Setting DKIM for Microsoft 365 domain

DKIM (RFC 6376) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding — which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail.

DKIM is the authentication protocol that survives email forwarding, says Brad Slavin, CEO of DuoCircle. When SPF fails because a forwarder’s IP isn’t in the original record, DKIM alignment is the only path to DMARC pass. That’s why we monitor DKIM alongside SPF in every DMARC Report dashboard.

					DMARC Report					

				

Setting DKIM for Microsoft 365 domain

					<button title="Play" aria-label="Play Episode" aria-pressed="false" class="play-btn">
						

Play Episode

					</button>
					<button title="Pause" aria-label="Pause Episode" aria-pressed="false" class="pause-btn hide">
						

Pause Episode

					</button>
					


				

				

					<audio preload="none" class="clip clip-23156">
						<source src="/images/wp/2025/03/Setting-DKIM-for-Microsoft-365-domain.mp3">
					</audio>
					

						

					

					

						

							<button class="player-btn player-btn__volume" title="Mute/Unmute">
								

Mute/Unmute Episode

							</button>
							<button data-skip="-10" class="player-btn player-btn__rwd" title="Rewind 10 seconds">
								

Rewind 10 Seconds

							</button>
							<button data-speed="1" class="player-btn player-btn__speed" title="Playback Speed" aria-label="Playback Speed">1x</button>
							<button data-skip="30" class="player-btn player-btn__fwd" title="Fast Forward 30 seconds">
								

Fast Forward 30 seconds

							</button>
						

						

							<time class="ssp-timer">00:00</time>
							

/

							<!-- We need actual duration here from the server -->
							<time class="ssp-duration" datetime="PT0H2M16S">2:16</time>
						

					

				

			

								<nav class="player-panels-nav">
												<button class="subscribe-btn" id="subscribe-btn-23156" title="Subscribe">Subscribe</button>
																		<button class="share-btn" id="share-btn-23156" title="Share">Share</button>
										</nav>
						

	



		

						

				

					

					

				

				

					

																																																																								

					

						

RSS Feed

							<input value="https://dmarcreport.com/feed/podcast/dmarc-report" class="input-rss input-rss-23156" title="RSS Feed URL" readonly />
						

						<button class="copy-rss copy-rss-23156" title="Copy RSS Feed URL" aria-label="Copy RSS Feed URL"></button>
					

				

			

									

				

					

					

				

				

					

						Share						

					

						<a href="https://www.facebook.com/sharer/sharer.php?u=https://dmarcreport.com/blog/podcast/setting-dkim-for-microsoft-365-domain/&t=Setting DKIM for Microsoft 365 domain" target="blank" rel="noopener noreferrer" class="share-icon facebook" title="Share on Facebook">
							

						</a>
						<a href="https://twitter.com/intent/tweet?text=https://dmarcreport.com/blog/podcast/setting-dkim-for-microsoft-365-domain/&url=Setting DKIM for Microsoft 365 domain" target="blank" rel="noopener noreferrer" class="share-icon twitter" title="Share on Twitter">
							

						</a>
						<a href="/images/wp/2025/03/Setting-DKIM-for-Microsoft-365-domain.mp3" target="blank" rel="noopener noreferrer" class="share-icon download" title="Download" download>
							

						</a>
					

				

				

					

						Link						

					

						<input value="https://dmarcreport.com/blog/podcast/setting-dkim-for-microsoft-365-domain/" class="input-link input-link-23156" title="Episode URL" readonly />
					

					<button class="copy-link copy-link-23156" title="Copy Episode URL" aria-label="Copy Episode URL" readonly=""></button>
				

				

					

						Embed						

					

						<input type="text" value='<blockquote class="wp-embedded-content" data-secret="ZBMpeUoqSh"><a href="https://dmarcreport.com/blog/podcast/setting-dkim-for-microsoft-365-domain/">Setting DKIM for Microsoft 365 domain</a></blockquote><iframe sandbox="allow-scripts" security="restricted" src="https://dmarcreport.com/blog/podcast/setting-dkim-for-microsoft-365-domain/embed/#?secret=ZBMpeUoqSh" width="500" height="350" title=""Setting DKIM for Microsoft 365 domain" — DMARC Report" data-secret="ZBMpeUoqSh" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" class="wp-embedded-content"></iframe><script>

