Enable DKIM for Exchange Online
Overview
DomainKeys Identified Mail (DKIM) is an email authentication mechanism that allows receiving mail servers to verify that an email message was sent by an authorized domain and has not been altered in transit.
Enabling DKIM for Exchange Online helps:
- Prevent outbound domain spoofing
- Improve domain reputation and deliverability
- Strengthen DMARC enforcement
- Increase recipient trust in your emails
If you are searching for how to enable DKIM in Office 365 or Exchange Online, this guide explains how to generate DKIM keys, add the DNS records, enable DKIM per domain, and verify the configuration.
Why DKIM Is Important
Without DKIM:
- Attackers can attempt to spoof your domain.
- Your emails may fail DMARC checks.
- Deliverability may suffer.
- Brand trust may decrease.
DKIM digitally signs outgoing emails using a private key. The recipient server validates the signature using a public key published in your DNS records.
When properly configured, DKIM ensures message integrity and domain authenticity.
Licensing Requirements
DKIM signing for Exchange Online is available in:
- Exchange Online (included in Microsoft 365)
- Microsoft 365 Business plans
- Microsoft 365 E3
- Microsoft 365 E5
No additional Defender license is required to enable DKIM signing.
How DKIM Works in Exchange Online
Exchange Online:
- Generates the cryptographic key pair for each domain.
- Uses the private key to sign outbound messages.
- Publishes the public key in DNS; the CNAME records you add point your domain's selectors at it.
Recipient mail servers validate the signature against that public key. If the signature matches, the message is authenticated.
Step-by-Step: Enable DKIM for Exchange Online
Step 1: Identify Domains
DKIM must be enabled per domain.
To view accepted domains:
- Go to Microsoft 365 Admin Center.
- Navigate to Settings → Domains.
- Confirm the domain is verified and active.
DKIM must be enabled for each custom domain individually.
Step 2: Generate DKIM Keys
- Go to the Microsoft 365 Defender Portal: https://security.microsoft.com
- Navigate to: Email & Collaboration → Policies & Rules → Threat Policies → DKIM
- Select your domain.
If DKIM is not configured, you will see an option to create keys.
Microsoft automatically generates:
- A private signing key (stored securely by Microsoft)
- A public key (to be published in DNS)
Step 3: Add DNS Records
Microsoft will provide two CNAME records.
They typically look like:
selector1._domainkey.yourdomain.com → selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
selector2._domainkey.yourdomain.com → selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
Add Records in Your DNS Provider
- Log in to your DNS hosting provider.
- Create two CNAME records.
- Copy values exactly as provided by Microsoft.
- Save changes.
DNS propagation may take up to 24 hours.
Step 4: Enable DKIM Signing Per Domain
Once DNS records are validated:
- Return to the DKIM section in Microsoft Defender.
- Select your domain.
- Click Enable.
DKIM signing is now active for that domain.
Repeat this process for each domain.
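The same Steps 1 to 4 carried out from Exchange Online PowerShell instead of the portal, as an added example that is not part of the original guide. It assumes the ExchangeOnlineManagement module is installed and uses placeholder values for the domain and administrator account.

```powershell
# Added example (not from the original guide): Steps 1-4 performed from
# Exchange Online PowerShell (ExchangeOnlineManagement module) instead of the
# portal. The domain and administrator account below are placeholders.
$Domain = 'yourdomain.com'
$Admin  = 'admin@yourtenant.onmicrosoft.com'

Connect-ExchangeOnline -UserPrincipalName $Admin

# Step 1: the domain must be an accepted (verified) domain in the tenant.
if (-not (Get-AcceptedDomain | Where-Object { $_.DomainName -eq $Domain })) {
    throw "$Domain is not an accepted domain in this tenant"
}

# Step 2: create the signing configuration (key pair) if it does not exist,
# leaving signing disabled until the DNS records are in place.
$dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
if (-not $dkim) {
    New-DkimSigningConfig -DomainName $Domain -Enabled $false | Out-Null
    $dkim = Get-DkimSigningConfig -Identity $Domain
}

# Step 3: the CNAME targets Microsoft expects; publish them under these names.
$expected = @{
    "selector1._domainkey.$Domain" = $dkim.Selector1CNAME
    "selector2._domainkey.$Domain" = $dkim.Selector2CNAME
}
$expected.GetEnumerator() | ForEach-Object { '{0} -> {1}' -f $_.Key, $_.Value }

# Resolve both names and compare with the expected targets; enabling before
# propagation is one of the misconfigurations listed later in this guide.
$dnsReady = $true
foreach ($name in $expected.Keys) {
    $rr = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if (-not $rr -or $rr.NameHost.TrimEnd('.') -ne $expected[$name]) {
        Write-Warning "$name does not yet resolve to $($expected[$name])"
        $dnsReady = $false
    }
}

# Step 4: enable signing only once DNS is correct, then confirm the status.
if ($dnsReady) {
    Set-DkimSigningConfig -Identity $Domain -Enabled $true
    Get-DkimSigningConfig -Identity $Domain |
        Format-List Identity, Enabled, Selector1CNAME, Selector2CNAME
} else {
    Write-Warning 'DNS not ready; re-run after propagation before enabling DKIM.'
}
```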
Verification
Method 1: Use Microsoft 365 Portal
After enabling, status should show as:
- Enabled
Method 2: Send Test Email
- Send a test email to an external mailbox (e.g., Gmail).
- View full message headers.
- Confirm the presence of:
dkim=pass
If DKIM shows as pass, the configuration is successful.
DKIM and DMARC Interaction
DKIM plays a critical role in DMARC alignment.
DMARC requires:
- SPF pass OR
- DKIM pass
AND alignment of the passing mechanism's domain with the From: domain.
If DKIM is not enabled:
- DMARC enforcement may fail.
- Spoofing risk increases.
- Deliverability may decrease.
For strong domain protection:
- Enable DKIM
- Configure SPF correctly
- Enforce DMARC with p=quarantine or p=reject
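For the header check in Method 2 and the alignment rule described in this section, the following is an added example (not part of the original guide) that unfolds the Authentication-Results header of a received test message, confirms dkim=pass, and checks that the DKIM signing domain (header.d) aligns with the From: domain. The headers are constructed sample input; the receiving host name and addresses are placeholders.

```powershell
# Added example (not from the original guide): unfold the Authentication-Results
# header of a test message, confirm dkim=pass, and check DMARC alignment between the
# DKIM signing domain (header.d) and the From: domain. The headers are constructed
# sample input; the receiving host and addresses are placeholders.
function Get-UnfoldedHeader {
    param([string]$RawHeaders, [string]$HeaderName)
    # Header values may be folded across lines that begin with whitespace (RFC 5322).
    $value = $null
    foreach ($line in ($RawHeaders -split "`r?`n")) {
        if ($null -ne $value) {
            if ($line -match '^\s+(.*)$') { $value += ' ' + $Matches[1]; continue }
            break
        }
        if ($line -match "^${HeaderName}:\s*(.*)") { $value = $Matches[1] }
    }
    return $value
}

function Get-OrgDomain {
    param([string]$DomainName)
    # Relaxed DMARC alignment compares organizational domains. Taking the last two
    # labels is an approximation; a full check consults the Public Suffix List.
    ($DomainName.ToLower().TrimEnd('.') -split '\.')[-2..-1] -join '.'
}

function Test-DkimAlignment {
    param([string]$RawHeaders)
    $auth = Get-UnfoldedHeader -RawHeaders $RawHeaders -HeaderName 'Authentication-Results'
    $from = Get-UnfoldedHeader -RawHeaders $RawHeaders -HeaderName 'From'
    $fromDomain = if ($from -match '@([A-Za-z0-9.-]+)') { $Matches[1].ToLower() } else { $null }
    # Authentication-Results is ';'-separated: the authserv-id, then method=result clauses.
    $dkim = $auth -split ';' | Where-Object { $_ -match '^\s*dkim=' } | Select-Object -First 1
    $pass = [bool]($dkim -and ($dkim -match '^\s*dkim=pass\b'))
    $signer = if ($dkim -match 'header\.d=([^\s;]+)') { $Matches[1].ToLower() } else { $null }
    $aligned = $pass -and $signer -and $fromDomain -and ((Get-OrgDomain $signer) -eq (Get-OrgDomain $fromDomain))
    [pscustomobject]@{ DkimPass = $pass; SigningDomain = $signer; FromDomain = $fromDomain; Aligned = [bool]$aligned }
}

# Constructed headers of a test message, as shown by an external mailbox's "view original".
$sampleHeaders = @'
Authentication-Results: mx.recipient.example;
 dkim=pass header.i=@yourdomain.com header.s=selector1 header.d=yourdomain.com;
 spf=pass smtp.mailfrom=yourdomain.com;
 dmarc=pass action=none header.from=yourdomain.com
From: Test Sender <user@yourdomain.com>
'@
Test-DkimAlignment -RawHeaders $sampleHeaders
```

Paste the real headers of your own test message into $sampleHeaders; a message that reports DkimPass but not Aligned is signed by a domain that will not satisfy DMARC for your From: domain.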
Common Misconfigurations
- DNS records added incorrectly
- DKIM enabled before DNS propagation
- Enabling DKIM only for the primary domain and not for subdomains
- Leaving DMARC at p=none after DKIM setup
- Not validating via header testing
Always verify configuration after enabling.
Key Points to Remember
- DKIM must be enabled per domain.
- DNS accuracy is critical.
- DKIM improves domain trust and reputation.
- DKIM alone does not stop phishing — combine with DMARC and Anti-Phishing policies.
- Regularly review authentication reports.
Frequently Asked Questions
Is DKIM enabled by default in Office 365?
No. DKIM must be manually enabled for each custom domain.
Do I need Defender for Office 365 to enable DKIM?
No. DKIM signing is available in Exchange Online without additional Defender licensing.
How long does DNS propagation take?
Typically a few minutes to 24 hours depending on your DNS provider.
What happens if DKIM fails?
Messages may fail DMARC checks and be marked as suspicious by recipient servers.
Should I rotate DKIM keys?
Microsoft manages key rotation automatically when using Exchange Online.
Summary
Enabling DKIM for Exchange Online strengthens outbound email authentication, prevents domain spoofing, and improves domain trust.
To ensure proper configuration:
- Generate DKIM keys in Microsoft 365
- Add required DNS CNAME records
- Enable DKIM per domain
- Verify using message headers
DKIM is a foundational component of a secure email authentication strategy and should be implemented alongside SPF and DMARC enforcement.