In Microsoft 365 Defender, go to Email & collaboration > Policies > Threat policies > Email authentication settings > DKIM. Select your domain and click Enable. Microsoft requires two CNAME records: selector1._domainkey and selector2._domainkey pointing to selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com. Add both CNAMEs to DNS, then enable signing.
DKIM for Microsoft 365: Complete Setup Guide
Why Custom DKIM Matters in M365
Microsoft 365 does sign outbound email with DKIM by default — but it signs using your .onmicrosoft.com domain. That means DKIM passes, but it won't align with your custom domain for DMARC purposes.
If you want DMARC to pass on DKIM alignment (and you do), you need to set up custom DKIM signing.
Create the CNAME Records
Microsoft requires two CNAME records. The format is:
Record 1:
- Host: selector1._domainkey
- Type: CNAME
- Value: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
Record 2:
- Host: selector2._domainkey
- Type: CNAME
- Value: selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
Replace yourdomain-com with your domain (dots replaced by hyphens) and yourtenant with your Microsoft 365 tenant name.
Practitioner note: The most common mistake I see with M365 DKIM is getting the CNAME value wrong. People use dots instead of hyphens in the domain portion.
selector1-example-com._domainkey is correct. selector1-example.com._domainkey is wrong and will silently fail.
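As an added example (not code from this guide or from Microsoft), the Python below builds both CNAME records from a custom domain and a tenant name, renders them as zone-file lines, and checks a CNAME target for the hyphen-versus-dot mistake described above. The domain example.com and tenant name contoso are constructed placeholders, and the function names are my own.

```python
import re
from typing import Dict, List

# Hypothetical helpers (added example, not Microsoft tooling) for the two CNAME
# records Microsoft 365 expects before it will sign with a custom domain.

def build_dkim_cnames(domain: str, tenant: str) -> List[Dict[str, str]]:
    """Return the selector1/selector2 CNAME records for `domain` in tenant `tenant`.

    The target encodes the custom domain with dots replaced by hyphens, e.g.
    example.com -> selector1-example-com._domainkey.contoso.onmicrosoft.com
    """
    domain = domain.strip().lower().rstrip(".")
    tenant = tenant.strip().lower()
    hyphenated = domain.replace(".", "-")   # the step people most often get wrong
    return [
        {
            "host": f"{selector}._domainkey",   # relative name inside your zone
            "type": "CNAME",
            "value": f"{selector}-{hyphenated}._domainkey.{tenant}.onmicrosoft.com",
        }
        for selector in ("selector1", "selector2")
    ]


def to_zone_lines(domain: str, records: List[Dict[str, str]]) -> List[str]:
    """Render the records as BIND-style zone file lines with fully qualified names."""
    return [f"{r['host']}.{domain}. IN {r['type']} {r['value']}." for r in records]


# Shape of a correct target: <selector>-<hyphenated domain>._domainkey.<tenant>.onmicrosoft.com
_TARGET_RE = re.compile(
    r"^(selector[12])-([a-z0-9-]+)\._domainkey\.([a-z0-9-]+)\.onmicrosoft\.com$"
)


def check_cname_target(value: str) -> List[str]:
    """Return the problems found in a CNAME target; an empty list means it looks correct."""
    problems: List[str] = []
    v = value.strip().lower().rstrip(".")
    if not v.endswith(".onmicrosoft.com"):
        problems.append("target must end with .onmicrosoft.com")
    if "._domainkey." not in v:
        problems.append("target must contain ._domainkey.")
    else:
        head = v.split("._domainkey.", 1)[0]
        # The guide's most common mistake: dots left in the domain portion
        # (selector1-example.com... instead of selector1-example-com...).
        if "." in head:
            problems.append("domain portion before ._domainkey must use hyphens, not dots")
    if not problems and not _TARGET_RE.match(v):
        problems.append("target does not match the expected Microsoft 365 format")
    return problems


if __name__ == "__main__":
    recs = build_dkim_cnames("example.com", "contoso")   # constructed placeholder names
    for line in to_zone_lines("example.com", recs):
        print(line)
    print(check_cname_target("selector1-example.com._domainkey.contoso.onmicrosoft.com"))
```

Run check_cname_target against the value you are about to paste into your DNS console; a non-empty list is the mistake the Defender portal's "CNAME record does not exist" error is usually pointing at.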
Enable DKIM Signing
- Go to Microsoft 365 Defender
- Navigate to Email & collaboration > Policies & rules > Threat policies
- Click Email authentication settings
- Select the DKIM tab
- Select your domain
- Toggle Sign messages for this domain with DKIM signatures to Enabled
If the CNAME records haven't propagated yet, you'll get an error. Wait and try again.
Verify It's Working
Send a test email to a Gmail address and check the original message headers:
Authentication-Results: mx.google.com;
       dkim=pass header.i=@yourdomain.com header.s=selector1
The header.s=selector1 confirms Microsoft is signing with your custom DKIM key.
Practitioner note: Microsoft rotates DKIM keys automatically between selector1 and selector2 — that's the whole point of having two CNAME records. Don't be alarmed if you see selector2 being used instead of selector1 at some point.
Troubleshooting
"CNAME record does not exist": Double-check the full CNAME value. It should end with .onmicrosoft.com, and your domain should use hyphens, not dots.
DKIM passes but DMARC fails: You're probably still signing with the default .onmicrosoft.com key. Verify custom signing is enabled in Defender.
Multiple domains: Each custom domain in M365 needs its own pair of CNAME records. Secondary and alias domains don't inherit DKIM configuration.
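The verification step above and the "DKIM passes but DMARC fails" case can both be checked mechanically. The Python below is an added example, not code from this guide: it parses the dkim clause of an Authentication-Results header, extracts the signing domain and selector, and reports whether the signature aligns with the From: domain the way DMARC requires. The three sample headers are constructed, not real captures; the function names are mine; and the organizational-domain logic is a simplified approximation (last two labels) rather than a Public Suffix List lookup.

```python
import re
from typing import Dict

# Selectors Microsoft 365 rotates between for custom-domain signing.
M365_SELECTORS = {"selector1", "selector2"}

# Constructed sample headers (not real captures) for the three cases the guide discusses.
SAMPLE_CUSTOM = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=selector2 header.b=AbCdEf12;
       spf=pass smtp.mailfrom=example.com"""

SAMPLE_DEFAULT = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@contoso.onmicrosoft.com header.s=selector1 header.b=Zz9900;
       spf=pass smtp.mailfrom=example.com"""

SAMPLE_FAIL = """Authentication-Results: mx.google.com;
       dkim=fail (body hash did not verify) header.i=@example.com header.s=selector1"""


def parse_dkim_result(auth_results: str) -> Dict[str, str]:
    """Return the dkim=<result> clause and its header.* properties as a dict.

    Example: {"result": "pass", "i": "@example.com", "s": "selector2", "b": "AbCdEf12"}.
    An empty dict means no dkim clause was found.
    """
    # Unfold RFC 5322 continuation lines so the clause can be matched on one line.
    flat = re.sub(r"\r?\n[ \t]+", " ", auth_results)
    # Optional parenthesised comment after the result, then any header.x=y properties.
    m = re.search(r"\bdkim=(\w+)(?:\s*\([^)]*\))?((?:\s+header\.\w+=\S+)*)", flat)
    if not m:
        return {}
    props = {"result": m.group(1).lower()}
    for key, val in re.findall(r"header\.(\w+)=(\S+)", m.group(2)):
        props[key] = val.rstrip(";")
    return props


def _org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.

    Assumption: real DMARC relaxed alignment uses the Public Suffix List; this
    shortcut is fine for example.com-style domains but wrong for e.g. co.uk.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_m365_dkim_alignment(auth_results: str, from_domain: str,
                              strict: bool = False) -> Dict[str, object]:
    """Report whether DKIM passed and whether it aligns with the From: domain.

    strict=False applies DMARC relaxed alignment (organizational domain match);
    strict=True requires an exact domain match.
    """
    props = parse_dkim_result(auth_results)
    result = props.get("result", "")
    # Gmail reports the signing identity as header.i=@domain; other verifiers use header.d=domain.
    signing_domain = (props.get("d") or props.get("i", "").split("@")[-1]).lower()
    selector = props.get("s", "")
    from_domain = from_domain.lower()
    dkim_pass = result == "pass"
    if not signing_domain:
        aligned = False
    elif strict:
        aligned = signing_domain == from_domain
    else:
        aligned = _org_domain(signing_domain) == _org_domain(from_domain)

    if not dkim_pass:
        diagnosis = f"DKIM did not pass (result={result or 'missing'})"
    elif signing_domain.endswith(".onmicrosoft.com"):
        diagnosis = ("DKIM passes but uses the default .onmicrosoft.com key; "
                     "enable custom signing in Defender")
    elif not aligned:
        diagnosis = f"DKIM passes for {signing_domain} but does not align with {from_domain}"
    elif selector not in M365_SELECTORS:
        diagnosis = f"DKIM passes and aligns, but selector {selector!r} is not a Microsoft 365 selector"
    else:
        diagnosis = f"DKIM passes and aligns; Microsoft 365 is signing with {selector}"

    return {"dkim_pass": dkim_pass, "aligned": aligned, "signing_domain": signing_domain,
            "selector": selector, "diagnosis": diagnosis}


if __name__ == "__main__":
    for label, hdr in (("custom", SAMPLE_CUSTOM), ("default", SAMPLE_DEFAULT), ("fail", SAMPLE_FAIL)):
        print(label, "->", check_m365_dkim_alignment(hdr, "example.com")["diagnosis"])
```

Paste the Authentication-Results header from a test message's original headers in place of the samples; the second sample is exactly what the "DKIM passes but DMARC fails" symptom looks like, and the diagnosis string tells you which fix applies.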
For the full M365 authentication setup including SPF and DMARC, see the Microsoft 365 email auth guide. For complex M365 environments with multiple domains, shared mailboxes, and third-party integrations, schedule a consultation — I'll make sure every sending path is authenticated correctly.
Sources
- Microsoft: Use DKIM for email in your custom domain
- Microsoft: DKIM FAQ
- RFC 6376: DomainKeys Identified Mail (DKIM) Signatures
- MXToolbox: DKIM Record Lookup
v1.0 · April 2026
Frequently Asked Questions
How do I enable DKIM in Microsoft 365?
Add two CNAME records (selector1._domainkey and selector2._domainkey) to your DNS, then enable DKIM signing in Microsoft 365 Defender under Email authentication settings > DKIM.
What DKIM selectors does Microsoft 365 use?
Microsoft 365 uses selector1 and selector2. Two selectors allow automatic key rotation — Microsoft rotates keys periodically without requiring you to update DNS records.
Why does Microsoft 365 use CNAME records for DKIM instead of TXT?
CNAME records delegate the DKIM key to Microsoft's infrastructure, allowing them to rotate keys automatically. You never have to update the DNS record — Microsoft handles rotation on their end.
How long does Microsoft 365 DKIM take to work?
After adding the CNAME records and enabling DKIM in Defender, signing typically starts within minutes. DNS propagation for the CNAME records can take up to 48 hours.
Does Microsoft 365 sign email with DKIM by default?
Microsoft signs with a default key under the onmicrosoft.com domain. But for DMARC alignment, you need custom DKIM signing with your own domain — this requires manual setup.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.