To configure DKIM, you will complete these steps:
- Publish two CNAME records for your custom domain in DNS
- Enable DKIM signing for your custom domain in Office 365
Publish two CNAME records for your custom domain in DNS
For each domain for which you want to add a DKIM signature in DNS, you need to publish two CNAME records. A CNAME record is used by DNS to specify that the canonical name of a domain is an alias for another domain name.
Office 365 performs automatic key rotation using the two records that you establish. If you have provisioned custom domains in addition to the initial domain in Office 365, you must publish two CNAME records for each additional domain. So, if you have two domains, you must publish two additional CNAME records, and so on.
Use the following format for the CNAME records:
Host name: selector1._domainkey.<domain>
Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>
TTL: 3600

Host name: selector2._domainkey.<domain>
Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain>
TTL: 3600
- For Office 365, the selectors will always be “selector1” or “selector2”.
- domainGUID is the same as the domainGUID in the customized MX record for your custom domain that appears before mail.protection.outlook.com. For example, in the following MX record for the domain contoso.com, the domainGUID is contoso-com:
contoso.com. 3600 IN MX 5 contoso-com.mail.protection.outlook.com
- initialDomain is the domain that you used when you signed up for Office 365. For information about determining your initial domain, see Domains FAQ.
For example, if you have an initial domain of cohovineyardandwinery.onmicrosoft.com, and two custom domains cohovineyard.com and cohowinery.com, you would need to set up two CNAME records for each additional domain, for a total of four CNAME records.
Host name: selector1._domainkey.cohovineyard.com
Points to address or value: selector1-cohovineyard-com._domainkey.cohovineyardandwinery.onmicrosoft.com
TTL: 3600

Host name: selector2._domainkey.cohovineyard.com
Points to address or value: selector2-cohovineyard-com._domainkey.cohovineyardandwinery.onmicrosoft.com
TTL: 3600

Host name: selector1._domainkey.cohowinery.com
Points to address or value: selector1-cohowinery-com._domainkey.cohovineyardandwinery.onmicrosoft.com
TTL: 3600

Host name: selector2._domainkey.cohowinery.com
Points to address or value: selector2-cohowinery-com._domainkey.cohovineyardandwinery.onmicrosoft.com
TTL: 3600
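A pre-flight check for the CNAME format described above, as an added example that is not part of the original documentation: it derives the two expected records from a domain's MX host and compares them with what is actually published. The function names Get-ExpectedDkimCname and Test-DkimCname, the cohowinery.com MX host, and the published sample records are constructed for illustration.

```powershell
# Added example; Get-ExpectedDkimCname and Test-DkimCname are hypothetical helper names.
function Get-ExpectedDkimCname {
    param([string]$Domain, [string]$MxTarget, [string]$InitialDomain)
    # domainGUID is the part of the MX host before mail.protection.outlook.com
    $suffix = '.mail.protection.outlook.com'
    $mx = $MxTarget.TrimEnd('.').ToLowerInvariant()
    if (-not $mx.EndsWith($suffix)) {
        throw "MX target '$MxTarget' is not an Office 365 MX host; cannot derive domainGUID."
    }
    $domainGuid = $mx.Substring(0, $mx.Length - $suffix.Length)
    foreach ($selector in 'selector1', 'selector2') {
        [pscustomobject]@{
            HostName = ('{0}._domainkey.{1}' -f $selector, $Domain).ToLowerInvariant()
            Target   = ('{0}-{1}._domainkey.{2}' -f $selector, $domainGuid, $InitialDomain).ToLowerInvariant()
        }
    }
}

function Test-DkimCname {
    # -Published maps host name -> CNAME target; when omitted, live DNS is queried.
    param([object[]]$Expected, [hashtable]$Published)
    foreach ($rec in $Expected) {
        if ($PSBoundParameters.ContainsKey('Published')) {
            $actual = $Published[$rec.HostName]
        } else {
            $actual = Resolve-DnsName -Name $rec.HostName -Type CNAME -ErrorAction SilentlyContinue |
                Where-Object Type -eq 'CNAME' | Select-Object -First 1 -ExpandProperty NameHost
        }
        # Normalize: drop the trailing root dot and compare case-insensitively
        $actual = if ($actual) { ([string]$actual).TrimEnd('.').ToLowerInvariant() } else { $null }
        $status = if (-not $actual) { 'Missing' } elseif ($actual -eq $rec.Target) { 'OK' } else { 'Mismatch' }
        [pscustomobject]@{ HostName = $rec.HostName; Expected = $rec.Target; Actual = $actual; Status = $status }
    }
}

# Constructed sample: records as published for cohowinery.com, with a typo in the selector2 target
# ("cohowinery.com" instead of "cohowinery-com").
$published = @{
    'selector1._domainkey.cohowinery.com' = 'selector1-cohowinery-com._domainkey.cohovineyardandwinery.onmicrosoft.com.'
    'selector2._domainkey.cohowinery.com' = 'selector2-cohowinery.com._domainkey.cohovineyardandwinery.onmicrosoft.com.'
}
$lookup = @{
    Domain        = 'cohowinery.com'
    MxTarget      = 'cohowinery-com.mail.protection.outlook.com'   # constructed MX host
    InitialDomain = 'cohovineyardandwinery.onmicrosoft.com'
}
$result = Test-DkimCname -Expected (Get-ExpectedDkimCname @lookup) -Published $published
$result | Format-List
if ($result.Status -ne 'OK') { Write-Warning 'Correct the CNAME records before enabling DKIM signing.' }
```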
Enable DKIM signing for your custom domain in Office 365
Once you have published the CNAME records in DNS, you are ready to enable DKIM signing through Office 365. You can do this either through the Office 365 admin center or by using PowerShell.
To enable DKIM signing for your custom domain through the Office 365 admin center
- Sign in to Office 365 with your work or school account.
- Select the app launcher icon in the upper-left and choose Admin.
- In the lower-left navigation, expand Admin and choose Exchange.
- Go to Protection > dkim.
- Select the domain for which you want to enable DKIM and then, for Sign messages for this domain with DKIM signatures, choose Enable. Repeat this step for each custom domain.
To enable DKIM signing for your custom domain by using PowerShell
- Connect to Exchange Online using remote PowerShell.
- Run the following cmdlet:
New-DkimSigningConfig -DomainName <domain> -Enabled $true
Where _domain_ is the name of the custom domain for which you want to enable DKIM signing. For example, for the domain contoso.com:
New-DkimSigningConfig -DomainName contoso.com -Enabled $true
https://docs.microsoft.com/en-us/office365/securitycompliance/use-dkim-to-validate-outbound-email#what-you-need-to-do-to-manually-set-up-dkim-in-office-365