How to Set Up DKIM for Office 365 (Step-by-Step)

Jul 05, 2026
8 min read
o365 dkim guide for IT professionals and SMBs

Introduction

Setting up o365 dkim is one of the most effective steps you can take to protect your business email from spoofing and phishing attacks. DKIM, or DomainKeys Identified Mail, adds a cryptographic signature to every outbound message, giving receiving mail servers a way to verify that your emails are legitimate. For small and mid-sized businesses running Microsoft 365, getting this configuration right can mean the difference between emails landing in the inbox and getting flagged as spam. This guide walks you through the entire process clearly and without unnecessary jargon.

What DKIM Actually Does for Your Email

DKIM is an email authentication standard that uses a pair of cryptographic keys — one private key that signs outgoing messages on your mail server, and one public key published in your DNS records that receiving servers use to verify those signatures. When a recipient's mail server gets a message from your domain, it looks up your public key in DNS and checks whether the signature in the email header matches. If it does, the message passes DKIM authentication and is far more likely to be delivered successfully. If it does not match — or if there is no signature at all — the receiving server may treat the message with suspicion or reject it outright.

Beyond deliverability, DKIM plays a critical role in your overall email security posture. It works alongside SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) to form a layered defense against email fraud. Without DKIM, bad actors can more easily impersonate your domain, sending phishing emails that appear to come from your organization. For businesses that rely on email to communicate with customers, vendors, and partners, that kind of impersonation can cause serious reputational and financial damage.

How Microsoft 365 Handles the Signing Process

Microsoft 365 actually applies a default level of DKIM signing to all outbound email, but it does so using Microsoft's own domain rather than your custom domain. This means that even without any configuration on your part, your emails carry some form of DKIM signature — but it is tied to a Microsoft subdomain like yourdomain.onmicrosoft.com rather than yourdomain.com. While this offers a baseline level of authentication, it is not sufficient for a professional setup and does not satisfy DMARC alignment requirements, which need the signing domain to match your From address domain.

When you enable custom DKIM signing in Microsoft 365, the platform generates a unique 2048-bit RSA key pair for your domain. Microsoft stores the private key securely within its infrastructure and uses it to sign every outbound message. Your job is to publish the corresponding public key in your domain's DNS as a CNAME record pointing back to Microsoft's key servers. Once those DNS records propagate and you activate DKIM in the Microsoft 365 Defender portal, every email sent from your domain will carry a verifiable signature that receiving mail servers can trust. This alignment between your sending domain and your DKIM signature is what makes the authentication meaningful.

Step-by-Step Guide

  1. Access the Microsoft 365 Defender Portal: Navigate to security.microsoft.com and sign in with a global administrator or security administrator account. Once inside, go to Email and Collaboration, then Policies and Rules, then Threat Policies, and finally the Email Authentication Settings section where DKIM is managed.
  2. Select the Domain You Want to Configure: In the DKIM page, you will see a list of all domains associated with your Microsoft 365 tenant. Click on the custom domain you want to enable DKIM for — this should be your primary sending domain, such as yourbusiness.com, not the default onmicrosoft.com domain.
  3. Generate the DKIM Keys and Retrieve the CNAME Records: When you select your domain and attempt to enable DKIM, Microsoft will display two CNAME records that you need to add to your DNS. These records will look something like selector1._domainkey.yourdomain.com pointing to selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com — copy both records carefully and keep them ready for the next step.
  4. Log In to Your DNS Provider and Add the CNAME Records: Access the DNS management console for your domain, which might be hosted at GoDaddy, Cloudflare, Namecheap, or another registrar. Create two new CNAME records using exactly the host names and values provided by Microsoft, making sure there are no extra spaces or characters that could cause the records to fail validation.
  5. Wait for DNS Propagation: After saving the CNAME records, allow time for the changes to propagate across the internet — this typically takes between 15 minutes and 72 hours depending on your DNS provider and the TTL settings on your records. You can check propagation progress using a tool like MXToolbox or dnschecker.org to confirm the records are resolving correctly before proceeding.
  6. Enable DKIM Signing in the Defender Portal: Return to the DKIM settings page in the Microsoft 365 Defender portal, select your domain again, and toggle DKIM signing to enabled. Microsoft will verify that your CNAME records are in place before activating signing — if the records have not propagated yet, you will see an error and will need to wait and try again.
  7. Verify the Configuration Is Working Correctly: Send a test email from your Microsoft 365 account to a Gmail or Outlook.com address, then open the message and inspect the full email headers. Look for a DKIM-Signature header and confirm the domain in the d= field matches your custom domain, which confirms that o365 dkim signing is active and functioning as expected.
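Steps 3 and 7 above, and the alignment requirement from the "How Microsoft 365 Handles the Signing Process" section, can be checked mechanically. This added example (not code from the original article or from Microsoft) builds the two expected CNAME host names for a domain and tenant, and inspects constructed DKIM-Signature headers to report whether the d= domain is your custom domain rather than the onmicrosoft.com fallback and whether it strictly matches the From: domain. The domain, tenant and header values are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed headers from a message signed with the custom domain (what step 7 expects to see).
CUSTOM_SIGNED = """\
From: Alice Example <alice@yourbusiness.com>
To: bob@gmail.com
Subject: DKIM test
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourbusiness.com;
 s=selector1; h=from:to:subject; bh=constructedbodyhash=; b=constructedsignature=
"""

# Constructed headers from a tenant that still relies on Microsoft's default signing.
DEFAULT_SIGNED = CUSTOM_SIGNED.replace("d=yourbusiness.com", "d=yourtenant.onmicrosoft.com")

def dkim_tags(header_value):
    """Split a DKIM-Signature value into a {tag: value} dict, ignoring header folding."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags

def expected_cnames(domain, tenant):
    """Build the two CNAME pairs Microsoft 365 asks for in step 3:
    selectorN._domainkey.<domain> -> selectorN-<domain, dots as dashes>._domainkey.<tenant>.onmicrosoft.com
    (tenant is the short tenant name, e.g. 'yourtenant')."""
    dashed = domain.replace(".", "-")
    return {f"{sel}._domainkey.{domain}": f"{sel}-{dashed}._domainkey.{tenant}.onmicrosoft.com"
            for sel in ("selector1", "selector2")}

def check_signature(raw_headers, custom_domain):
    """Report whether the message is DKIM-signed, by which domain and selector, and whether
    the signing domain (d=) strictly matches both your custom domain and the From: domain."""
    msg = message_from_string(raw_headers)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return {"signed": False, "reason": "no DKIM-Signature header"}
    tags = dkim_tags(sig)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    signing_domain = tags.get("d", "").lower()
    return {
        "signed": True,
        "signing_domain": signing_domain,
        "selector": tags.get("s"),
        # False here means you are still on the onmicrosoft.com fallback signature.
        "custom_domain_signing": signing_domain == custom_domain.lower(),
        # Strict DMARC alignment: d= equals the From: domain. DMARC's default relaxed mode
        # would also accept a subdomain of the same organizational domain.
        "dmarc_aligned": signing_domain == from_domain,
    }
```

To use it on a real test message, paste the raw headers from Gmail's "Show original" view into `check_signature` with your own domain.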

SPF, DKIM, and DMARC: Understanding How They Work Together

| Feature | SPF | DKIM | DMARC |
|---|---|---|---|
| What It Authenticates | The sending server's IP address | The message content and sending domain | Alignment of SPF and DKIM with the From domain |
| DNS Record Type | TXT record | CNAME records (in Microsoft 365) | TXT record |
| Protects Against Spoofing | Partially | Yes, with cryptographic signing | Yes, with policy enforcement |
| Survives Email Forwarding | No — forwarded mail often breaks SPF | Usually yes, if headers are intact | Depends on which mechanism passes |
| Required for DMARC Alignment | Yes (one of two options) | Yes (one of two options) | N/A — DMARC is the enforcement layer |

Best Practices

  • Use 2048-Bit Keys: Microsoft 365 defaults to 2048-bit RSA keys for DKIM, which is the current recommended minimum — avoid any legacy configurations that use 1024-bit keys, as they are considered weak by modern standards.
  • Enable DKIM on All Sending Domains: If your organization sends email from multiple custom domains, make sure you configure DKIM for each one individually rather than assuming the default Microsoft signing is sufficient for secondary domains.
  • Pair DKIM With a DMARC Policy: DKIM alone does not prevent spoofed emails from reaching recipients — you need a DMARC record with at least a p=quarantine or p=reject policy to instruct receiving servers on what to do when authentication fails.
  • Rotate Keys Periodically: Microsoft 365 allows you to rotate your DKIM keys using the Rotate-DkimSigningConfig PowerShell command, and doing this annually reduces the risk of a compromised private key being used against you without your knowledge.
  • Monitor DMARC Reports: Once DKIM and DMARC are in place, set up a DMARC reporting inbox or use a service like Postmark or Valimail to receive and interpret aggregate reports, which will show you whether any unauthorized sources are sending email on behalf of your domain.
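The "Monitor DMARC Reports" practice above depends on actually reading the aggregate reports. This added example (not from the original article, and not tied to any particular reporting service) parses a constructed aggregate report in the standard RFC 7489 XML format and lists the sources whose mail failed both aligned DKIM and SPF, which is the signal of an unauthorized sender or a sending system you forgot to configure. The domain, IP addresses and counts are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (rua) report: one aligned Microsoft 365 source that passes
# DKIM with selector1, and one unknown host that fails both DKIM and SPF.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>yourbusiness.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourbusiness.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourbusiness.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>yourbusiness.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourbusiness.com</header_from></identifiers>
    <auth_results><spf><domain>yourbusiness.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

def triage_report(xml_text):
    """Return the published policy, one summary per record, and the records that failed DMARC
    (neither aligned DKIM nor aligned SPF passed), which deserve investigation."""
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "rows": [],
        "suspicious": [],
    }
    for rec in root.findall("record"):
        row = {
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "dkim": rec.findtext("row/policy_evaluated/dkim"),
            "spf": rec.findtext("row/policy_evaluated/spf"),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "dkim_selector": rec.findtext("auth_results/dkim/selector"),  # None when unsigned
        }
        summary["rows"].append(row)
        if row["dkim"] != "pass" and row["spf"] != "pass":
            summary["suspicious"].append(row)
    return summary
```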

Frequently Asked Questions

Do I Need to Disable the Default Microsoft DKIM Signing First?

No, you do not need to disable anything before setting up custom DKIM signing. When you enable DKIM for your custom domain in the Microsoft 365 Defender portal, Microsoft automatically switches from its default onmicrosoft.com signing to your custom domain signing. The two configurations do not conflict with each other, and the transition happens seamlessly once your DNS records are in place and DKIM is toggled on.

What Happens If My CNAME Records Are Entered Incorrectly?

If your CNAME records contain errors — such as a typo in the host name or an incorrect value — Microsoft will not be able to verify them, and DKIM signing will either fail to activate or will stop working if records are changed after initial setup. Receiving mail servers may then fail DKIM checks on your outbound messages, which can hurt deliverability and trigger spam filters. Always double-check the exact values provided in the Defender portal and use a DNS lookup tool to confirm the records are resolving to the correct destination before enabling DKIM.

Can I Set Up DKIM Without Access to My DNS Provider?

Unfortunately, no — adding the required CNAME records to your domain's DNS is a mandatory part of the process, and there is no workaround that allows you to skip it. You will need either direct access to your DNS management console or assistance from whoever manages your domain registration. If your IT provider or web developer controls your DNS, simply share the two CNAME record values from the Microsoft 365 Defender portal and ask them to add the records on your behalf.

How Long Does It Take for DKIM to Start Working After I Enable It?

Once you have added the CNAME records to your DNS and enabled DKIM in the Defender portal, signing typically begins within minutes for new outbound messages. However, DNS propagation can take anywhere from a few minutes to 48 hours depending on your registrar and TTL settings, so you may not be able to activate DKIM immediately after adding the records. The safest approach is to add the DNS records first, wait for full propagation confirmed by a tool like MXToolbox, and then return to the portal to enable signing.

Does Enabling DKIM Affect How Emails Look to Recipients?

No, DKIM authentication happens entirely behind the scenes in the email headers and is completely invisible to end users. Recipients will not see any change in how your emails appear in their inbox — no additional banners, labels, or indicators are added by DKIM itself. The benefit is indirect: your emails are more likely to reach the inbox rather than the spam folder, and email clients like Gmail may display a verified sender checkmark in certain contexts when both DKIM and DMARC are properly configured for your domain.

If configuring o365 dkim feels overwhelming or you are unsure whether your current email authentication setup is complete and correctly aligned, the team at Always Beyond is here to help. We work with SMBs every day to implement and audit Microsoft 365 security configurations, including DKIM, SPF, and DMARC, so your email reaches the right people and your domain stays protected. Reach out and contact Always Beyond today.
