Read time: 5 minutes

Summary: In the battle against rising cyber threats, implementing DKIM in Microsoft 365 is crucial to protect against email spoofing and phishing attacks. DKIM (DomainKeys Identified Mail) adds digital signatures to outbound emails, ensuring legitimacy. This article outlines the steps to set up DKIM for Microsoft 365 and emphasizes its role in email security.

In today’s digital landscape, the surge in cyber threats poses a significant challenge for mail administrators. This ongoing battle has intensified due to the proliferation of phishing campaigns launched by attackers. Fortunately, technological advancements have introduced new standards to bolster protection against these malicious endeavors.

In safeguarding against various cyber threats, such as email spoofing and phishing attacks, it is imperative for every organization to implement DKIM within Microsoft 365. As email usage and capabilities continue to expand, configuring this protocol in Microsoft 365 becomes crucial to verify the legitimacy of incoming mail. DKIM (DomainKeys Identified Mail), part of the trio of authentication protocols alongside SPF and DMARC, involves adding a digital signature to all outgoing email messages. The recipient’s server then verifies these signatures to authenticate the sender’s domain. Additionally, DKIM employs a private key to encrypt the email header of outbound messages.

This protocol can sometimes result in the sender’s emails being redirected to spam or junk folders, typically occurring when the sender’s domain fails to pass the authentication tests.

Setup DKIM for Microsoft 365

The configuring of the specific protocol to Microsoft 365 doesn’t require in the below two cases:

  • Using the default domain.
  • You have only one custom domain.

If your situation doesn’t fall into the categories mentioned above, you can manually configure it in Microsoft 365. This process involves several steps, such as creating two DKIM records, publishing them for your custom domain in DNS, and enabling the signing.

Create DKIM records for Microsoft 365

Creating records for this specific protocol is crucial as it associates an alias name with a particular domain name. To set up a custom domain, you need to create records that link back to the initial domain. These records follow this format:

Host name: selector1._domainkey.CompanyDomainName
Points to:
Host name: selector2._domainkey.CompanyDomainName
Points to:

If the company domain is, you need to create below two records:

Host name:
Points to:
Host name:
Points to:
Publish DKIM records in DNS

When adding a custom domain alongside the default domain, it’s necessary to publish two records for the custom domain. To achieve this, follow the format below for these records:

Host name: selector1._domainkey
Points to address or value: selector1-._domainkey.
TTL: 3600
Host name: selector2._domainkey
Points to address or value: selector2-._domainkey.
TTL: 3600
Enable DKIM signing

After completing the previous steps, it’s time to enable signing in Microsoft 365. You can achieve this using one of two methods: Microsoft 365 Defender or PowerShell.

Enable DKIM signing using Microsoft 365 Defender portal

If you want to enable this signing using the Defender portal, you must follow the below steps:

  • Enter the URL to login to Microsoft 365 Defender portal. Click on Email & Collaboration -> Policies & Rules -> Threat policies -> Email
    Authentication Settings -> DKIM. You can also browse to go directly to the specific page.Sign messages for this domain with DKIM signatures
  • Next, click on the domain you want to enable.Authentication Settings
  • Finally, change the Sign messages for this domain with DKIM signatures to Enabled.Click on the domain

If you receive error messages while enabling the signing using the Microsoft 365 Defender portal, another method is also available, i.e., PowerShell.

Enable DKIM signing using PowerShell

You can also use PowerShell to enable signing in Microsoft 365. For this, you must follow the below steps:

  • First, connect to Exchange Online PowerShell and run the below command:
    Set-DkimSigningConfig -Identity -Enabled $true
  • Here, Domain refers to your custom domain name for which you want to enable signing.
    For example: If the company domain is, you must run the below command:

    Set-DkimSigningConfig -Identity -Enabled $true
Confirm DKIM signing is configured properly for Microsoft 365
  • You need to wait for sometimes after performing the above steps to save the changes. After that, ensure that the signing has successfully been configured to Microsoft 365:
  • Send an email from the specific account for which you just enabled signing to another email account. If it transfers successfully, it means that signing has been configured to Microsoft 365.
  • AOL account may skip the DKIM check. Hence, you should not use it for testing purposes.
  • Look at the header in the specific message. If it has successfully been enabled, you can see the hostname and domain in the message.
  • Look at the Authentication-Results header; it should include DKIM = pass or OK.


Many organizations implement this protocol in Microsoft 365 to secure mail delivery to client and customer mailboxes. You may have noticed that some incoming emails from a specific domain end up in your spam or junk folder. Ever wondered what causes this? Well, it’s this protocol at work. It comes into play when the domain of the incoming mail fails the authentication tests. You can consider it as an effective authentication method to secure Office 365 mailboxes.

Before implementing this authentication protocol in Microsoft 365, it’s advisable to back up your mailboxes to safeguard against data loss. You can utilize a reliable tool like Kernel Office 365 Backup & Restore capable of backing up your private mailboxes, shared mailboxes, archive mailboxes, and Microsoft 365 groups. With this, you can rest assured that your data can be easily restored in case of data loss.