How to enable DKIM in your Microsoft 365 tenant

This blog post will show you how to enable DKIM in your Microsoft 365 tenant.

TAKE NOTE: From the 1st of December, DKIM configuration will be removed from the Exchange Online Admin Portal and will be available in the Security & Compliance Center.

What is DKIM?

DomainKeys Identified Mail, or DKIM, is a technical standard that helps protect email senders and recipients from spam, spoofing, and phishing. It is a form of email authentication that allows an organization to claim responsibility for a message in a way that can be validated by the recipient.


How to enable/configure DKIM in Microsoft 365?

Security & Compliance Center

Go to https://protection.office.com/dkimv2 and sign in with your Global Administrator account.


Next, enable DKIM for your domain. You will receive an error if the CNAME records have not yet been created in your DNS zone. You can close this message by clicking OK.


You’re probably asking, which CNAME records do we need to create? Now, this is where the PowerShell magic comes in.

Windows PowerShell

First, let’s open an elevated PowerShell prompt and connect to Exchange Online. Install the Exchange Online module if needed.

Install-Module ExchangeOnlineManagement

Next up is to connect to Exchange Online by running the following command. Be sure you’ve got your Global Admin credentials by your side; you’re going to need them. By the way, did you already enable MFA for your Global Admins? Not yet? Check out my post about enabling MFA for all Global Admins with Conditional Access.

$UserCredential = Get-Credential
Connect-ExchangeOnline -Credential $UserCredential -ShowProgress $true

Now that we’re connected to Exchange Online, we can get started. We need to check if DKIM is enabled for our domains. I know, I’ve shown you this already through the GUI of the Security & Compliance portal, but this one is for our PowerShell aficionados.

# No identity given: lists the DKIM signing configuration of every domain in the tenant
Get-DkimSigningConfig

The above command will give you an overview of all domains in your tenant and whether DKIM is enabled for each of them.
(For a very strange reason it still shows some old domain names I once had in my tenant, but to be clear, it is the last domain name for which we will enable DKIM.)


The next step is to retrieve the CNAME (selector) records for our domain name by running the following PowerShell commands.

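# Replace domain.com with your own domain name
$domain = "domain.com"
# Retrieve the DKIM signing configuration and show both selector CNAME targets
$dkim = Get-DkimSigningConfig $domain
$dkim.Selector1Cname
$dkim.Selector2Cname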

The result will give you the two CNAME values that need to be added to the DNS zone of your domain. For example:

selector1-domain-com._domainkey.tenantname.onmicrosoft.com
selector2-domain-com._domainkey.tenantname.onmicrosoft.com

What information do you need to add those CNAME records to your domain name’s DNS zone?

Hostname: selector1._domainkey.domain.com (where domain.com is your own domain name)
Value: selector1-domain-com._domainkey.tenantname.onmicrosoft.com
TTL: 3600

Hostname: selector2._domainkey.domain.com (where domain.com is your own domain name)
Value: selector2-domain-com._domainkey.tenantname.onmicrosoft.com
TTL: 3600

Result:

Once those CNAME records have been added to your domain name’s DNS zone, you can enable DKIM for your domain from the Security & Compliance Center.


After synchronization is done, DKIM will be enabled on your domain.
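
The check below is an added example, not part of the original post: it compares the CNAME records published in DNS with the values Exchange Online reports, and only enables DKIM when both selectors match. It assumes an active Connect-ExchangeOnline session, the Windows Resolve-DnsName cmdlet, and the placeholder domain domain.com.

```powershell
# Added example (not from the original post).
# Assumes: Connect-ExchangeOnline has already been run and the DnsClient module is available.
$domain = "domain.com"   # placeholder: replace with your own domain name

# Ask Exchange Online which CNAME targets it expects for this domain
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction Stop

# Hostname in your DNS zone -> target reported by Exchange Online
$expected = [ordered]@{
    "selector1._domainkey.$domain" = $dkim.Selector1CNAME
    "selector2._domainkey.$domain" = $dkim.Selector2CNAME
}

$allGood = $true
foreach ($hostname in $expected.Keys) {
    $target = $expected[$hostname].TrimEnd('.')

    # Look up what is actually published; ignore SOA/authority answers
    $answer = Resolve-DnsName -Name $hostname -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' } |
        Select-Object -First 1

    if (-not $answer) {
        Write-Warning "$hostname : no CNAME record found (not created yet, or not propagated)"
        $allGood = $false
    }
    elseif ($answer.NameHost.TrimEnd('.') -ne $target) {
        # -ne is case-insensitive for strings, which matches DNS name comparison
        Write-Warning "$hostname : points to $($answer.NameHost), expected $target"
        $allGood = $false
    }
    else {
        Write-Host "$hostname : OK -> $target"
    }
}

if ($allGood) {
    # PowerShell equivalent of switching DKIM on in the portal
    Set-DkimSigningConfig -Identity $domain -Enabled $true
    Get-DkimSigningConfig -Identity $domain | Format-List Domain, Enabled
}
else {
    Write-Warning "DKIM not enabled for $domain. Fix the records above and run the check again."
}
```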


More information about DKIM can be found in the Microsoft Docs.

Nicky De Westelinck

Nicky De Westelinck is a Modern Workplace Expert for Arxus with several years of experience in Microsoft 365. His main focus is Microsoft Intune and Microsoft 365 Administration. He is also a Microsoft Certified Trainer since 2021.
