Office365 – Use DKIM to validate outbound email

By default Microsoft will only enable DKIM signing on your “Initial Domain”

Why use DKIM when you already utilize SPF? It’s simple! They will work in tandem.

SPF adds information to a message envelope but DKIM actually encrypts a signature within the message header.

When you first sign up as a Tenant within Microsoft Office 365 you are greeted with an “Initial domain” that ends in – For example, mine is

As you go through the verification process to verify the domains you own, or purchase domains from Microsoft or Microsoft Partners, you will see your domain(s) start populating in your Microsoft 365 Admin Center

Once your domain has been verified, you can start the process of using DKIM

In this guide we will keep it simple – We will utilize the Microsoft Office 365 Admin Center to change the DKIM settings, however an alternative method exists in which you can use PowerShell to accomplish the same end goal.


Let’s begin!


  1. Navigate to your Domain DNS settings – In this case I am hosting this website with GoDaddy. We will be adding two CNAME records to our domains DNS.
  2. Generic - Please Refine to fit your domain!

    HostnamePoints To AddressTTL
    selector1._domainkey.selector1-domainGUID._domainkey.initialDomain 3600 (1 Hour)
    selector2._domainkey.selector2-domainGUID._domainkey.initialDomain3600 (1 Hour)
    Three things need to be changed to fit your domain: <domain> — <domainGUID> — <initialDomain>
    1. Domain: Your domain name
    2. domainGUID: domainGUID is the same as the domainGUID in the customized MX record for your custom domain that appears before (HINT: Check your DNS records for MX entries)
    3. initialDomain: The domain you created when joining O365 – Look for the OnMicrosoft domain!
  3. Here is my configuration for D3V1N.NET as an example: 

    D3V1N.NET Specific DNS Settings

    HostnamePoints To AddressTTL
    selector1._domainkey.d3v1n.netselector1-d3v1n-net._domainkey.d3v1n.onmicrosoft.com3600 (1 Hour)
    selector2._domainkey.d3v1n.netselector2-d3v1n-net._domainkey.d3v1n.onmicrosoft.com3600 (1 Hour)
  4. BREAK! You may need to wait up to 48 Hours for DNS to update – Once you verify DNS has been updated, proceed to the next step.
  5. In the left navigation, expand Admin and choose Exchange.
  6. Go to Protection > dkim.
  7. Select the domain for which you want to enable DKIM by left clicking it, and on the right you should see “Sign messages for this domain with DKIM signatures” – choose Enable.


Send an email to an outside domain in which you can receive it to inspect the message header to verify DKIM is working!



No Fields Found.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.