I am using Cloudflare as a DNS Hosting provider, which I will be showing in the screenshots below. If you don’t know how to change your DNS records, then contact your hosting provider to assist you.

Time needed: 5 minutes

  1. Create DKIM Keys

    We are first going to create the DKIM keys in the Microsoft 365 security center. Even though they all have the same format, this will make it easier to copy and paste the correct DNS record values

    If you don’t see the option Create DKIM Keys, then just go to the next step.

    1. Login at
    2. Select the domain that you are sending mail from
    3. Click Create DKIM Keys

    Create Office 365 DKIM Keys

  2. Copy or Write down the keys

    All the DKIM Keys have the same format. In the example below you can replace contoso-com with your domain name and with your domain.

    Name: selector1._domainkey

    Name: selector2._domainkey

    Note the – instead of the . in your domain name!

  3. Login at your DNS hosting provider

    We can now create the appropriate DNS records.

    – Log in at your DNS hosting provider.
    – Navigate to your DNS records management

  4. Create the DKIM Records

    We will need to create the two CNAME records.

    – Add a new DNS Record
    – Select type: CNAME
    – Enter the name and value of the DKIM key

    Repeat it for the second DKIM record (just change the 1 into 2)

    DKIM DNS Records

  5. Enable DKIM

    Depending on your DNS hosting provider we will now need to wait a couple of minutes or maybe even a day. (Not all DNS providers are fast with updating DNS records).

    Go back to the Security Admin Center and enable DKIM for your domain

    1. Select your domain
    2. Enable “Sign messages for this domain with DKIM signatures”

    If you get an error that the CNAME records are not found, then just wait a bit longer. After 24 hours it should work. If you then still get the error, then double-check the CNAME records name and value.

    enable dkim office 365

Check DKIM Records for Office 365

It’s always a good idea to verify the DNS record configuration. A great site for this is but we can also use the Microsoft help in the Admin center for this.

  1. Open DKIM Test page
  2. Enter your domain name
  3. Click Run Tests
office 365 dkim check

The test takes a couple of seconds to complete. When it’s successful you will see the following result for your domain:

dkim result

Protecting Domains that don’t send mail

If you have domains that don’t send mail, then it’s a good idea to protect does as well. This may sound strange, but these domains can still be used for spoofing and phishing attacks. You can also do this for subdomains that don’t send emails.

By creating a simple DNS TXT record we can tell the receiving mail systems that mail from this domain is invalid and should be rejected.

We can use a TXT record for this with the following format:

Name: *
Value: v=DKIM1; p=

dkim for non mail domains

Using PowerShell to create and enable DKIM

When you need to enable DKIM for multiple domains in your tenant, then it might be useful to use PowerShell. With PowerShell, we can create the DKIM records for all domains in your tenant and enable DKIM after you have created the CNAME records.

Make sure that you are connected to Exchange Online.

# Connect to Exchange Online
connect-exchangeonline -userprincipalname [email protected]

# Get all domains in your tenant and create DKIM records
Get-AcceptedDomain | ForEach-Object {
    Write-Host $_.Name -ForegroundColor Cyan 
    Get-DkimSigningConfig -Identity $_.Name | fl Selector1CNAME, Selector2CNAME

You can also output it to a file:

$file = "c:\temp\dkim.txt"

Get-AcceptedDomain | ForEach-Object {
    $_.Name | Out-File $file -Append
    Get-DkimSigningConfig -Identity $_.Name | fl Selector1CNAME, Selector2CNAME | Out-File $file -Append

Next you will need to create the CNAME records. After you have done that, and waited the appropriate amount of time, you can enable DKIM in Office 365 with the following PowerShell script:

# Connect to Exchange Online
connect-exchangeonline -userprincipalname [email protected]

# Enable DKIM for each domain
Get-AcceptedDomain | ForEach-Object {
    Write-Host "Enabling DKIM for $_" -ForegroundColor Cyan 
    Set-DkimSigningConfig -Identity $_.Name -Enabled $true

Wrapping Up

DKIM, together with SPF and DMARC, not only prevents spoofing of your mail domain but also helps with the safe delivery of your emails at your clients/customers’ mailbox. All mail providers, like Gmail, Outlook, Microsoft 365, etc, want to verify if an email is legitimate.

When in doubt they move the mail to the junk or spam folder, which of course don’t want. Make sure you also configure DMARC for your domain, so that you have all the authentication methods in place for your domain.

If you have any questions, just drop a comment below.

34 thoughts on “How to Configure DKIM for Office 365”

  1. Hello,

    I activated dkim and added the DNS records but still see this:
    authentication-results: dkim=none (message not signed)
    header.d=none;dmarc=none action=none”

    In the receiving e-mails.

    Should i worry about it ?

    • Make sure that the DKIM keys are correctly configured in your DNS. Also it can take some time for the DNS records to be fully processed (up to 24 hours). If the issue remains, check if the tenant is dehydrated. If yes, then run the command Enable-OrganizationCustomization.

