How to Configure DKIM for Office 365

DKIM is the second authentication method that helps verify that mail sent from your Office 365 tenant is legitimate. Together with SPF and DMARC, it prevents attackers from spoofing your emails.

Where SPF is required to send emails from Office 365, configuring DKIM (together with DMARC) is recommended. When you have more than one custom domain in Office 365, you really should configure DKIM, because the built-in DKIM configuration in Office 365 is insufficient in that case.

In this article, we are going to add the appropriate records to our DNS Hosting provider and configure DKIM in Office 365.

We will also look at configuring DKIM for domains that don’t send emails and I have a couple of small PowerShell scripts for you when you need to configure it for multiple domains.

Configure DKIM for Office 365

If you are using the default .onmicrosoft.com domain, then you don’t need to configure DKIM in Office 365. Configuring DKIM is also not required when you have only one custom domain: Microsoft 365 uses its default policy and a 2048-bit public DKIM key for your domain if you don’t enable it yourself.

But when you have more than one custom domain, or also intend to configure DMARC (recommended), then you will need to manually set up DKIM in Office 365.

To configure DKIM we need to have access to the DNS records. Keep in mind that it can take some time (from a couple of minutes to 24 hours) until the DNS changes are processed.

Note

You will need to follow the steps below for every domain that you want to enable DKIM for in your tenant.

I am using Cloudflare as a DNS Hosting provider, which I will be showing in the screenshots below. If you don’t know how to change your DNS records, then contact your hosting provider to assist you.

Time needed: 5 minutes.

  1. Create DKIM Keys


    We are first going to create the DKIM keys in the Microsoft 365 security center. Even though they all have the same format, this will make it easier to copy and paste the correct DNS record values.

    If you don’t see the option Create DKIM Keys, then just go to the next step.

    1. Log in at security.microsoft.com/dkimv2
    2. Select the domain that you are sending mail from
    3. Click Create DKIM Keys


  2. Copy or Write down the keys


    All the DKIM Keys have the same format. In the example below you can replace contoso-com with your domain name and contoso.onmicrosoft.com with your onmicrosoft.com domain.

    Name: selector1._domainkey
    Value: selector1-contoso-com._domainkey.contoso.onmicrosoft.com

    Name: selector2._domainkey
    Value: selector2-contoso-com._domainkey.contoso.onmicrosoft.com

    Note the - instead of the . in your domain name!

  3. Log in at your DNS hosting provider


    We can now create the appropriate DNS records.

    – Log in at your DNS hosting provider.
    – Navigate to your DNS records management

  4. Create the DKIM Records


    We will need to create the two CNAME records.

    – Add a new DNS Record
    – Select type: CNAME
    – Enter the name and value of the DKIM key

    Repeat it for the second DKIM record (just change the 1 into 2).


  5. Enable DKIM


    Depending on your DNS hosting provider we will now need to wait a couple of minutes or maybe even a day. (Not all DNS providers are fast with updating DNS records).

    Go back to the Security Admin Center and enable DKIM for your domain:

    1. Select your domain
    2. Enable “Sign messages for this domain with DKIM signatures”

    If you get an error that the CNAME records are not found, then just wait a bit longer. After 24 hours it should work. If you then still get the error, double-check the name and value of both CNAME records.


Check DKIM Records for Office 365

It’s always a good idea to verify the DNS record configuration. A great site for this is Mxtoolbox.com but we can also use the Microsoft help in the Admin center for this.

  1. Open DKIM Test page
  2. Enter your domain name
  3. Click Run Tests

The test takes a couple of seconds to complete. When it’s successful you will see the following result for your domain:


Protecting Domains that don’t send mail

If you have domains that don’t send mail, then it’s a good idea to protect those as well. This may sound strange, but these domains can still be used for spoofing and phishing attacks. You can also do this for subdomains that don’t send emails.

By publishing a single wildcard DNS TXT record with an empty key, we tell receiving mail systems that any DKIM signature claiming this domain is invalid and that the mail should be rejected.

We can use a TXT record for this with the following format:

Name: *._domainkey.non-mail-domain.com
Value: v=DKIM1; p=
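As an added example (not code from the original article), the following Python script derives the two CNAME records from step 2 for any custom domain and checks, through a DNS lookup function, whether each selector publishes a key, the empty-key record used above for non-mail domains, or nothing at all. The DNS data and the key value are constructed placeholders; replace `SAMPLE_CNAME.get` and `sample_txt` with real lookups to check your own domains.

```python
# Added example (not from the original article): derive the DKIM CNAME records
# Office 365 expects for a custom domain and check what each selector publishes.

def dkim_cname_records(domain, onmicrosoft_domain):
    """Selector host -> expected CNAME target (dots in the domain become dashes)."""
    dashed = domain.replace(".", "-")
    return {f"selector{n}._domainkey.{domain}":
            f"selector{n}-{dashed}._domainkey.{onmicrosoft_domain}" for n in (1, 2)}

def parse_dkim_txt(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def check_dkim(domain, onmicrosoft_domain, lookup_cname, lookup_txt):
    """Per selector host: 'ok', 'revoked' (empty p=, as published for non-mail
    domains), 'no-key' (nothing published) or 'wrong-cname'."""
    result = {}
    for name, expected in dkim_cname_records(domain, onmicrosoft_domain).items():
        tags = parse_dkim_txt(lookup_txt(name) or "")  # resolver follows CNAMEs
        if not tags or tags.get("v", "DKIM1") != "DKIM1":
            result[name] = "no-key"
        elif not tags.get("p"):
            result[name] = "revoked"
        elif (lookup_cname(name) or "").rstrip(".").lower() != expected.lower():
            result[name] = "wrong-cname"
        else:
            result[name] = "ok"
    return result

# Constructed stand-in for DNS: contoso.com is configured as in the article,
# nomail.contoso.com only carries the wildcard empty-key record. Key is a placeholder.
SAMPLE_CNAME = {
    "selector1._domainkey.contoso.com": "selector1-contoso-com._domainkey.contoso.onmicrosoft.com.",
    "selector2._domainkey.contoso.com": "selector2-contoso-com._domainkey.contoso.onmicrosoft.com.",
}
SAMPLE_TXT = {
    "selector1-contoso-com._domainkey.contoso.onmicrosoft.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY",
    "selector2-contoso-com._domainkey.contoso.onmicrosoft.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY",
    "*._domainkey.nomail.contoso.com": "v=DKIM1; p=",
}

def sample_txt(name):
    name = SAMPLE_CNAME.get(name, name).rstrip(".")  # follow the CNAME, if any
    return SAMPLE_TXT.get(name) or SAMPLE_TXT.get("*." + name.split(".", 1)[1])
```

Running `check_dkim("contoso.com", "contoso.onmicrosoft.com", SAMPLE_CNAME.get, sample_txt)` reports both selectors as ok, while the nomail subdomain reports revoked for both.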


Using PowerShell to create and enable DKIM

When you need to enable DKIM for multiple domains in your tenant, it can be useful to use PowerShell. With PowerShell, we can create the DKIM signing configuration for all domains in your tenant and, after you have created the CNAME records, enable DKIM for all of them.

Make sure that you are connected to Exchange Online.

# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName [email protected]

# Get all domains in your tenant, create the DKIM signing config where it
# does not exist yet (kept disabled until the CNAME records are in place),
# and show the two CNAME values you need to publish
Get-AcceptedDomain | ForEach-Object {
    Write-Host $_.Name -ForegroundColor Cyan
    if (-not (Get-DkimSigningConfig -Identity $_.Name -ErrorAction SilentlyContinue)) {
        New-DkimSigningConfig -DomainName $_.Name -Enabled $false | Out-Null
    }
    Get-DkimSigningConfig -Identity $_.Name | Format-List Selector1CNAME, Selector2CNAME
}

You can also output it to a file:

$file = "c:\temp\dkim.txt"

# Append the domain name and its two CNAME values to the file
Get-AcceptedDomain | ForEach-Object {
    $_.Name | Out-File $file -Append
    Get-DkimSigningConfig -Identity $_.Name | Format-List Selector1CNAME, Selector2CNAME | Out-File $file -Append
}

Next you will need to create the CNAME records. After you have done that, and waited the appropriate amount of time, you can enable DKIM in Office 365 with the following PowerShell script:

# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName [email protected]

# Enable DKIM for each domain (the CNAME records must already resolve)
Get-AcceptedDomain | ForEach-Object {
    Write-Host "Enabling DKIM for $($_.Name)" -ForegroundColor Cyan
    Set-DkimSigningConfig -Identity $_.Name -Enabled $true
}

Wrapping Up

DKIM, together with SPF and DMARC, not only prevents spoofing of your mail domain but also helps with the safe delivery of your emails to your clients’ and customers’ mailboxes. All mail providers, like Gmail, Outlook, Microsoft 365, etc., want to verify whether an email is legitimate.

When in doubt they move the mail to the junk or spam folder, which of course you don’t want. Make sure you also configure DMARC for your domain, so that you have all the authentication methods in place.

If you have any questions, just drop a comment below.


3 thoughts on “How to Configure DKIM for Office 365”

  1. Great article.

    Do you have plans for a DMARC article to wrap it all up?

    Thanks for taking the time to share your experience.
