Always Beyond Team

Setting up DKIM for Microsoft 365 (often searched for as "o365 dkim") is one of the most effective steps you can take to protect your business email from spoofing and phishing. DKIM, or DomainKeys Identified Mail, adds a cryptographic signature to every outbound message, giving receiving mail servers a way to verify that a message really came from your domain and was not altered in transit. For small and mid-sized businesses running Microsoft 365, getting this configuration right can mean the difference between emails landing in the inbox and being flagged as spam. This guide walks through the whole process without unnecessary jargon.
DKIM is an email authentication standard built on a pair of cryptographic keys: a private key that signs outgoing messages on your mail server, and a public key published in your DNS records that receiving servers use to verify those signatures. The signature lives in a DKIM-Signature header and covers a chosen set of headers (always including From) plus a hash of the body. When a recipient's mail server gets a message, it reads the selector (s=) and signing domain (d=) from that header, fetches the public key at selector._domainkey.domain in DNS, and checks the signature. If it verifies, the message passes DKIM and is far more likely to be delivered. If it does not verify, because the message was altered in transit or was signed with a different key, or if there is no signature at all, the receiving server may treat the message with suspicion or reject it outright.
Beyond deliverability, DKIM plays a critical role in your overall email security posture. It works alongside SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) to form a layered defense against email fraud. Without DKIM, bad actors can more easily impersonate your domain, sending phishing emails that appear to come from your organization. For businesses that rely on email to communicate with customers, vendors, and partners, that kind of impersonation can cause serious reputational and financial damage.
Microsoft 365 applies DKIM signing to all outbound email by default, but it signs with Microsoft's own domain rather than yours. Even with no configuration on your part, your messages carry a DKIM signature, but its d= value is a Microsoft subdomain such as yourdomain.onmicrosoft.com rather than yourdomain.com. That gives receivers a baseline of authentication, but it is not sufficient for a professional setup and does not satisfy DMARC alignment, which requires the signing domain in the DKIM-Signature header to match (or, in relaxed mode, share an organizational domain with) the domain in the From header. DMARC can still pass on SPF alignment alone when mail is delivered directly, but SPF breaks on forwarding, so an aligned DKIM signature is what keeps DMARC passing in practice.
When you enable custom DKIM signing in Microsoft 365, the platform generates a 2048-bit RSA key pair for your domain. Microsoft keeps the private key inside its infrastructure and uses it to sign every outbound message. Your job is not to publish the key itself but to add two CNAME records under your domain, selector1._domainkey and selector2._domainkey, that point to the Microsoft-hosted records where the public keys actually live. Two selectors exist so that Microsoft can rotate keys from one to the other without you touching DNS. Once those records resolve and you activate DKIM in the Microsoft 365 Defender portal, every email sent from your domain carries a signature whose d= value is your own domain, which is what makes the authentication meaningful for DMARC.
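To make the alignment point concrete, here is an added example (not code from the original article or from Microsoft) that parses the DKIM-Signature and From headers of a message and reports whether the signing domain (d=) aligns with the From domain under DMARC's relaxed and strict modes. The two messages are constructed for illustration, one carrying the default onmicrosoft.com signature and one carrying a custom-domain signature; the bh= and b= values are dummies. The organizational-domain test is a simplification ("same name or a subdomain of it") rather than the public suffix list real DMARC evaluators use, and the code does not verify the signature itself, which requires the public key from DNS and the full message.

```python
import email
from email.utils import parseaddr

# Constructed sample messages, not real mail. The signature fields bh= and b=
# are dummies; only d=, s= and From matter for the alignment check below.
DEFAULT_SIGNED = """\
From: Alice <alice@contoso.com>
To: bob@example.net
Subject: Invoice 1042
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.onmicrosoft.com;
 s=selector1-contoso-com; h=From:To:Subject; bh=DUMMYBODYHASH; b=DUMMYSIG

Please find the invoice attached.
"""

CUSTOM_SIGNED = """\
From: Alice <alice@contoso.com>
To: bob@example.net
Subject: Invoice 1042
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.com;
 s=selector1; h=From:To:Subject; bh=DUMMYBODYHASH; b=DUMMYSIG

Please find the invoice attached.
"""


def parse_tags(value):
    """Parse a DKIM tag=value list ('v=1; d=...; s=...') into a dict.
    Folding whitespace inside values is dropped, as RFC 6376 allows."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags


def from_domain(msg):
    """Domain of the RFC 5322 From address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower()


def aligned(sig_domain, hdr_domain, mode):
    """DMARC identifier alignment. 'strict' needs an exact match; 'relaxed'
    accepts a parent/child relationship. Simplification (assumption): the
    organizational domain is approximated as 'same name or a subdomain of it'
    instead of the public suffix list that real DMARC evaluators use."""
    sig_domain, hdr_domain = sig_domain.lower(), hdr_domain.lower()
    if sig_domain == hdr_domain:
        return True
    if mode == "strict":
        return False
    return sig_domain.endswith("." + hdr_domain) or hdr_domain.endswith("." + sig_domain)


def dkim_alignment(raw):
    """Report d= versus From alignment for every DKIM-Signature on a message.
    Does not verify the signature itself; that needs the public key from DNS."""
    msg = email.message_from_string(raw)
    hdr_domain = from_domain(msg)
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        d = tags.get("d", "").lower()
        results.append({
            "d": d,
            "s": tags.get("s", ""),
            "from": hdr_domain,
            "relaxed": aligned(d, hdr_domain, "relaxed"),
            "strict": aligned(d, hdr_domain, "strict"),
        })
    return results


if __name__ == "__main__":
    for label, raw in (("default signing", DEFAULT_SIGNED), ("custom signing", CUSTOM_SIGNED)):
        for r in dkim_alignment(raw):
            print(f"{label}: d={r['d']} From={r['from']} "
                  f"relaxed={r['relaxed']} strict={r['strict']}")
```

Run against the default-signed sample the d= domain is contoso.onmicrosoft.com while From is contoso.com, so neither relaxed nor strict alignment holds and DMARC cannot pass on DKIM; the custom-signed sample aligns in both modes. A signature from a subdomain such as mail.contoso.com aligns only in relaxed mode, which is the default unless your DMARC record sets adkim=s.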
| Feature | SPF | DKIM | DMARC |
|---|---|---|---|
| What It Authenticates | The sending server's IP address against the envelope sender (MAIL FROM) domain | Integrity of the signed headers and body, tied to the signing (d=) domain | Alignment of SPF and DKIM with the From domain, plus a policy for failures |
| DNS Record Type | TXT record at the domain | TXT record at selector._domainkey (Microsoft 365 uses CNAME records that delegate to Microsoft-hosted TXT records) | TXT record at _dmarc.domain |
| Protects Against Spoofing | Partially (checks only the sending IP, and the envelope sender can differ from the visible From) | Yes, with cryptographic signing of the From header and body | Yes, with policy enforcement (quarantine or reject) |
| Survives Email Forwarding | No, forwarded mail often breaks SPF because the forwarding server's IP is not authorized | Usually yes, as long as the signed headers and body are not modified; mailing lists that rewrite subjects or add footers break it | Depends on which mechanism still passes and aligns |
| Required for DMARC Alignment | Yes (one of two options) | Yes (one of two options) | N/A — DMARC is the enforcement layer |
You do not need to disable the default onmicrosoft.com signing before setting up custom DKIM. When you enable DKIM for your custom domain in the Microsoft 365 Defender portal, Microsoft switches from signing with the onmicrosoft.com domain to signing with your custom domain. The two configurations do not conflict, and the transition happens once your DNS records are in place and DKIM is toggled on; until that moment, outbound mail keeps the default signature.
If the CNAME records contain errors, such as a typo in the host name (for example selector1.domainkey instead of selector1._domainkey) or a wrong target value, Microsoft will not be able to validate them and will refuse to enable signing for the domain. If the records are changed or removed after setup, receiving servers can no longer retrieve the public key, so your messages fail DKIM verification, which hurts deliverability and can trigger spam filters. Copy the exact values from the Defender portal, and use nslookup, dig or an online DNS lookup tool to confirm that each CNAME resolves to a TXT record starting with v=DKIM1 before enabling DKIM.
There is no way to skip the DNS step: adding the two CNAME records to your domain's DNS is mandatory. You need either direct access to your DNS management console or help from whoever manages your domain. If your IT provider or web developer controls your DNS, share the two CNAME record values from the Microsoft 365 Defender portal and ask them to add the records on your behalf.
Once the CNAME records are in DNS and DKIM is enabled in the Defender portal, signing begins within minutes for new outbound messages. DNS propagation, however, can take anywhere from a few minutes to 48 hours depending on your registrar and TTL settings, and Microsoft checks the records when you turn signing on, so enabling too early produces an error. The safest sequence is: add the two CNAME records first, confirm with a lookup tool such as MXToolbox (or nslookup) that both resolve to Microsoft's key records, and only then return to the portal to enable signing.
DKIM is invisible to end users: authentication happens entirely in the email headers, and recipients see no banners, labels or indicators added by DKIM itself. The benefit is indirect, since your mail is more likely to reach the inbox rather than the spam folder. Gmail's blue verified-sender checkmark is not a DKIM feature; it requires BIMI with a verified mark certificate on top of a DMARC policy at enforcement, so DKIM and DMARC are prerequisites for it rather than the whole story.
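As an added example (not code from the original article or from Microsoft), the following performs the pre-flight check a practitioner would run before toggling DKIM on: for each of the two selectors it follows the CNAME to the Microsoft-hosted TXT record and confirms that a DKIM key record (v=DKIM1 with a non-empty p= value) sits at the end of the chain. The resolver is a constructed in-memory zone so the example runs offline; the record names follow Microsoft's documented pattern (selector1._domainkey.<yourdomain> pointing to selector1-<your-domain-with-dashes>._domainkey.<tenant>.onmicrosoft.com), but the values shown in the Defender portal are authoritative and should be used in place of the computed ones. The p= value is a dummy, and the selector2 target carries a deliberate typo so the failure path is visible. To run it against live DNS, pass a `lookup` function with the same signature that wraps a real resolver (for instance dnspython's `dns.resolver.resolve`).

```python
# Constructed in-memory zone standing in for real DNS. Names follow
# Microsoft's documented selector pattern; the p= value is a dummy, not a key.
# selector2's CNAME target carries a deliberate typo ("contoso-con") so the
# failure path is exercised.
FAKE_ZONE = {
    ("selector1._domainkey.contoso.com", "CNAME"):
        ["selector1-contoso-com._domainkey.contoso.onmicrosoft.com"],
    ("selector2._domainkey.contoso.com", "CNAME"):
        ["selector2-contoso-con._domainkey.contoso.onmicrosoft.com"],
    # A long key is split across several strings of one TXT record.
    ("selector1-contoso-com._domainkey.contoso.onmicrosoft.com", "TXT"):
        ["v=DKIM1; k=rsa; p=DUMMYPUBLICKEY", "BASE64CONTINUED"],
    ("selector2-contoso-com._domainkey.contoso.onmicrosoft.com", "TXT"):
        ["v=DKIM1; k=rsa; p=DUMMYPUBLICKEYBASE64"],
}


def fake_lookup(name, rtype):
    """Stand-in resolver: the record values for (name, type), or [] when the
    name does not exist. A live resolver with the same signature can replace it."""
    return FAKE_ZONE.get((name.lower().rstrip("."), rtype), [])


def expected_cnames(domain, initial_domain):
    """The CNAME pairs Microsoft documents for the two selectors. Assumption:
    the portal values follow this pattern; whatever the portal shows wins."""
    dashed = domain.replace(".", "-")
    return {
        f"{sel}._domainkey.{domain}": f"{sel}-{dashed}._domainkey.{initial_domain}"
        for sel in ("selector1", "selector2")
    }


def parse_tags(value):
    """Parse 'v=DKIM1; k=rsa; p=...' into a dict, dropping whitespace in values."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags


def check_selector(host, expected_target, lookup=fake_lookup):
    """Follow host -> CNAME -> TXT and validate that a DKIM key sits at the end.
    Returns (ok, message)."""
    cname = lookup(host, "CNAME")
    if not cname:
        return False, f"{host}: no CNAME record (not published yet, or the host name is mistyped)"
    target = cname[0].rstrip(".").lower()
    if target != expected_target.lower():
        return False, f"{host}: CNAME points to {target}, expected {expected_target}"
    txt = lookup(target, "TXT")
    if not txt:
        return False, f"{host}: target {target} has no TXT record (keys not generated yet?)"
    tags = parse_tags("".join(txt))  # join the strings of the single TXT record
    if tags.get("v") != "DKIM1" or not tags.get("p"):
        return False, f"{host}: TXT at {target} is not a DKIM key record"
    if tags.get("k", "rsa") != "rsa":
        return False, f"{host}: unexpected key type k={tags['k']}"
    return True, f"{host} -> {target}: DKIM1 RSA key present ({len(tags['p'])} base64 chars)"


def verify_dkim_dns(domain, initial_domain, lookup=fake_lookup):
    """Check both selectors; returns {host: (ok, message)}. Enable DKIM in the
    portal only when every entry reports ok."""
    return {host: check_selector(host, target, lookup)
            for host, target in expected_cnames(domain, initial_domain).items()}


if __name__ == "__main__":
    for host, (ok, msg) in verify_dkim_dns("contoso.com", "contoso.onmicrosoft.com").items():
        print("OK  " if ok else "FAIL", msg)
```

With the sample zone, selector1 passes and selector2 fails with a message naming the mistyped target next to the expected one, which is the same mismatch the portal reports when it refuses to enable signing. The "no TXT record" branch covers the other common cause of a stuck activation: the CNAMEs are correct but Microsoft has not yet generated the key records for the domain, or the records have not propagated to the resolver you are querying.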
If configuring o365 dkim feels overwhelming or you are unsure whether your current email authentication setup is complete and correctly aligned, the team at Always Beyond is here to help. We work with SMBs every day to implement and audit Microsoft 365 security configurations, including DKIM, SPF, and DMARC, so your email reaches the right people and your domain stays protected. Reach out and contact Always Beyond today.