This blog post will show you how to enable DKIM in your Microsoft 365 tenant.
TAKE NOTE: From the 1st of December, DKIM configuration will be removed from the Exchange Online Admin Portal and will be available in the Security & Compliance Center.

What is DKIM?
“DomainKeys Identified Mail, or DKIM, is a technical standard that helps protect email senders and recipients from spam, spoofing, and phishing. It is a form of email authentication that allows an organization to claim responsibility for a message in a way that can be validated by the recipient.”

How to enable/configure DKIM in Microsoft 365?
Security & Compliance Center
Go to https://protection.office.com/dkimv2 and sign in with your Global Administrator account.

Next, when you enable DKIM you will receive an error if the CNAME records have not yet been created in your DNS zone. You can close this message by clicking OK.

You’re probably asking, which CNAME records do we need to create? Now, this is where the PowerShell magic comes in.
Windows PowerShell
First, let’s open an elevated PowerShell prompt and connect to Exchange Online. Install the Exchange Online module if needed.
Install-Module ExchangeOnlineManagement
Next up is to connect to Exchange Online by running the following commands. Be sure you’ve got your Global Admin credentials by your side; you’re going to need them. By the way, did you already enable MFA for your Global Admins? Not yet? Check out my post about enabling MFA for all Global Admins with Conditional Access.
$UserCredential = Get-Credential
Connect-ExchangeOnline -Credential $UserCredential -ShowProgress $true

Now that we’re connected to Exchange Online, we can get started. We need to check if DKIM is enabled for our domains. I know, I’ve shown you this already through the GUI of the Security & Compliance portal, but this one is for our PowerShell aficionados.
Get-DkimSigningConfig $domain
The above command will give you an overview of all domains in your tenant and whether DKIM is enabled for each.
(For a very strange reason it still shows some old domain names I once had in my tenant, but to be clear, it is for the last domain name that we will enable DKIM.)

The next step is to retrieve the CNAME (selector) records for our domain name by running the following PowerShell commands.
$dkim = Get-DkimSigningConfig $domain
$dkim.Selector1Cname
$dkim.Selector2Cname
The result will give you 2 CNAME records that need to be added to the DNS zone of your domain. An example of such a record will be:
selector1-domain-com._domainkey.tenantname.onmicrosoft.com
selector2-domain-com._domainkey.tenantname.onmicrosoft.com
What information do you need to add those CNAME records to your domain name’s DNS zone?
Hostname: selector1._domainkey.domain.com (where domain.com is your own domain name)
Value: selector1-domain-com._domainkey.tenantname.onmicrosoft.com
TTL: 3600
Hostname: selector2._domainkey.domain.com (where domain.com is your own domain name)
Value: selector2-domain-com._domainkey.tenantname.onmicrosoft.com
TTL: 3600
Result:
After adding those CNAME records to your domain name’s DNS zone, you will get the following result when you enable DKIM for your domain from the Security & Compliance Center.

After synchronization is done, DKIM will be enabled on your domain.
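The steps above can be combined into one check that confirms both selector CNAMEs resolve to the expected targets before DKIM is switched on, which avoids the missing-CNAME error. This is an added example, not part of the original post; it assumes an existing Connect-ExchangeOnline session and a Windows host (Resolve-DnsName), and 'domain.com' is a placeholder for your own domain.

```powershell
# Added example: verify the DKIM selector CNAMEs in DNS, then enable signing.
# Assumption: 'domain.com' is a placeholder; replace it with your own domain.
$domain = 'domain.com'

# Ask Exchange Online which CNAME targets it expects for this domain
$dkim = Get-DkimSigningConfig -Identity $domain

# Hostname to publish -> target Microsoft 365 expects it to point at
$expected = [ordered]@{
    "selector1._domainkey.$domain" = $dkim.Selector1Cname
    "selector2._domainkey.$domain" = $dkim.Selector2Cname
}

$allGood = $true
foreach ($hostname in $expected.Keys) {
    $target = $expected[$hostname].TrimEnd('.')

    # A missing record yields no CNAME answer; filter out any SOA returned instead
    $answer = Resolve-DnsName -Name $hostname -Type CNAME -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' } |
        Select-Object -First 1

    if (-not $answer) {
        Write-Warning "$hostname : no CNAME record found"
        $allGood = $false
    }
    elseif ($answer.NameHost.TrimEnd('.') -ne $target) {
        # Record exists but points somewhere else (typo or wrong tenant name)
        Write-Warning "$hostname : points to $($answer.NameHost), expected $target"
        $allGood = $false
    }
    else {
        Write-Host "$hostname : OK -> $target"
    }
}

if ($allGood) {
    # Both records are visible in DNS, so enabling DKIM should not raise the CNAME error
    Set-DkimSigningConfig -Identity $domain -Enabled $true
    Get-DkimSigningConfig -Identity $domain | Format-List Domain, Enabled
}
else {
    Write-Warning "DKIM not enabled for $domain; fix the records above and run the check again."
}
```

A freshly created record may not be visible to your resolver until DNS has propagated, so a "no CNAME record found" warning right after the change does not necessarily mean the record is wrong.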

More information about DKIM can be found in the Microsoft Docs.