DKIM setup · Microsoft 365

    How to set up DKIM for Microsoft 365

    Microsoft 365 (Exchange Online) is the other major business mail platform. DKIM in Microsoft 365 uses two CNAMEs that point at Microsoft-hosted keys — different from Google's single-record approach.

    DKIM (DomainKeys Identified Mail, RFC 6376) is the cryptographic signature attached to outgoing email so receivers can verify the message wasn't tampered with and that it actually came from a server authorized by your domain. To turn it on for Microsoft 365, you publish one or more DNS records at `<selector>._domainkey.<your-domain>` containing the public key matching the private key Microsoft 365 uses to sign.

    Most ESPs (including Microsoft 365) ask you to publish CNAME records that point at hosted keys they manage. This is preferable to publishing the raw key text yourself — when the provider rotates keys, your DNS keeps pointing to the rotated key and nothing breaks.

    Publish these DNS records

    Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.

    Record 1
      Type:  CNAME
      Host:  selector1._domainkey
      Value: selector1-<your-domain-with-hyphens>._domainkey.<tenant>.onmicrosoft.com

    Record 2
      Type:  CNAME
      Host:  selector2._domainkey
      Value: selector2-<your-domain-with-hyphens>._domainkey.<tenant>.onmicrosoft.com

    • Both selectors are required. Microsoft rotates keys between selector1 and selector2; if only one is published, mail signed with the rotated selector will fail DKIM.
    • Replace `<your-domain-with-hyphens>` with your domain with dots replaced by hyphens (e.g. `example-com` for `example.com`). Replace `<tenant>` with your Microsoft 365 tenant name.
    • After publishing, enable DKIM signing in the Defender portal. Until you flip the switch, the CNAMEs exist but Microsoft doesn't sign outbound mail.

    Where in Microsoft 365

    The DKIM configuration lives in Microsoft 365 Defender → Policies & rules → Threat policies → Email authentication settings.

    Verify the records

    After the records propagate, run the DKIM Checker against your domain with each selector to confirm the public key resolves and parses correctly.

    From a terminal
    dig +short TXT <selector>._domainkey.your-domain.com
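As an added example (not code from this page, from Microsoft, or from MailerMonk), here is a Python checker that models what the publish and verify steps above require: it computes the CNAME target Microsoft 365 expects for each selector, follows it to the DKIM key record, and parses the `p=` tag. The DNS answers are constructed sample data (domain `example.com`, tenant `contoso`) standing in for live lookups; feed `check_domain` the results of a real resolver (for instance the `dig` output above) to run it against your own domain.

```python
import base64

# Constructed sample answers standing in for live DNS lookups (not real records).
DOMAIN, TENANT = "example.com", "contoso"
S1 = "selector1-example-com._domainkey.contoso.onmicrosoft.com"
S2 = "selector2-example-com._domainkey.contoso.onmicrosoft.com"
SAMPLE_CNAMES = {"selector1._domainkey.example.com": S1, "selector2._domainkey.example.com": S2}
FAKE_KEY = base64.b64encode(bytes(162)).decode()  # placeholder bytes, not a real RSA key
SAMPLE_TXT = {S1: f"v=DKIM1; k=rsa; p={FAKE_KEY}", S2: "v=DKIM1; k=rsa; p="}  # S2: empty key

def expected_cname(selector, domain, tenant):
    """Target Microsoft 365 expects: <selector>-<domain-with-hyphens>._domainkey.<tenant>.onmicrosoft.com"""
    return f"{selector}-{domain.replace('.', '-')}._domainkey.{tenant}.onmicrosoft.com"

def parse_dkim_txt(txt):
    """Split a DKIM key record into its tag=value pairs (RFC 6376 tag-list syntax)."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags

def check_selector(selector, domain, tenant, cnames, txts):
    """Return a list of problems for one selector; an empty list means it looks correct."""
    host = f"{selector}._domainkey.{domain}"
    target = cnames.get(host)
    if target is None:
        return [f"{host}: no CNAME published"]
    problems = []
    want = expected_cname(selector, domain, tenant)
    if target.lower().rstrip(".") != want:
        problems.append(f"{host}: CNAME points at {target}, expected {want}")
    tags = parse_dkim_txt(txts.get(target, ""))
    if "p" not in tags:
        return problems + [f"{host}: no DKIM key record found at {target}"]
    if not tags["p"]:
        return problems + [f"{host}: empty p= tag, key is revoked (RFC 6376); mail signed with it will fail"]
    try:
        der = base64.b64decode(tags["p"], validate=True)
        if len(der) < 140:  # a 1024-bit RSA SubjectPublicKeyInfo is about 162 bytes; shorter is suspect
            problems.append(f"{host}: decoded key is only {len(der)} bytes")
    except ValueError:
        problems.append(f"{host}: p= tag is not valid base64 (check for truncated or split TXT strings)")
    return problems

def check_domain(domain, tenant, cnames, txts):
    """Check both selectors, since Microsoft rotates signing between them."""
    return {s: check_selector(s, domain, tenant, cnames, txts) for s in ("selector1", "selector2")}
```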

    Common pitfalls

    • Forgetting to enable DKIM signing in the Defender portal after publishing the CNAMEs is the single most common Microsoft 365 setup error.
    • Older Microsoft documentation references `selector1` only — both `selector1` and `selector2` are required as of 2023.
    • If you use Microsoft 365 as your inbound mail (MX) and a separate ESP for marketing, the SPF record above is for outbound through Microsoft only. Marketing mail needs its own `include:` merged in.

    Want to know if it actually keeps working?

    MailerMonk continuously watches your DKIM record, aggregate DMARC reports, and inbox placement — and pings you the moment something drifts. Free for the first domain.