/*! This file is auto-generated / !function(d,l){“use strict”;l.querySelector&&d.addEventListener&&“undefined”!=typeof URL&&(d.wp=d.wp||{},d.wp.receiveEmbedMessage||(d.wp.receiveEmbedMessage=function(e){var t=e.data;if((t||t.secret||t.message||t.value)&&!/[^a-zA-Z0-9]/.test(t.secret)){for(var s,r,n,a=l.querySelectorAll(‘iframe[data-secret=”‘+t.secret+’”]’),o=l.querySelectorAll(‘blockquote[data-secret=”‘+t.secret+’”]’),c=new RegExp(“^https?:$”,“i”),i=0;i<o.length;i++)o[i].style.display=“none”;for(i=0;i<a.length;i++)s=a[i],e.source===s.contentWindow&&(s.removeAttribute(“style”),“height”===t.message?(1e3<(r=parseInt(t.value,10))?r=1e3:~~r<200&&(r=200),s.height=r):“link”===t.message&&(r=new URL(s.getAttribute(“src”)),n=new URL(t.value),c.test(n.protocol))&&n.host===r.host&&l.activeElement===s&&(d.top.location.href=t.value))}},d.addEventListener(“message”,d.wp.receiveEmbedMessage,!1),l.addEventListener(“DOMContentLoaded”,function(){for(var e,t,s=l.querySelectorAll(“iframe.wp-embedded-content”),r=0;r<s.length;r++)(t=(e=s[r]).getAttribute(“data-secret”))||(t=Math.random().toString(36).substring(2,12),e.src+=”#?secret=“+t,e.setAttribute(“data-secret”,t)),e.contentWindow.postMessage({message:“ready”,secret:t},"")},!1)))}(window,document); //# sourceURL=https://dmarcreport.com/wp-includes/js/wp-embed.min.js ’ title=“Embed Code” class=“input-embed input-embed-23156” readonly/>

					<button class="copy-embed copy-embed-23156" title="Copy Embed Code" aria-label="Copy Embed Code"></button>
				

			

				

Microsoft highly encourages its users to deploy DKIM in tandem with SPF and DMARC for **holistic and efficient protection against phishing and spoofing of emails. DKIM digitally signs all outgoing emails, preventing malicious actors from altering messages in transit. When properly configured, DKIM adds a cryptographic signature to outgoing emails, which helps recipients to verify their authenticity.

In this guide, we’ll walk you through the step-by-step process of enabling DKIM for your Microsoft 365 domain to enhance email security, improve deliverability, and strengthen your domain’s reputation. Let’s get started!

DKIM for MOERA users

If you are a Microsoft Online Email Routing Address or MOERA domain user, then you don’t have to worry about DKIM configurations. This is because Microsoft itself takes care of MOERA domains using 2048-bit strong public and private keys. All the outgoing emails are signed using this cryptographically **secured key pair **that helps the receiving server verify if someone has tampered with the email content in transit.

DKIM for custom domain users

**Microsoft automatically signs outgoing emails, but you still have to ensure the following for optimum protection against email-based menaces-

• For DKIM authentication to succeed under DMARC, the domain used to sign the email must match the domain in the From address.

• When using third-party email providers (such as bulk mailing services), configure DKIM on a subdomain instead of the primary domain. This helps safeguard your main domain’s reputation from potential issues with these services. Keep in mind that each domain requires a separate DKIM setup.

• Avoid publishing DKIM records for unused or parked domains, as this could allow attackers to exploit them for spoofed emails that pass DKIM validation.

• For comprehensive email security, implement SPF and DMARC alongside DKIM to create a robust authentication framework for your domain.

How Do You Configure DKIM signing in Microsoft 365?

If you enable DKIM signing for a custom domain, the signing process switches from using the .onmicrosoft domain to the custom domain . For this process, you can use a domain or subdomain.

Before proceeding with the steps, ensure that your custom domain or subdomain appears in the DKIM tab of the email authentication settings page.

Verify DKIM Settings in the **Details Flyout When you access the details flyout, check for the following:

• The ‘Sign messages for this domain with DKIM signatures’ toggle should be set to Disabled.

• The ‘Status’ should display ‘Not signing DKIM signatures for this domain.’

• The ‘Create DKIM keys’ option should not be visible.

• The ‘Rotate DKIM keys’ option should be present but grayed out.

If everything matches, proceed with the next steps.

Enable DKIM in the Defender Portal

• Open the Defender portal.

• Navigate to **Email & collaboration

Policies & rules > Threat policies > Email Authentication Settings**.

• Click on the DKIM tab and select the custom domain you want to configure by clicking anywhere in the row (except the checkbox).

• In the details flyout, locate the ‘Sign messages for this domain with DKIM signatures’ toggle, which is currently set to ‘Disabled.’ Also, take note of the ‘Last checked date.’

• An error message will appear, displaying the values needed to create two CNAME records at your domain registrar. Then, you need to create the following CNAME records for your domain.

**Hostname: **selector1.domainkey

Points to address or value: _selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com **Hostname: **selector2.domainkey

Points to address or value: _selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com

• Copy the details from the **error dialog and click ‘OK.’ - Keep the **domain details flyout open.

• In a new browser tab or window, go to your **domain registrar’s platform and create **two CNAME records using the copied information.

• Wait a few minutes to allow Microsoft to detect the newly added CNAME records.

• Return to the **details flyout from step 5 and enable the **‘Sign messages for this domain with **DKIM signatures’ toggle.

• A confirmation **dialog box will appear—click ‘OK’ to close it.

• In the details flyout, verify the following:

• The ‘Sign messages for this domain with DKIM signatures’ toggle is now Enabled.

• The **Status displays ‘Signing DKIM signatures for this domain.’ - The ‘Rotate DKIM keys’ option is now available and no longer grayed out.

• The ‘Last checked date’ has been updated from what you noted earlier.

Configuring DKIM for Microsoft can get confusing. Contact us for help.