DKIM is the second authentication method that helps with verifying mail sent from your Office 365 is legitimate. Together with SPF and DMARC, this prevents attackers from spoofing your emails.
Where SPF is required to send emails from Office 365, is DKIM recommended to configure (together with DMARC). When you have more the one custom domain in Office 365, then you really should configure DKIM, because the built-in DKIM Configuration in Office 365 is insufficient then.
In this article, we are going to add the appropriate records to our DNS Hosting provider and configure DKIM in Office 365.
We will also look at configuring DKIM for domains that don’t send emails and I have a couple of small PowerShell scripts for you when you need to configure it for multiple domains.
Configure DKIM for Office 365
If you are using the default .onmicrosoft.com domain, then you don’t need to configure DKIM in Office 365. Also when you have only one custom domain is configuring DKIM is not required. Microsoft 365 uses its default policy and 2048-bit public DKIM key for your domain if you don’t enable it yourself.
But when you have more than one custom domain, or also intend to configure DMARC (recommend), then you will need to manually set up DKIM in Office 365.
To configure DKIM we need to have access to the DNS records. Keep in mind that it can take some time (from a couple of minutes to 24 hours) until the DNS changes are processed.
Note: You will need to follow the steps below for every domain that you want to enable DKIM for in your tenant.
I am using Cloudflare as a DNS Hosting provider, which I will be showing in the screenshots below. If you don’t know how to change your DNS records, then contact your hosting provider to assist you.
1. Create DKIM Keys
We are first going to create the DKIM keys in the Microsoft 365 security center. Even though they all have the same format, this will make it easier to copy and paste the correct DNS record values
If you don’t see the option Create DKIM Keys, then just go to the next step.
1. Login at security.microsoft.com/dkimv2
2. Select the domain that you are sending mail from
3. Click Create DKIM Keys
2. Copy or Write down the keys
All the DKIM Keys have the same format. In the example below you can replace contoso-com with your domain name and contoso.onmicrosoft.com with your onmicrosoft.com domain.
Name: selector1._domainkey
Value: selector1-contoso-com._domainkey.contoso.onmicrosoft.com
Name: selector2._domainkey
Value: selector2-contoso-com._domainkey.contoso.onmicrosoft.com
Note the – instead of the . in your domain name!
3. Login at your DNS hosting provider
We can now create the appropriate DNS records.
– Log in at your DNS hosting provider.
– Navigate to your DNS records management
4. Create the DKIM Records
We will need to create the two CNAME records.
– Add a new DNS Record
– Select type: CNAME
– Enter the name and value of the DKIM key
Repeat it for the second DKIM record (just change the 1 into 2)
5. Enable DKIM
Depending on your DNS hosting provider we will now need to wait a couple of minutes or maybe even a day. (Not all DNS providers are fast with updating DNS records).
Go back to the Security Admin Center and enable DKIM for your domain
1. Select your domain
2. Enable “Sign messages for this domain with DKIM signatures”
If you get an error that the CNAME records are not found, then just wait a bit longer. After 24 hours it should work. If you then still get the error, then double-check the CNAME records name and value.
Check DKIM Records for Office 365
It’s always a good idea to verify the DNS record configuration. A great site for this is Mxtoolbox.com but we can also use the Microsoft help in the Admin center for this.
- Open DKIM Test page
- Enter your domain name
- Click Run Tests
The test takes a couple of seconds to complete. When it’s successful you will see the following result for your domain:
Protecting Domains that don’t send mail
If you have domains that don’t send mail, then it’s a good idea to protect does as well. This may sound strange, but these domains can still be used for spoofing and phishing attacks. You can also do this for subdomains that don’t send emails.
By creating a simple DNS TXT record we can tell the receiving mail systems that mail from this domain is invalid and should be rejected.
We can use a TXT record for this with the following format:
Name: *._domainkey.non-mail-domain.com
Value: v=DKIM1; p=
Using PowerShell to create and enable DKIM
When you need to enable DKIM for multiple domains in your tenant, then it might be useful to use PowerShell. With PowerShell, we can create the DKIM records for all domains in your tenant and enable DKIM after you have created the CNAME records.
Make sure that you are connected to Exchange Online.
1. # Connect to Exchange Online<font></font>
2. connect-exchangeonline -userprincipalname admin@contoso.com<font></font>
3. <font></font>
4. # Get all domains in your tenant and create DKIM records<font></font>
5. Get-AcceptedDomain | ForEach-Object {<font></font>
6. Write-Host $_.Name -ForegroundColor Cyan <font></font>
7. Get-DkimSigningConfig -Identity $_.Name | fl Selector1CNAME, Selector2CNAME<font></font>
8. }
You can also output it to a file:
1. $file = "c:\temp\dkim.txt"<font></font>
2. <font></font>
3. Get-AcceptedDomain | ForEach-Object {<font></font>
4. $_.Name | Out-File $file -Append<font></font>
5. Get-DkimSigningConfig -Identity $_.Name | fl Selector1CNAME, Selector2CNAME | Out-File $file -Append<font></font>
6. }
Next you will need to create the CNAME records. After you have done that, and waited the appropriate amount of time, you can enable DKIM in Office 365 with the following PowerShell script:
1. # Connect to Exchange Online<font></font>
2. connect-exchangeonline -userprincipalname admin@contoso.com<font></font>
3. <font></font>
4. # Enable DKIM for each domain<font></font>
5. Get-AcceptedDomain | ForEach-Object {<font></font>
6. Write-Host "Enabling DKIM for $_" -ForegroundColor Cyan <font></font>
7. Set-DkimSigningConfig -Identity $_.Name -Enabled $true<font></font>
8. }
Wrapping Up
DKIM, together with SPF and DMARC, not only prevents spoofing of your mail domain but also helps with the safe delivery of your emails at your clients/customers’ mailbox. All mail providers, like Gmail, Outlook, Microsoft 365, etc, want to verify if an email is legitimate.
When in doubt they move the mail to the junk or spam folder, which of course don’t want. Make sure you also configure DMARC for your domain, so that you have all the authentication methods in place for your domain.
If you have any questions, just drop a comment below.