      # Get current state
      Get-OrganizationConfig | ft Identity,IsDehydrated
      # If result IsDehydrated is True, then

      More info here

      • Hello Rudy Mens,

        Thank you for your help. It is priceless.

        I already checked the tenant and it is “hydrated”.

        Microsoft support advise me, to remove all DNS records, to stop the DKIM from admin center and re-create it.
        This is madness.

        Is that “X-MS-TNEF-Correlator:” really important ? says that my e-mails and DKIM is fine.

        • I honously don’t know. What I have found is the following:

          If the X-MS-TNEF-Correlator header is empty or missing, it may lead to issues in decoding TNEF streams correctly. The correlation between the TNEF stream and the message envelope relies on this header to validate their association. Therefore, while support for the X-MS-TNEF-Correlator header field is not mandatory, its presence or correct value is crucial for ensuring the accurate decoding of TNEF streams

  2. I already have set-up DKIM records for other service – AWS SES.

    Will it be a problem to set-up office365 records too?

    Should I expect some conflict?

  3. Hi Ruud –

    A great article, very helpful. My online commerce site, from SquareSpace, sends customers email receipts from my domain which show up as unverified. The domain records are already configured with DMARC and DKIM for the emails I send. Can I add a second set of entries for DMARC and DKIM using the SquareSpace supplied values for DMARC and DKIM in my domain records?

  4. Hi Rudy, Maybe you know someone with similar issues? My EPS is GoDaddy

    When I access I cannot see any of my domains.

    I then try to access to add those domains from GoDaddy but every time i log in, it redirects me to my admin GoDaddy page.

    The GoDaddy support team sent me a link to but even there it says that my EPS should provide me with DKIM Key…

    Can I use EasyDMARC to generate DKIM is there another/better way?

  5. Hi Ruud
    Thanks for the article!
    I have a domain in office 365 for my company but then I have a couple of vendor sites that send emails as if from my company as well.
    If I enable DKIM will that then flag these as spoof emails?
    I have already added them to my SPF record and they are working now.
    What do you think?

  6. Thanks for the article! Any recommendation on the importance of rotating DKIM keys and how to rotate the DKIM keys through Powershell? We have about 45 custom domains and it’d be tremendously helpful if we can do this through PS. Thanks in Advance!

  7. Hi Guys,

    So trying to Setup DKIM between our o365 and external email gateway.
    Email flow from outside and outside 365:
    – Via MX to gateway to 365 to user.
    Email from outside but another unrelated 365 tenant:
    – Via Microsoft routing address to our 365 tenant to gateway back to 365 to user.

    Sending emails is easier 365 to gateway and out.

    At the moment I have my own DKIM keys on all our mail sending domains using our own selectors so that email gateway understands them and uses them to sign emails.

    However, no matter what at the end email goes out as sent from:

    I need to align it, so I get full DKIM pass how do I do that?
    Can’t turn on DKIM in 365 for email sending domains as those domains do not send from there.

    Any siggestions?

  8. Excellent article – wish Microsoft would write their articles this way.
    On “Protecting Domains that don’t send mail” I have multiple domains that I receive email on but I do not send mail from at all , I just add them as alias’s to my primary email.
    When adding them to 365 I had to create the usual SPF “v=spf1 -all”
    Should I edit that to your’s “Name: *
    Value: v=DKIM1; p=” or add as another SPF ?
    If editing will doing this make this domain unhealthy in 365 domain ?

  9. Excellent article and I echo the last comment about your documentation being much clearer to follow than Microsoft’s. Thank you from another lazy admin!

  10. This is a far better article than Microsoft’s own help page! They make what is a relatively simple process, look far more complicated.

    I realise that I am posting this comment (July 22) 6 months on from the last update (Feb 22) however when running the DKIM test in the admin centre, the message after running tests simply says “Our tests didn’t find any problems.” which is a lot less reassuring than “…successfully created and enabled”.

  11. Hi Rudy, when entering the host name do you need to place a trailing “.”at the end

    for example

    when I am adding the CNAME records at my DNS registrar I get the following warning

    “Warning: A hostname entry usually ends with a dot (.) unless you specifically want it to be suffixed by the current domain.”

      • Hi Rudd, thanks for getting back to me.
        I found, by accident it is not a fixed rule for all DNS providers.
        I have domains with Gandi and Go Daddy with one proxied via Cloudflare.
        As you correctly state Gandi DNS like many others doesn’t work if you leave the trailing dot out.

        Interestingly Cloudflare does not seem to need the dot. I was working that as a test and started that before you replied.
        Their GUI must assume it because I did not enter the dot and it worked fine. This is what got me so confused because without the dot Gandi wasn’t working.

        Thanks for your help and this excellent article too.

  12. I have a custom domain,, and domain. Does that mean I don’t need to setup DKIM? When I check Microsoft 365 Defender DKIM settings, DKIM is only enabled for the domain.

  13. Great article.

    Do you have plans for a DMARC article to wrap it all up?

    Thanks for taking the time to share your experience.

Leave a Comment