Use DKIM to validate outbound email sent from your domain in Office 365

To configure DKIM, you will complete these steps:

Publish two CNAME records for your domain in DNS
For each domain for which you want to add a DKIM signature in DNS, you need to publish two CNAME records. A CNAME record is used by DNS to specify that the canonical name of a domain is an alias for another domain name.

Office 365 performs automatic key rotation using the two records that you establish. If you have provisioned additional domains in Office 365, you must publish two CNAME records for each additional domain. So, if you have two domains, you must publish four total CNAME records, and so on.

Use the following format for the CNAME records:

Host name:			selector1._domainkey.<domain>
Points to address or value:	selector1-<domainGUID>._domainkey.<initialDomain> 
TTL:				3600

Host name:			selector2._domainkey.<domain>
Points to address or value:	selector2-<domainGUID>._domainkey.<initialDomain> 
TTL:				3600


  • For Office 365, the selectors will always be "selector1" or "selector2".

  • domainGUID is the same as the domainGUID in the customized MX record for your domain that appears before For example, in the following MX record for the domain, the domainGUID is contoso-com:

  3600  IN  MX   5
  • initialDomain is the domain that you used when you signed up for Office 365. For information about determining your initial domain, see About your initial domain in Office 365.


For example, if you have an initial domain of, and two additional domains and, you would need to set up two CNAME records for the initial domain and two CNAME records for each additional domain, for a total of six CNAME records. 

Host name:  
Points to address or value:
TTL:				3600

Host name:  
Points to address or value:
TTL:				3600

Host name:  
Points to address or value:
TTL:				3600

Host name:  
Points to address or value:
TTL:				3600

Host name:
Points to address or value: 
TTL:				3600
Host name:
Points to address or value: 
TTL:				3600
Enable DKIM signing for your domain in Office 365
Once you have published the CNAME records in DNS, you are ready to enable DKIM signing through Office 365. You can do this either through the Office 365 admin center or by using Windows PowerShell.
  1. Sign in to Office 365 with your work or school account.

  2. Select the app launcher icon in the upper-left and choose Admin.

  3. In the lower-left navigation, expand Admin and choose Exchange.

  4. Go to Protection > dkim.

  5. Select the domain for which you want to enable DKIM and then, for Sign messages for this domain with DKIM signatures, choose Enable. Repeat this step for each domain.

  1. Connect to Exchange Online using remote PowerShell.

  2. Run the following cmdlet:

    New-DkimSigningConfig -DomainName <domain> -Enabled $true

    Where domain is the name of the domain for which you want to enable DKIM signing.

    For example, for the domain

    New-DkimSigningConfig -DomainName -Enabled $true
To Confirm DKIM signing is configured properly for Office 365
Wait a few minutes before you follow these steps to confirm that you have properly configured DKIM. This allows time for the DKIM information about the domain to be spread throughout the network.
  • Send a message from an account within your Office 365 DKIM-enabled domain to another email account such as or

  • Do not use an account for testing purposes. AOL may skip the DKIM check if the SPF check passes. This will nullify your test.

  • Open the message and look at the header. Instructions for viewing the header for the message will vary depending on your messaging client.

    The DKIM-signed message will contain the host name and domain you defined when you published the CNAME entries. The message will look something like this example:

    From: Example User <> 
    DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; 
        s=selector1;; t=1429912795; 
        bh=<body hash>; 
        b=<signed field>;
  • Look for the Authentication-Results header. While each receiving service uses a slightly different format to stamp the incoming mail, the result should include something like DKIM=pass or DKIM=OK.

To configure more than one domain for DKIM in Office 365
If at some point in the future you decide to add another domain and you want to enable DKIM for the new domain, you must complete the steps in this article for each domain. Specifically, complete all steps in What you need to do to manually set up DKIM in Office 365.
Set up DKIM so that a third-party service can send, or spoof, email on behalf of your domain
Some bulk email service providers, or software-as-a-service providers, let you set up DKIM keys for email that originates out of their service. This requires co-ordination between yourself and the third-party in order to set up the necessary DNS records. No two organizations do it exactly the same way. Instead, the process depends entirely on the organization.

An example message showing a properly configured DKIM for and might look like the following:

Return-Path: <>
 From: <>
 DKIM-Signature: s=s1024;
 Subject: Here is a message from Bulk Email Provider's infrastructure, but with a DKIM signature authorized by

In this example, in order to achieve this result:

  1. Bulk Email Provider gave Contoso a public DKIM key.

  2. Contoso published the DKIM key to its DNS record.

  3. When sending email, Contoso signed the key with the corresponding private key. By doing so, Contoso attached the DKIM signature to the message header.

  4. Receiving email systems perform a DKIM check by authenticating the DKIM-Signature d=<domain> value against the domain in the From: (5322.From) address of the message. In this example, the values match:

Next steps: After you set up DKIM for Office 365
Although DKIM is designed to help prevent spoofing, DKIM works better with SPF and DMARC. Once you have set up DKIM, if you have not already set up SPF you should do so. For a quick introduction to SPF and to get it configured quickly, see Set up SPF in Office 365 to help prevent spoofing. For a more in-depth understanding of how Office 365 uses SPF, or for troubleshooting or non-standard deployments such as hybrid deployments, start with How Office 365 uses Sender Policy Framework (SPF) to prevent spoofing. Next, seeUse DMARC to validate email in Office 365. Anti-spam message headers includes the syntax and header fields used by Office 365 for DKIM checks.


For additional information, please refer to this Microsoft Link:




Have more questions? Submit a request


Please sign in to leave a comment.
Powered by Zendesk