Setting DKIM for Microsoft 365 domain


Microsoft recommends deploying DKIM together with SPF and DMARC for effective protection against phishing and spoofing of email. DKIM adds a cryptographic signature to outgoing messages; the receiving server checks that signature against the public key published in the sender's DNS, so any alteration of the signed headers or body in transit is detected and the message can be treated as unauthenticated. DKIM does not stop a message from being modified, but it makes the modification visible to the recipient.

In this guide, we’ll walk you through the step-by-step process of enabling DKIM for your Microsoft 365 domain to enhance email security, improve deliverability, and strengthen your domain’s reputation. Let’s get started!

DKIM for MOERA users

If your tenant only sends mail from its Microsoft Online Email Routing Address (MOERA) domain, the *.onmicrosoft.com domain created with the tenant, there is no DKIM configuration to do. Microsoft provisions a 2048-bit RSA key pair for that domain and signs all outgoing mail with it, so a receiving server can verify that the signed content was not tampered with in transit.


DKIM for custom domain users

For a custom domain, Microsoft 365 still signs outgoing mail by default, but it does so with the tenant's *.onmicrosoft.com domain rather than your own (the d= value in the DKIM-Signature header is the MOERA domain). That signature is valid, but it does not align with your From address, so it does nothing for DMARC. For real protection against email-based attacks, make sure of the following:

  • For DKIM to count under DMARC, the signing domain (the d= tag in the DKIM-Signature header) must align with the domain in the From header: an exact match under strict alignment, or the same organizational domain (for example mail.contoso.com signing for contoso.com) under the default relaxed alignment.
  • When a third-party provider (such as a bulk mailing service) sends on your behalf, have it sign with a dedicated subdomain rather than your primary domain. A reputation problem at the provider then stays with the subdomain. Each domain or subdomain needs its own DKIM setup and its own DNS records.
  • Do not enable DKIM signing or publish DKIM records for unused or parked domains: a signing-enabled domain that nobody monitors lets any mailbox or connector in the tenant send DKIM-passing mail as that domain without anyone noticing. For such domains, publish an SPF record of v=spf1 -all and a DMARC policy of p=reject instead.
  • For comprehensive coverage, publish SPF and a DMARC policy alongside DKIM; each closes gaps the others leave.
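As an added example (not from the original post and not Microsoft's code), the following Python script evaluates the alignment rule above on three constructed messages: one signed with the custom domain, one signed only with the tenant's *.onmicrosoft.com domain (the default before DKIM is enabled), and one signed with a subdomain. It checks alignment only and assumes the signature itself has already been verified; the bh= and b= values are placeholders, and the organizational domain is approximated as the last two labels instead of consulting the Public Suffix List.

```python
import email
import email.utils
from email import policy

# Constructed sample messages (not real mail). bh= and b= are placeholders because
# this script checks DMARC alignment of the signing domain, not the signature.
MSG_CUSTOM_DOMAIN = """From: Alice <alice@contoso.com>
To: bob@example.net
Subject: DKIM enabled for the custom domain
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.com; s=selector1;
 h=From:To:Subject; bh=ZmFrZQ==; b=ZmFrZQ==

hello
"""

MSG_MOERA_DEFAULT = """From: Alice <alice@contoso.com>
To: bob@example.net
Subject: Default signing before DKIM is enabled for the custom domain
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.onmicrosoft.com;
 s=selector1-contoso-com; h=From:To:Subject; bh=ZmFrZQ==; b=ZmFrZQ==

hello
"""

MSG_SUBDOMAIN = """From: News <news@contoso.com>
To: bob@example.net
Subject: Bulk mailer signing with a dedicated subdomain
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.contoso.com; s=bulk;
 h=From:To:Subject; bh=ZmFrZQ==; b=ZmFrZQ==

hello
"""


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real DMARC evaluators use the Public Suffix List; this is fine for .com-style names."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (folding whitespace removed)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip()] = "".join(value.split())
    return tags


def from_domain(msg) -> str:
    """Domain of the RFC5322.From address, which is what DMARC aligns against."""
    address = email.utils.parseaddr(str(msg["From"]))[1]
    return address.rpartition("@")[2].lower()


def dkim_alignment(raw_message: str, mode: str = "relaxed") -> dict:
    """Evaluate DKIM identifier alignment for every DKIM-Signature on the message.

    mode is 'relaxed' (same organizational domain) or 'strict' (exact match),
    matching the adkim= tag of a DMARC record. The signature is assumed verified.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    fd = from_domain(msg)
    signatures = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(str(sig))
        d = tags.get("d", "").lower()
        aligned = d == fd if mode == "strict" else org_domain(d) == org_domain(fd)
        signatures.append({"d": d, "s": tags.get("s"), "aligned": aligned})
    return {
        "from_domain": fd,
        "signatures": signatures,
        "dmarc_dkim_pass": any(s["aligned"] for s in signatures),
    }


if __name__ == "__main__":
    for name, raw in [("custom domain", MSG_CUSTOM_DOMAIN),
                      ("MOERA default", MSG_MOERA_DEFAULT),
                      ("subdomain", MSG_SUBDOMAIN)]:
        for mode in ("relaxed", "strict"):
            result = dkim_alignment(raw, mode)
            print(f"{name:14} {mode:8} d={result['signatures'][0]['d']:28} "
                  f"aligned={result['dmarc_dkim_pass']}")
```

The MOERA-signed message fails under both modes, which is exactly why enabling DKIM for the custom domain matters: the default signature is cryptographically fine but counts for nothing in DMARC. The subdomain case passes only under relaxed alignment, so a DMARC record with adkim=s would reject it.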

Configuring DKIM signing in Microsoft 365

When you enable DKIM signing for a custom domain, Microsoft 365 switches the signing domain from the *.onmicrosoft.com domain to that custom domain. You can do this for a domain or for a subdomain.

Before you start, confirm that the custom domain or subdomain is listed on the DKIM tab of the Email authentication settings page; only domains that have already been added to and verified in Microsoft 365 appear there.

Verify DKIM Settings in the Details Flyout

Open the domain's details flyout and confirm the starting state:

  • The ‘Sign messages for this domain with DKIM signatures’ toggle should be set to Disabled.
  • The ‘Status’ should display ‘Not signing DKIM signatures for this domain.’
  • The ‘Create DKIM keys’ option should not be visible.
  • The ‘Rotate DKIM keys’ option should be present but grayed out.

If everything matches, proceed with the next steps.


Enable DKIM in the Defender Portal

  1. Open the Microsoft Defender portal.
  2. Navigate to Email & collaboration > Policies & rules > Threat policies > Email authentication settings.
  3. On the DKIM tab, select the custom domain you want to configure by clicking anywhere in its row except the checkbox.
  4. In the details flyout, note the ‘Last checked date’, then slide the ‘Sign messages for this domain with DKIM signatures’ toggle (currently ‘Disabled’) to Enabled.
  5. Because the required DNS records do not exist yet, an error dialog appears showing the values for the two CNAME records you must create at your DNS host.

Then create the following two CNAME records in the DNS zone of your custom domain. The hostnames are relative to that domain (the full names are selector1._domainkey.yourdomain.com and selector2._domainkey.yourdomain.com). In the target, yourdomain-com is your custom domain with its dots replaced by hyphens, and the part after _domainkey. is your tenant's initial *.onmicrosoft.com (MOERA) domain, which is not necessarily named after the custom domain. Copy the exact values from the error dialog rather than retyping them.

CNAME record 1

Hostname: selector1._domainkey

Points to address or value: selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com

CNAME record 2

Hostname: selector2._domainkey

Points to address or value: selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com

  6. Copy the values from the error dialog and click ‘OK.’
  7. Leave the domain details flyout open.
  8. In a new browser tab or window, sign in to your DNS host or registrar and create the two CNAME records with the copied values.
  9. Wait a few minutes for DNS to propagate and for Microsoft to detect the new records.
  10. Back in the details flyout, slide the ‘Sign messages for this domain with DKIM signatures’ toggle to Enabled.
  11. A confirmation dialog appears; click ‘OK’ to close it.
  12. In the details flyout, verify the following:
  • The ‘Sign messages for this domain with DKIM signatures’ toggle is now Enabled.
  • The Status displays ‘Signing DKIM signatures for this domain.’
  • The ‘Rotate DKIM keys’ option is now available and no longer grayed out.
  • The ‘Last checked date’ has moved forward from the value you noted earlier.
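To check the two CNAME records from the command line before flipping the toggle, here is an added Python checker (not part of the original post and not Microsoft's tooling). It computes the hostnames and targets Microsoft 365 expects from a custom domain and the tenant's initial domain, parses `dig +noall +answer` output, and reports the mistakes that usually explain a toggle that refuses to enable: a missing record, a TXT record where a CNAME is required, or a DNS host that appended the zone name to the target. The domain names and the dig output below are constructed for the example.

```python
"""Offline checker for the two CNAME records Microsoft 365 DKIM signing needs."""


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop a trailing dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")


def expected_dkim_cnames(custom_domain: str, initial_domain: str) -> dict:
    """Return {hostname: target} for selector1 and selector2.

    custom_domain  - the domain you are enabling signing for, e.g. 'contoso.com'
    initial_domain - the tenant's initial *.onmicrosoft.com (MOERA) domain. It is a
                     separate input on purpose: it is not derived from the custom
                     domain, so copy it from the error dialog.
    The target label is the custom domain with its dots replaced by hyphens.
    """
    custom = normalize(custom_domain)
    initial = normalize(initial_domain)
    dashed = custom.replace(".", "-")
    return {
        f"selector{n}._domainkey.{custom}": f"selector{n}-{dashed}._domainkey.{initial}"
        for n in (1, 2)
    }


def parse_dig_answers(text: str) -> dict:
    """Parse `dig +noall +answer` lines ('name ttl IN TYPE rdata') into {hostname: (TYPE, rdata)}."""
    answers = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2].upper() == "IN":
            answers[normalize(parts[0])] = (parts[3].upper(), " ".join(parts[4:]))
    return answers


def check_dkim_cnames(custom_domain: str, initial_domain: str, answers: dict) -> list:
    """Compare resolver answers with the expected records; an empty list means all good."""
    problems = []
    custom = normalize(custom_domain)
    for host, want in expected_dkim_cnames(custom_domain, initial_domain).items():
        rec = answers.get(host)
        if rec is None:
            problems.append(f"{host}: no record (not created yet or not propagated)")
            continue
        rtype, rdata = rec
        if rtype != "CNAME":
            problems.append(f"{host}: found a {rtype} record, Microsoft 365 needs a CNAME")
            continue
        got = normalize(rdata)
        if got == want:
            continue
        if got == f"{want}.{custom}":
            problems.append(f"{host}: DNS host appended the zone to the target ({got}); "
                            "enter the target fully qualified (with a trailing dot)")
        else:
            problems.append(f"{host}: points to {got}, expected {want}")
    return problems


# Constructed dig output: selector1 is correct, selector2 shows the appended-zone
# mistake. Real output comes from, for each selector:
#   dig +noall +answer selector1._domainkey.contoso.com CNAME
SAMPLE_DIG_OUTPUT = """\
selector1._domainkey.contoso.com. 3600 IN CNAME selector1-contoso-com._domainkey.contoso.onmicrosoft.com.
selector2._domainkey.contoso.com. 3600 IN CNAME selector2-contoso-com._domainkey.contoso.onmicrosoft.com.contoso.com.
"""

if __name__ == "__main__":
    found = parse_dig_answers(SAMPLE_DIG_OUTPUT)
    report = check_dkim_cnames("contoso.com", "contoso.onmicrosoft.com", found)
    for line in report or ["both CNAME records match what Microsoft 365 expects"]:
        print(line)
```

Run it against your own `dig` output for both selectors; when it reports nothing, the portal should accept the toggle on its next check. The appended-zone case is worth a look even when the portal eventually errors out with a generic message, because many DNS hosts silently qualify a target that is entered without a trailing dot.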

Configuring DKIM for Microsoft can get confusing. Contact us for help. 
