By default Microsoft will only enable DKIM signing on your “Initial Domain”
Why use DKIM when you already utilize SPF? It’s simple! They will work in tandem.
SPF adds information to a message envelope, while DKIM adds a cryptographic signature to the message header.
When you first sign up as a Tenant within Microsoft Office 365 you are greeted with an “Initial domain” that ends in .onmicrosoft.com – For example, mine is D3V1N.OnMicrosoft.com
As you go through the verification process to verify the domains you own, or purchase domains from Microsoft or Microsoft Partners, you will see your domain(s) start populating in your Microsoft 365 Admin Center
Once your domain has been verified, you can start the process of using DKIM
In this guide we will keep it simple – We will use the Microsoft Office 365 Admin Center to change the DKIM settings, although you can also use PowerShell to accomplish the same end goal.
- Navigate to your domain's DNS settings – In this case I am hosting this website with GoDaddy. We will be adding two CNAME records to our domain's DNS.
Generic - please adapt these to fit your domain!

| Hostname | Points To Address | TTL |
|---|---|---|
| selector1._domainkey.Domain | selector1-domainGUID._domainkey.initialDomain | 3600 (1 Hour) |
| selector2._domainkey.Domain | selector2-domainGUID._domainkey.initialDomain | 3600 (1 Hour) |

- Domain: Your domain name
- domainGUID: The same domainGUID that appears in the customized MX record for your custom domain, immediately before mail.protection.outlook.com (HINT: Check your DNS records for MX entries)
- initialDomain: The domain you were given when joining O365 – Look for the OnMicrosoft domain!
- Here is my configuration for D3V1N.NET as an example:
D3V1N.NET Specific DNS Settings

| Hostname | Points To Address | TTL |
|---|---|---|
| selector1._domainkey.d3v1n.net | selector1-d3v1n-net._domainkey.d3v1n.onmicrosoft.com | 3600 (1 Hour) |
| selector2._domainkey.d3v1n.net | selector2-d3v1n-net._domainkey.d3v1n.onmicrosoft.com | 3600 (1 Hour) |
- BREAK! You may need to wait up to 48 hours for DNS to update – Once you have verified that DNS has been updated, proceed to the next step.
- In the left navigation, expand Admin and choose Exchange.
- Go to Protection > dkim.
- Select the domain for which you want to enable DKIM by left-clicking it; on the right you should see “Sign messages for this domain with DKIM signatures” – choose Enable.
Send an email to an address at an outside domain where you can read it, then inspect the message header to verify that DKIM is working!
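As an added example (not part of the original post), the following Python script works out the two CNAME records from the table above, given your custom domain, its Office 365 MX target and your OnMicrosoft initial domain, and then parses the DKIM-Signature header of the test message from the last step to confirm the mail was signed for the custom domain rather than only for the initial domain. The sample message, its placeholder `bh=`/`b=` values and the `test@` address are constructed for the example.

```python
import email
import re

def expected_dkim_cnames(domain, mx_target, initial_domain):
    """The two CNAMEs from the guide's table. domainGUID is the label in the
    Office 365 MX target that precedes mail.protection.outlook.com."""
    suffix = ".mail.protection.outlook.com"
    mx_target = mx_target.rstrip(".").lower()
    if not mx_target.endswith(suffix):
        raise ValueError(f"{mx_target} is not an Office 365 MX target")
    guid = mx_target[: -len(suffix)]
    return {f"selector{n}._domainkey.{domain.lower()}":
            f"selector{n}-{guid}._domainkey.{initial_domain.lower()}" for n in (1, 2)}

def dkim_signature_tags(raw_message):
    """Split the DKIM-Signature header into its tag=value pairs (None if absent)."""
    sig = email.message_from_string(raw_message)["DKIM-Signature"]
    if sig is None:
        return None
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # drop header folding whitespace
    return tags

def verify_o365_dkim_header(raw_message, domain, initial_domain):
    """Return (ok, reason); d= equal to the initial domain is the default-only case."""
    tags = dkim_signature_tags(raw_message)
    if not tags:
        return False, "no DKIM-Signature header: signing not enabled or DNS not ready"
    signed_for = tags.get("d", "").lower()
    if signed_for == initial_domain.lower():
        return False, f"signed only for initial domain {signed_for}; enable DKIM for {domain}"
    if signed_for != domain.lower():
        return False, f"signed for d={signed_for}, not {domain}"
    if tags.get("s") not in ("selector1", "selector2"):
        return False, f"unexpected selector s={tags.get('s')}"
    return True, f"signed for d={signed_for} with s={tags['s']}"

# Constructed sample: header shaped like an Office 365 signature, placeholder hash/signature.
SAMPLE_MESSAGE = """\
From: test@d3v1n.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=d3v1n.net; s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=PLACEHOLDERbodyhash=; b=PLACEHOLDERsignature=

test body
"""
```

To check a real message, paste its raw source (headers included) in place of `SAMPLE_MESSAGE`; the function only reads the `d=` and `s=` tags, it does not validate the signature itself.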