To configure DKIM in Office 365 / M365: open the Microsoft Defender portal (security.microsoft.com) → Email & collaboration → Policies → Email Authentication → DKIM. Select your custom domain, publish the two CNAME records Microsoft provides at selector1._domainkey and selector2._domainkey, then toggle Enable. Verify with mail-tester.com. Default selectors are selector1 and selector2 (two keys for rotation).
Office 365 DKIM Setup: The Complete Guide
What Office 365 DKIM Setup Looks Like in 2026
Microsoft 365 (formerly Office 365, sometimes M365) handles DKIM differently from most ESPs. Instead of asking you to publish a TXT record with the public key, Microsoft asks you to publish two CNAME records that point to Microsoft's hosted DKIM keys. Microsoft rotates the keys for you.
This is convenient (automatic rotation) but means you can't bring your own DKIM keys for Microsoft-sent mail.
Step-by-Step Configure DKIM Office 365
1. Verify your custom domain in Microsoft 365
Microsoft 365 Admin Center → Settings → Domains. Your sending domain (e.g., yourdomain.com) must be added and verified.
2. Open the Defender Portal
Navigate to security.microsoft.com → Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM.
3. Select your domain
The DKIM page lists your custom domains. Click the one you want to enable.
4. Get the CNAME records
Microsoft displays two CNAME records:
selector1._domainkey.yourdomain.com CNAME selector1-yourdomain-com._domainkey.tenant.onmicrosoft.com
selector2._domainkey.yourdomain.com CNAME selector2-yourdomain-com._domainkey.tenant.onmicrosoft.com
The tenant portion will be your Microsoft 365 tenant name (typically <yourcompany>.onmicrosoft.com).
5. Publish CNAMEs in DNS
Go to your DNS provider (Cloudflare, GoDaddy, Route 53, etc.) and add both CNAME records exactly as Microsoft specified.
6. Wait for DNS propagation
Usually under an hour, sometimes up to 24 hours.
7. Enable DKIM
Return to the Defender Portal DKIM page. Toggle "Sign messages for this domain with DKIM signatures" → Enable. If DNS hasn't propagated, you'll get a verification error — wait and retry.
8. Verify
Send a test message to [email protected]. The result should show DKIM pass with selector1 or selector2.
Alternative: PowerShell Method
For admins comfortable with Exchange Online PowerShell:
Connect-ExchangeOnline
New-DkimSigningConfig -DomainName yourdomain.com -Enabled $true
This creates the config; you still need to publish the CNAME records and enable after DNS propagation.
Setting Up SPF Office 365 Alongside DKIM
You also need SPF for Office 365 / Outlook SPF. The standard record:
v=spf1 include:spf.protection.outlook.com -all
If you send from other services (SendGrid, Mailgun, marketing platforms), include those too:
v=spf1 include:spf.protection.outlook.com include:_spf.google.com include:sendgrid.net -all
See SPF for Microsoft 365 setup for full details.
Common M365 DKIM Setup Issues
"No DKIM keys saved for this domain"
You haven't published the CNAMEs yet, or DNS hasn't propagated. Verify with dig CNAME selector1._domainkey.yourdomain.com (Linux/Mac) or nslookup -type=cname selector1._domainkey.yourdomain.com (Windows).
"CNAME does not match"
The CNAME target string from Microsoft must be copied exactly. Some DNS interfaces add a trailing period or .tld.tld. suffix — strip those if so.
Signing enabled but messages still show "dkim=none"
Check that the From: domain in your test message matches the domain you enabled DKIM for. Office 365 won't sign for domains it doesn't host.
Old DKIM keys missing after migration
If you migrated from another ESP, the old DKIM CNAMEs may still be present. Microsoft uses its own selectors (selector1, selector2), so old selectors don't conflict — but you should clean them up.
Where to Verify DKIM in M365
After setup, you can monitor DKIM status:
- Defender Portal: shows current key state and rotation history
- Test email to mail-tester.com: real-world verification
- MXToolbox DKIM Lookup:
mxtoolbox.com/SuperTool.aspx→ DKIM Lookup →selector1._domainkey:yourdomain.com - DMARC reports: aggregate reports show DKIM result per source
Microsoft 365 DKIM vs Bring-Your-Own DKIM
Microsoft uses its own keys by default and rotates them automatically. This is simpler but means:
- You can't share DKIM keys across ESPs
- You're trusting Microsoft to manage rotation
- Selectors are fixed (selector1, selector2)
If you need custom DKIM keys (e.g., for compliance or unified key management), Microsoft doesn't support it natively. You'd need a third-party signing service in front of Office 365 — rare in practice.
Practitioner note: The "where can I see the DKIM in M365" question comes up constantly because Microsoft's portal has been reorganized three times in the past two years. As of 2026, it lives under security.microsoft.com → Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM. The path may change again.
Practitioner note: A common Office 365 DKIM mistake: enabling DKIM in the Defender portal before the CNAMEs propagate. You'll get a verification error and Microsoft will tell you the keys aren't saved. Wait 1-4 hours after publishing DNS records before toggling Enable. If you're impatient, manually flush DNS cache with
ipconfig /flushdns.
Practitioner note: For organizations sending from Office 365 plus marketing platforms (Klaviyo, Mailchimp, HubSpot), Office 365 handles its own DKIM but the marketing platforms each need their own DKIM setup with their own selectors. Don't expect Office 365 DKIM to cover non-Office-365 sends.
If you're configuring DKIM for Office 365 alongside other sending sources and need help with the full authentication stack, book a consultation. I configure SPF, DKIM, and DMARC across multi-ESP environments regularly.
Sources
- Microsoft: Configure DKIM in Microsoft 365
- Microsoft: DKIM authentication overview
- PowerDMARC: Microsoft Office 365 DKIM setup
- MXToolbox: Outbound email sources Office 365
v1.0 · May 2026
Frequently Asked Questions
Where can I see the DKIM in M365?
In Microsoft 365: open security.microsoft.com (Defender portal) → Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM. Your custom domains are listed with current DKIM status. Click a domain to see the CNAME records to publish and the current key state.
How to configure DKIM in Office 365?
Steps: 1) Add your custom domain to Microsoft 365 (Admin Center → Settings → Domains). 2) Go to Defender Portal → Email Authentication → DKIM. 3) Select the domain. 4) Microsoft generates CNAME records — publish selector1._domainkey and selector2._domainkey CNAMEs in your DNS. 5) Wait for DNS propagation. 6) Toggle Enable in the Defender Portal.
What's the difference between DKIM for Office 365 and Outlook DKIM?
Same thing in most contexts. 'Office 365 DKIM' and 'Outlook DKIM' both refer to Microsoft's cloud email service (now branded Microsoft 365 / M365). For a personal Outlook.com account, DKIM is automatic — you don't configure it. For business custom domains via Office 365/M365, you configure DKIM per the steps above.
Do I need DKIM for Office 365 even if I have SPF?
Yes. SPF and DKIM serve different purposes — SPF lists authorized servers; DKIM cryptographically signs messages. SPF Office 365 alone leaves you vulnerable to spoofing on the visible From: address. DMARC requires SPF or DKIM alignment, and DKIM alignment usually works better than SPF (especially for forwarded mail). Set up both.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.