Note that if you use only the Microsoft Online Email Routing Address (MOERA) domain for outgoing email (for example, yourdomain.onmicrosoft.com), you don’t need to do anything to set up DKIM in Office 365.
Microsoft automatically creates a public-private key pair for your initial *.onmicrosoft.com domain and signs outbound messages with DKIM using the private key.
However, it is strongly recommended to configure DKIM for your custom domain or subdomain so that outbound email is DKIM-signed by the domain used in the “From” address. This matters for DMARC: a message passes DMARC on the basis of DKIM only if the domain that signed the message (the d= tag of the DKIM-Signature header) aligns with the domain in the “From” address. A message from alice@yourdomain.com that carries only the tenant’s yourdomain.onmicrosoft.com signature is therefore DKIM-valid but not DMARC-aligned.
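The alignment check described above, as an added example that is not part of the original article: it reads the From and DKIM-Signature headers of a raw message and reports whether any d= domain aligns with the From domain, in DMARC’s relaxed mode (organizational domain match, the adkim=r default) or strict mode (exact match). It does not verify the signature itself, and the organizational-domain helper is a deliberate simplification that takes the last two labels instead of consulting the Public Suffix List. The three messages are constructed samples, not captured mail.

```python
"""DMARC identifier alignment between DKIM d= and the From domain.

Added example (not from the original article).  Only alignment is
checked here; cryptographic verification of the signature is out of
scope.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import List


def org_domain(domain: str) -> str:
    """Naive organizational domain: the last two labels.

    Assumption: no Public Suffix List lookup, so co.uk-style suffixes
    are not handled; real DMARC evaluators consult the PSL.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dkim_signing_domains(msg) -> List[str]:
    """Return every d= tag found in the message's DKIM-Signature headers."""
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        unfolded = str(sig).replace("\r\n", "").replace("\n", "")
        for tag in unfolded.split(";"):
            name, _, value = tag.strip().partition("=")
            if name.strip().lower() == "d":
                domains.append(value.strip().lower())
    return domains


def dkim_aligned(raw_message: bytes, mode: str = "relaxed") -> bool:
    """True if at least one DKIM d= domain aligns with the From domain.

    mode='relaxed' accepts an organizational-domain match (DMARC default);
    mode='strict' requires the d= domain to equal the From domain exactly.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    _, from_addr = parseaddr(str(msg["From"]))
    from_domain = from_addr.rpartition("@")[2].lower()
    for d in dkim_signing_domains(msg):
        if mode == "strict" and d == from_domain:
            return True
        if mode == "relaxed" and org_domain(d) == org_domain(from_domain):
            return True
    return False


# Constructed samples (not real captured mail); signature values are dummies.
# Signed only by the tenant's MOERA domain: valid DKIM, but not aligned.
UNALIGNED = b"""From: Alice <alice@yourdomain.com>
To: bob@example.net
Subject: test
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=yourdomain.onmicrosoft.com; s=selector1; h=From:To:Subject;
 bh=ZmFrZWJvZHloYXNo; b=ZmFrZXNpZ25hdHVyZQ==

hello
"""

# Signed by the custom domain itself: aligned in both modes.
ALIGNED = UNALIGNED.replace(b"d=yourdomain.onmicrosoft.com", b"d=yourdomain.com")

# Signed by a subdomain: aligned in relaxed mode only.
SUBDOMAIN = UNALIGNED.replace(b"d=yourdomain.onmicrosoft.com", b"d=mail.yourdomain.com")

if __name__ == "__main__":
    for label, raw in (("MOERA-signed", UNALIGNED), ("custom-signed", ALIGNED),
                       ("subdomain-signed", SUBDOMAIN)):
        print(f"{label}: relaxed={dkim_aligned(raw)} strict={dkim_aligned(raw, 'strict')}")
```

Run it against a real message by saving the raw source (headers included) and passing its bytes to `dkim_aligned`; if the only signature present has `d=<tenant>.onmicrosoft.com`, DMARC will not pass on DKIM for your custom domain no matter how well the signature verifies.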
Requirements for Setting up DKIM in Office 365
To set up DKIM in Office 365 so that email is signed by your custom domain, make sure the following conditions are met:
- Administrator access: to enable DKIM in Office 365, you need administrative permissions in your Office 365 tenant.
- Domain verification: the domain must already be added to and verified in Office 365, that is, associated with your tenant and enabled for sending and receiving email.
- Domain properties: the custom domain or subdomain must appear on the DKIM tab of the Email authentication settings page and must have the following properties:
The “Sign messages for this domain with DKIM signatures” toggle is set to Disabled.
The Status shows “Not signing DKIM signatures for the domain.”
The “Rotate DKIM keys” button is grayed out.
- DNS access: you must be able to add records to the domain’s DNS zone, because turning on DKIM in Office 365 requires publishing two CNAME records.
How to Setup DKIM in Office 365
To configure DKIM in Office 365 so that outbound email is signed by your custom domain and passes DKIM alignment, follow these steps:
Step 1: Create DKIM Keys.
Start by logging in to the Microsoft Defender portal and navigating to Email & collaboration > Policies & rules > Threat policies > Email authentication settings, or go directly to the Email authentication settings page.
On the Email authentication settings page, open the DKIM tab and click the custom domain you want to configure.
In the domain properties, select the “Sign messages for this domain with DKIM signatures” toggle, which is currently set to Disabled.
Because the required DNS records do not exist yet, a dialog opens with the values for the two CNAME records you need to publish. They typically look like this:
Record 1 for DKIM Selector 1:
Host name: selector1._domainkey.yourdomain.com
Value: selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
Record 2 for DKIM Selector 2:
Host name: selector2._domainkey.yourdomain.com
Value: selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
Step 2: Publish CNAME Records in DNS.
In a new browser tab, sign in to your DNS provider’s management console, select the domain for which you are setting up DKIM, and add two CNAME records with the host names and values from the dialog. Copy the values exactly: the CNAME target is a host name in Microsoft’s zone where the actual public key (TXT record) lives, which is also why rotating DKIM keys later needs no change on your side. DNS changes can take 24-48 hours to propagate fully.
Step 3: Turn on DKIM Signing in Office 365.
After you have confirmed that the new DNS records have propagated, return to the DKIM tab, open the custom domain’s properties, and select the “Sign messages for this domain with DKIM signatures” toggle again.
Click OK to close the dialog that opens when you enable DKIM signing for the custom domain.
Verify the following properties for the domain:
The “Sign messages for this domain with DKIM signatures” toggle is set to Enabled.
The Status value is “Signing DKIM signatures for this domain.”
The “Rotate DKIM keys” button is active.
Click “Close” to close the domain properties.
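A small pre-flight check for Steps 1 to 3, as an added example that is not part of the original article or of Microsoft’s tooling: it derives the two CNAME host names and targets from the custom domain and the tenant’s initial *.onmicrosoft.com domain using the pattern shown in Step 1 (the custom domain’s dots become hyphens in the target label; applying the same rule to a subdomain such as mail.yourdomain.com is an assumption, so treat the portal dialog as authoritative), then compares a set of observed DNS answers against them so that you only flip the toggle in Step 3 once both records resolve correctly. The observed answers are constructed inputs; in practice you would fill them from `dig +short CNAME <host>` or `Resolve-DnsName -Type CNAME <host>`.

```python
"""Derive and verify the two DKIM CNAME records for an Office 365 domain.

Added example (not from the original article).  expected_dkim_cnames()
reproduces the selector1/selector2 pattern from Step 1; dns_ready()
tells you whether it is safe to enable signing (Step 3).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CnameRecord:
    host: str    # owner name to create in your own DNS zone
    target: str  # CNAME target in Microsoft's zone (holds the real key TXT)


def expected_dkim_cnames(custom_domain: str, moera_domain: str) -> List[CnameRecord]:
    """Build the selector1/selector2 CNAMEs for custom_domain.

    Target label = selector + '-' + custom domain with dots replaced by
    hyphens, e.g. selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com.
    Assumption: subdomains follow the same rule; confirm against the portal.
    """
    custom = custom_domain.lower().rstrip(".")
    moera = moera_domain.lower().rstrip(".")
    dashed = custom.replace(".", "-")
    return [
        CnameRecord(f"{sel}._domainkey.{custom}", f"{sel}-{dashed}._domainkey.{moera}")
        for sel in ("selector1", "selector2")
    ]


def normalize(name: Optional[str]) -> Optional[str]:
    """Lower-case and drop a trailing dot so 'Foo.Com.' compares equal to 'foo.com'."""
    return None if name is None else name.lower().rstrip(".")


def dns_ready(expected: List[CnameRecord],
              observed: Dict[str, Optional[str]]) -> Tuple[bool, List[str]]:
    """Compare observed CNAME answers (host -> target, or None) with expected.

    Returns (ready, problems).  ready is True only when every expected
    host resolves to exactly the expected target.
    """
    problems = []
    for rec in expected:
        seen = normalize(observed.get(rec.host))
        if seen is None:
            problems.append(f"{rec.host}: no CNAME published yet")
        elif seen != rec.target:
            problems.append(f"{rec.host}: points to {seen}, expected {rec.target}")
    return (not problems, problems)


# Constructed DNS answers (not real lookups), keyed by the queried host name.
# Fully published, with the case/trailing-dot variation resolvers often return.
OBSERVED_OK = {
    "selector1._domainkey.yourdomain.com":
        "Selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com.",
    "selector2._domainkey.yourdomain.com":
        "selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com.",
}
# Only selector1 published so far; selector2 still propagating or forgotten.
OBSERVED_PARTIAL = {
    "selector1._domainkey.yourdomain.com":
        "selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com",
}
# Both present, but the dots in the target were not turned into hyphens.
OBSERVED_TYPO = {
    "selector1._domainkey.yourdomain.com":
        "selector1-yourdomain.com._domainkey.yourdomain.onmicrosoft.com",
    "selector2._domainkey.yourdomain.com":
        "selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com",
}

if __name__ == "__main__":
    expected = expected_dkim_cnames("yourdomain.com", "yourdomain.onmicrosoft.com")
    for rec in expected:
        print(f"CNAME {rec.host} -> {rec.target}")
    for label, obs in (("ok", OBSERVED_OK), ("partial", OBSERVED_PARTIAL), ("typo", OBSERVED_TYPO)):
        ready, problems = dns_ready(expected, obs)
        print(label, "ready" if ready else "NOT ready", problems)
```

Only enable signing when `dns_ready` reports no problems; if you flip the toggle while a record is missing or wrong, Exchange Online will simply keep reporting the dialog from Step 1 and the domain stays in the “Not signing” state.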