DKIM (DomainKeys Identified Mail, RFC 6376) is the cryptographic signature attached to outgoing email so receivers can verify the message wasn't tampered with and that it actually came from a server authorized by your domain. To turn it on for Microsoft 365, you publish one or more DNS records at `<selector>._domainkey.<your-domain>` containing the public key matching the private key Microsoft 365 uses to sign.
Most ESPs (including Microsoft 365) ask you to publish CNAME records that point at hosted keys they manage. This is preferable to publishing the raw key text yourself — when the provider rotates keys, your DNS keeps pointing to the rotated key and nothing breaks.
Publish these DNS records
Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.
| Type | Host | Value |
|------|------|-------|
| CNAME | `selector1._domainkey` | `selector1-<your-domain-with-hyphens>._domainkey.<tenant>.onmicrosoft.com` |
| CNAME | `selector2._domainkey` | `selector2-<your-domain-with-hyphens>._domainkey.<tenant>.onmicrosoft.com` |
- Both selectors are required. Microsoft rotates keys between selector1 and selector2; if only one is published, mail signed with the rotated selector will fail DKIM.
- Replace `<your-domain-with-hyphens>` with your domain with dots replaced by hyphens (e.g. `example-com` for `example.com`). Replace `<tenant>` with your Microsoft 365 tenant name.
- After publishing, enable DKIM signing in the Defender portal. Until you flip the switch, the CNAMEs exist but Microsoft doesn't sign outbound mail.
Where in Microsoft 365
The DKIM configuration lives in Microsoft 365 Defender → Policies & rules → Threat policies → Email authentication settings.
Verify the records
After the records propagate, run the DKIM Checker against your domain with each selector to confirm the public key resolves and parses correctly.
`dig +short TXT <selector>._domainkey.your-domain.com`

Common pitfalls
- Forgetting to enable DKIM signing in the Defender portal after publishing the CNAMEs is the single most common Microsoft 365 setup error.
- Older Microsoft documentation references `selector1` only — both `selector1` and `selector2` are required as of 2023.
- If you use Microsoft 365 as your inbound mail (MX) and a separate ESP for marketing, an SPF record for Microsoft 365 covers only outbound mail sent through Microsoft. Marketing mail needs the ESP's own `include:` merged into the same SPF record.
- The `<tenant>` value is your initial `*.onmicrosoft.com` name (set when the tenant was created), not your custom domain. To confirm it, run `Get-DkimSigningConfig -Identity your-domain.com | Format-List Selector1CNAME,Selector2CNAME` in Exchange Online PowerShell; the values of those two properties are exactly the CNAME targets to paste into DNS.
- If you previously published `selector1._domainkey` as a TXT record (some old guides used raw keys), delete it before publishing the CNAME. A CNAME at a host with any other record type is invalid and DNS providers will reject or silently drop one of them.
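The checks above (both selectors present, the hyphenated target naming, no stale TXT beside the CNAME, a key record that parses) can be scripted before you flip the enable switch. This is an added example, not MailerMonk's or Microsoft's code; it audits a dictionary of constructed DNS answers so it runs offline, and the `example.com` / `contoso` values and the `p=` placeholders are made up.

```python
SELECTORS = ("selector1", "selector2")

def expected_cname(selector: str, domain: str, tenant: str) -> str:
    """Derive the Microsoft-hosted key hostname: dots in the custom domain become hyphens."""
    hyphenated = domain.lower().rstrip(".").replace(".", "-")
    return f"{selector}-{hyphenated}._domainkey.{tenant}.onmicrosoft.com"

def parse_dkim_txt(txt: str) -> dict:
    """Split a DKIM key record ('v=DKIM1; k=rsa; p=...') into tag/value pairs."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def audit_dkim(domain: str, tenant: str, dns: dict) -> list:
    """Audit `dns` (hostname -> {record type: [values]}); returns problems, empty if all good."""
    problems = []
    for sel in SELECTORS:
        host = f"{sel}._domainkey.{domain}"
        rrset = dns.get(host, {})
        cnames = rrset.get("CNAME", [])
        if not cnames:
            problems.append(f"{host}: no CNAME published (both selectors are required)")
            continue
        want = expected_cname(sel, domain, tenant)
        target = cnames[0].rstrip(".").lower()
        if target != want:
            problems.append(f"{host}: CNAME points at {target}, expected {want}")
        # RFC 1034 s3.6.2: a CNAME must be alone at its name, so a leftover TXT from
        # an old raw-key setup makes the name invalid.
        if others := [t for t in rrset if t != "CNAME"]:
            problems.append(f"{host}: CNAME coexists with {', '.join(others)} record(s)")
        # If the answer set includes Microsoft's side, make sure the key record parses.
        for txt in dns.get(target, {}).get("TXT", []):
            tags = parse_dkim_txt(txt)
            if tags.get("v") != "DKIM1" or not tags.get("p"):
                problems.append(f"{target}: TXT is not a usable DKIM key record")
    return problems

# Constructed DNS answers (not real lookups): selector1 is correct but a stale TXT
# still sits beside the CNAME; selector2 was never published.
SAMPLE_DNS = {
    "selector1._domainkey.example.com": {
        "CNAME": ["selector1-example-com._domainkey.contoso.onmicrosoft.com."],
        "TXT": ["v=DKIM1; k=rsa; p=OLDKEYPLACEHOLDER"],
    },
    "selector1-example-com._domainkey.contoso.onmicrosoft.com": {
        "TXT": ["v=DKIM1; k=rsa; p=PUBLICKEYPLACEHOLDER"],
    },
}
```

Running `audit_dkim("example.com", "contoso", SAMPLE_DNS)` reports the stale TXT at selector1 and the missing selector2 CNAME; feed it the answers from `dig` against a public resolver to check a live zone.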
Frequently asked questions
Why does Microsoft 365 use two DKIM selectors?
Microsoft rotates the signing key between `selector1` and `selector2` automatically so keys don't stay static for years. At any given moment one selector is active and the other is the next-to-be-used backup. If you publish only one CNAME, every message signed with the rotated selector will fail DKIM until you publish the missing record — usually 2–4 weeks of intermittent failures before anyone notices.
What do I replace `<tenant>` and `<your-domain-with-hyphens>` with?
`<tenant>` is your Microsoft 365 initial domain (the `*.onmicrosoft.com` name created when the tenant was provisioned, e.g. `contoso.onmicrosoft.com`). `<your-domain-with-hyphens>` is your custom domain with dots replaced by hyphens — `example.com` becomes `example-com`. The simplest way to get the exact values is to open Microsoft Defender → Email authentication settings → DKIM → select your domain → the portal shows both CNAME hostnames and targets verbatim.
Why is DKIM still failing after I published the CNAMEs?
Three usual causes: (1) you haven't toggled the `Sign messages for this domain with DKIM signatures` switch in the Defender portal — the records exist but Microsoft isn't signing yet; (2) DNS propagation hasn't completed for the CNAME targets (check with `dig +short CNAME selector1._domainkey.your-domain.com` from a public resolver); (3) you have a stale TXT record at the same `_domainkey` host conflicting with the CNAME. Fix the conflict, wait an hour, retry the enable button.
Do I need to set up DKIM for my `*.onmicrosoft.com` domain?
No — Microsoft handles DKIM for the initial `*.onmicrosoft.com` tenant domain automatically and you can't change those records. DKIM configuration is only needed for custom domains you've added to the tenant. If your `From:` address uses your custom domain, that's the domain that needs the two CNAMEs.
How do I rotate DKIM keys in Microsoft 365?
Run `Rotate-DkimSigningConfig -Identity your-domain.com` in Exchange Online PowerShell, or click `Rotate DKIM keys` in the Defender portal. Microsoft generates fresh 2048-bit keys behind the existing selector CNAMEs — your DNS doesn't need to change because the CNAMEs point at Microsoft-hosted key records, not the keys themselves. New rotations are limited to roughly once per week.
Is 1024-bit or 2048-bit DKIM better for Microsoft 365?
Use 2048-bit. Microsoft defaults new domains to 2048-bit as of late 2023; the only reason to drop to 1024-bit is a DNS provider that can't handle the longer TXT value, which is rare for the CNAME-based setup since the long key text lives on Microsoft's side. Major receivers (Gmail, Yahoo) prefer 2048-bit.
Want to know if it actually keeps working?
MailerMonk continuously watches your DKIM record, aggregate DMARC reports, and inbox placement — and pings you the moment something drifts. Free for the first domain.
