Set Up DKIM in Office 365: A Step-by-Step Guide

Your domain's reputation is one of your most valuable business assets. Every email you send represents your brand, but without the right protection, anyone can pretend to be you. This is called spoofing, and it can damage your credibility and land your legitimate messages in spam. DKIM is your first line of defense. It adds a secure, digital signature to your emails, proving they’re authentic. In this guide, we’ll show you exactly how to set up DKIM on Office 365 to protect your reputation, build trust with email providers, and ensure your outreach is secure.
Key Takeaways
- DKIM acts as a digital signature for your emails: It proves to inbox providers that your message is authentic and hasn't been tampered with, which is essential for protecting your sender reputation and avoiding the spam folder.
- The setup is a simple copy-and-paste job: You'll find two CNAME records inside your Microsoft Defender portal and add them to your domain's DNS settings. This creates the link that allows Microsoft to authenticate your emails.
- Verification and maintenance are non-negotiable: After setup, confirm DKIM is working by checking your email headers. For complete protection, you must also implement SPF and DMARC to create a secure email authentication framework.
What is DKIM? (And Why Your Emails Need It)
If you’re serious about your email outreach, you need to get familiar with DKIM. Think of it as a digital seal of authenticity for your emails. DKIM, which stands for DomainKeys Identified Mail, is an email authentication method that proves your emails are legitimate and haven't been tampered with on their way to the recipient's inbox. It works by adding a unique digital signature to the header of every email you send. This signature is created with a private key that only you have access to.
When a receiving mail server gets your email, it looks up your public DKIM key, which you publish in your domain's DNS records. It uses this public key to verify the signature. If everything matches up, the server knows the email genuinely came from you and wasn't altered in transit. This process is crucial for building trust with email providers. According to Microsoft, DKIM helps stop bad actors from pretending to be you (a practice known as "spoofing"), which protects your recipients from phishing attacks and other scams.
Ultimately, implementing DKIM is about protecting your brand's reputation and ensuring your messages get delivered. Without it, you're leaving your deliverability up to chance, and your emails are far more likely to be flagged as spam or rejected outright. With a proper DKIM setup, more of your emails will land in the recipient's inbox where they belong. While DKIM is powerful on its own, it works best when paired with other authentication methods like SPF and DMARC to create a comprehensive defense for your email program.
What to Do Before You Set Up DKIM
Jumping into your settings without a plan can get confusing, so let’s get everything in order first. Setting up DKIM is a two-part process: you’ll find specific values inside your Microsoft account, and then you’ll add those values to your domain’s DNS records. Think of it like getting a key from Microsoft and then installing the right lock on your domain—it proves you are who you say you are. This simple step is crucial for building trust with email providers and making sure your outreach campaigns land in the inbox, not the spam folder. For anyone sending high-volume email, getting this right is non-negotiable for protecting your sender reputation.
Before you start, I recommend having two browser tabs open: one for your Microsoft 365 account and another for your domain registrar (like GoDaddy, Namecheap, or wherever you bought your domain name). This will make it much easier to copy and paste the information you need without losing your place. Taking a few minutes to prepare now will make the entire process smoother and help you avoid common frustrations. It’s the pre-flight check that ensures your email deliverability is ready for takeoff.
Check Your Prerequisites
First things first, let's make sure you have what you need. To set up DKIM, you’ll need access to your domain's DNS settings. This is where you manage your domain's records, and it's usually found in the dashboard of your domain provider. You'll be creating a specific type of record called a CNAME record. Additionally, you must have the right permissions in your Microsoft account. You’ll need to be a Global Administrator in Microsoft 365 to access the security settings and configure DKIM. If you aren't the admin, you'll need to ask the person who is to either grant you access or help you with the next steps.
Find Your DKIM Settings in Microsoft Defender
Now, let's go get the information you need from Microsoft. You can find your DKIM settings inside the Microsoft Defender portal. Once you're logged in, head over to Email & collaboration > Policies & rules > Threat policies, and then find Email authentication settings. From there, click on the DKIM tab and select the custom domain you want to set up. You'll see a toggle to "Sign messages for this domain with DKIM signatures." If it's disabled, click it. This will trigger a pop-up window with an error message that contains the exact CNAME values you need. It feels a bit backward, but this is the simplest way to get the correct records to add to your DNS.
How to Create Your DKIM DNS Records
This is where we get hands-on. Setting up DKIM involves adding a couple of special records to your domain's DNS settings. If you’ve never touched your DNS records before, don’t worry. It’s a lot like copying and pasting text into the right boxes. The whole point is to create a public record that proves your emails are legitimate.
We’ll walk through exactly what records you need to create, where to find the right information in your Office 365 account, and how to add them to your domain. Just follow these steps, and you’ll have your DKIM records set up in no time.
A Quick Look at CNAME Records
To get DKIM working, you’ll need to create two CNAME records. Think of a CNAME (Canonical Name) record as a signpost on the internet. It tells servers that one name is actually an alias for another. For this setup, you’re essentially creating records that point from your domain to Microsoft’s servers, allowing them to handle the DKIM authentication for you.
You’ll be working with two pieces of information for each record: a ‘Hostname’ and a ‘Points to address or value’. Your job is to simply copy these values from Microsoft and paste them into your domain’s DNS settings. It’s a straightforward way to link your domain to the DKIM service without a complicated setup.
Find Your DKIM Values in Office 365
First, you need to get the unique values for your CNAME records from Microsoft. You can find them inside the Microsoft Defender portal.
Start by heading to Email & collaboration > Policies & rules > Threat policies > Email authentication settings. From there, click the DKIM tab and select the domain you want to configure. You’ll see a toggle for ‘Sign messages for this domain with DKIM signatures.’ When you try to enable it, a pop-up will appear with the exact CNAME details you need. Microsoft’s official guide on how to use DKIM for email outlines this process perfectly. Copy both ‘Hostname’ and ‘Points to address or value’ entries—you’ll need them for the next step.
Add the CNAME Records to Your DNS
With your CNAME values copied, it’s time to add them to your domain. Log in to your domain registrar’s website—this is wherever you bought your domain, like GoDaddy, Namecheap, or Cloudflare.
Find the section for managing your domain’s DNS records. Here, you’ll create two new CNAME records and paste in the ‘Hostname’ and ‘Points to address or value’ information you just got from the Defender portal. Be careful to copy them exactly as they appear. Once you save your changes, you’ll need to be patient. It can take anywhere from a few minutes to a couple of days for the new DNS records to propagate across the internet and be recognized by Microsoft 365.
How to Enable DKIM Signing in Office 365
You’ve done the hard part of creating and adding the CNAME records to your DNS. Now it’s time for the final step: telling Office 365 to start using them. This is where you officially enable DKIM signing for your domain, putting those new DNS records to work. When you flip this switch, Microsoft will begin adding a cryptographic signature to your outgoing emails, which is exactly what receiving servers look for to verify your identity. This final confirmation step is usually quick, but it’s also where you might run into a snag if something isn’t quite right with your DNS setup. Don’t worry—we’ll walk through how to handle that, too.
Activate DKIM for Your Domain
Head back to the Microsoft Defender portal where you first found your CNAME values. You'll return to the DKIM page under Email & collaboration > Policies & rules > Threat policies > Email authentication settings. Select your custom domain again. You should see the option to "Sign messages for this domain with DKIM signatures." Click the toggle to enable it. If your DNS records have had enough time to propagate across the internet, the setting should activate without any errors. You’ll see the status update to confirm that Office 365 is now signing your emails. For a detailed walkthrough of the interface, you can always reference Microsoft's official steps.
Fix Common Activation Problems
If you get an error when trying to activate DKIM, the most likely culprit is a DNS configuration issue. Go back to your domain registrar and carefully check the CNAME records you created. A single typo or extra space in the hostname or value can prevent Microsoft from finding them. Sometimes, the issue is simply a matter of patience, as DNS changes can take a while to fully update. If you’ve double-checked everything and waited a bit, you can use a tool to verify your DKIM settings independently. This can help you see what the rest of the internet sees and pinpoint any lingering problems with your setup.
How to Check if DKIM Is Working
You’ve done the hard part—you created the records and enabled DKIM in Office 365. Now for the moment of truth: making sure it’s actually working. This final check is one of the most important steps, because an incorrect setup won’t give you the deliverability and security benefits you’re looking for. It's the difference between having a powerful security feature protecting your domain's reputation and just thinking you do. For anyone running high-volume outreach, an improperly configured DKIM can cause authentication failures that damage your sender score and land your campaigns in spam. Thankfully, verifying your work is straightforward and doesn't require any deep technical skills. By sending a simple test email and using a free online tool, you can get the peace of mind that your emails are properly signed and protected from spoofing. This confirmation ensures that mailbox providers like Gmail and Outlook see your messages as legitimate, which is essential for landing in the inbox. Let’s walk through the three simple ways to confirm everything is running smoothly so you can get back to sending emails with confidence.
Send a Test Email
The quickest way to see your DKIM signature in action is to send a test email. Log in to an account on your custom domain (the one you just configured) and send a message to an external email address you have access to, like a personal Gmail or Outlook account. Don’t just read the email; you’ll need to look at its raw data. Once you receive the test, find the option to view the message’s original source or headers. In the data that appears, look for an Authentication-Results header. If you see DKIM=pass, you’re good to go. This confirms that the receiving server successfully validated your signature.
Read Email Headers for the DKIM Signature
While you’re looking at the email headers, you can find the DKIM signature itself. This provides more detail than the simple "pass" message. Scan the text for a line that starts with DKIM-Signature. This header contains several pieces of information, but the most important one for verification is the d= tag, which specifies the domain that signed the message (e.g., d=yourcompany.com). Seeing this signature with your domain confirms that your DKIM key was correctly applied to the outgoing email. It’s the digital proof that the message is authentic and hasn't been tampered with, which is exactly what email authentication is all about.
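The two header checks above can be scripted. This Python sketch is an added example, not part of the original guide or any Microsoft tooling: it reads a raw message, keeps only the Authentication-Results header written by the receiving server you name (the header is plain text that any upstream host can also insert), and reports whether DKIM passed for your domain or for a different one. The sample messages, mx.example.net, relay.sender.invalid and the yourcompany.onmicrosoft.com tenant name are constructed for illustration.

```python
import email
import re

# Constructed sample messages (not real mail). mx.example.net stands for the
# receiving server you trust; hashes and signatures are placeholders.
GOOD = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@yourcompany.com header.s=selector1 header.b=PLACEHLD;
 spf=pass smtp.mailfrom=yourcompany.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourcompany.com;
 s=selector1; h=From:Date:Subject:Message-ID;
 bh=PLACEHOLDER=; b=PLACEHOLDER
From: Alice <alice@yourcompany.com>
Subject: DKIM test

Hello
"""
# Signed for the tenant domain instead of the custom domain, plus an
# Authentication-Results header that was not written by our receiver.
OTHER_DOMAIN = """\
Authentication-Results: mx.example.net;
 dkim=pass (signature was verified) header.d=yourcompany.onmicrosoft.com
Authentication-Results: relay.sender.invalid; dkim=pass header.d=yourcompany.com
DKIM-Signature: v=1; a=rsa-sha256; d=yourcompany.onmicrosoft.com;
 s=selector1-placeholder; bh=PLACEHOLDER=; b=PLACEHOLDER
From: Alice <alice@yourcompany.com>
Subject: DKIM test

Hello
"""

def unfold(value):
    """Join a folded (multi-line) header value onto one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()

def parse_tags(value):
    """Parse the 'tag=value; tag=value' list of a DKIM-Signature header."""
    pairs = (p.split("=", 1) for p in unfold(value).split(";") if "=" in p)
    return {name.strip(): val.strip() for name, val in pairs}

def parse_auth_results(value):
    """Return (authserv_id, [(method, result, properties), ...]), lowercased."""
    text = re.sub(r"\([^()]*\)", " ", unfold(value)).lower()  # drop (comments)
    pieces = [p.strip() for p in text.split(";")]
    authserv = pieces[0].split()[0] if pieces[0] else ""
    entries = []
    for piece in pieces[1:]:
        m = re.match(r"([a-z0-9-]+)\s*=\s*([a-z]+)", piece)
        if m:
            props = dict(re.findall(r"([a-z]+\.[a-z0-9-]+)=(\S+)", piece))
            entries.append((m.group(1), m.group(2), props))
    return authserv, entries

def check_dkim(raw_message, expected_domain, trusted_authserv):
    """Classify the DKIM outcome recorded by the trusted receiving server."""
    msg = email.message_from_string(raw_message)
    signed_by = [(t.get("d", "").lower(), t.get("s", ""))
                 for t in map(parse_tags, msg.get_all("DKIM-Signature", []))]
    results = []
    for value in msg.get_all("Authentication-Results", []):
        authserv, entries = parse_auth_results(value)
        if authserv != trusted_authserv.lower():
            continue  # written by another host, so not evidence of anything
        for method, result, props in entries:
            if method == "dkim":
                ident = props.get("header.i", "").rpartition("@")[2]
                results.append((result, props.get("header.d") or ident))
    if any(r == "pass" and d == expected_domain.lower() for r, d in results):
        verdict = "ok"
    elif any(r == "pass" for r, _ in results):
        verdict = "passed-for-other-domain"
    elif any(r != "none" for r, _ in results):
        verdict = "failed"
    else:
        verdict = "no-dkim-result"
    return {"verdict": verdict, "results": results, "signed_by": signed_by}

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("OTHER_DOMAIN", OTHER_DOMAIN)):
        print(name, check_dkim(raw, "yourcompany.com", "mx.example.net"))
```

A passed-for-other-domain verdict on mail sent from Microsoft 365 typically means the message was signed with the tenant's onmicrosoft.com domain because signing for the custom domain is not yet active. The signed_by list also gives you the selector to enter in a DNS lookup tool.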
Use a DNS Checker Tool
If you’re running into issues or just want to be extra thorough, a DNS checker can confirm that your DKIM record is correctly published and visible to the world. Sometimes, an email test might fail because of a propagation delay, not an error in your setup. Using an online DKIM lookup tool helps you isolate the problem. You’ll enter your domain name and the DKIM selector you used when creating the CNAME records. The tool will then check your DNS settings and tell you if the public key is published correctly. If the tool gives you a green light, your DNS is set up properly.
How to Maintain Your DKIM Setup
Getting your DKIM records set up is a fantastic first step, but the work doesn’t stop there. Think of it like planting a garden; you can’t just walk away after putting the seeds in the ground. You have to tend to it. Maintaining your DKIM setup is crucial for keeping your email deliverability high and your domain reputation secure over the long term. This isn’t about constant, tedious work. It’s about building a few straightforward habits that will protect your email outreach and ensure your messages consistently land where they belong.
Perform Regular Checks and Updates
It’s a good idea to check on your DKIM configuration periodically, not just when you think there’s a problem. Regular testing is an essential step for ensuring the highest level of email security and catching issues before they impact your campaigns. Things can change—your domain registrar might update its interface, or a setting within Office 365 could be altered—that might interfere with your setup without you realizing it. A quick check-in every quarter is a smart move. You can use the same DNS checker tools or email header analyzers you used during the initial setup. This simple habit helps you stay ahead of any potential problems and keep your emails flowing smoothly to the inbox.
Manage Key Rotation
Just like you periodically change your passwords for security, you should also update your DKIM keys. This process is called "DKIM key rotation," and it’s a security best practice that prevents bad actors from ever having the chance to compromise an old key. When you rotate keys in Microsoft 365, the system generates new cryptographic keys for your domain. The platform makes this pretty seamless, but keep in mind it takes about four days for the new keys to be fully active across the internet. Making this a part of your annual security audit is a simple yet powerful way to keep your email authentication strong and up to date.
Combine DKIM with SPF and DMARC
For the most robust email protection, you need to use DKIM alongside its two partners: SPF and DMARC. Think of them as a three-part security team working together. SPF (Sender Policy Framework) specifies which mail servers are allowed to send email on behalf of your domain. DKIM provides the digital signature to prove the email hasn't been tampered with. Then, DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving servers what to do with emails that fail SPF or DKIM checks. Setting up all three gives you the strongest email protection against phishing and spoofing. We know that finding clear, actionable steps for all three can be a challenge, which is why we cover these kinds of deliverability topics in-depth on the ScaledMail blog.
Solve Common DKIM Setup Problems
Even when you follow every step to the letter, you can still run into a few snags when setting up DKIM. It’s frustrating, but don’t worry—it’s usually due to one of a few common issues that are pretty straightforward to fix. Think of this as your troubleshooting checklist for when things don’t go as planned. Before you get too deep into complicated fixes, it’s always a good idea to double-check your CNAME records for any typos or copy-paste errors. A single misplaced character can prevent the entire setup from working correctly.
If you’ve confirmed your records are accurate and you’re still hitting a wall, the problem likely falls into one of three categories: DNS delays, domain management, or conflicting records from a previous setup. We’ll walk through each one so you can identify the culprit and get your DKIM authentication running smoothly. These are the most frequent hurdles we see people face, and thankfully, they all have clear solutions. If you've worked through these common fixes and are still stuck, it might be time to book a call with an expert to look at your specific infrastructure.
Deal with DNS Propagation Delays
So you’ve published your DKIM records, but Office 365 isn’t verifying them. Your first instinct might be to assume you did something wrong, but the most likely culprit is simply time. When you update your DNS, it takes time for those changes to spread across the internet in a process called propagation. Think of it like the postal service updating its address database—it doesn't happen instantly everywhere. According to Microsoft, it can take anywhere from a few minutes to a few days for new DNS records to be recognized by Microsoft 365. The best course of action is to be patient. Grab a coffee, work on something else, and check back later or the next day before you start troubleshooting further.
Manage Multiple Domains and Subdomains
If your business sends emails from multiple domains or uses subdomains for different purposes (like marketing.yourcompany.com for newsletters and support.yourcompany.com for customer service), you need to configure DKIM for each one individually. This is actually a great practice for deliverability, as it protects the reputation of your main domain. If your marketing emails get a high complaint rate, it won't tarnish the reputation of your primary domain, which you use for crucial business communication. Just remember that each domain and subdomain is treated as a separate entity and requires its own unique DKIM key pair and CNAME records. Don't assume that setting it up for yourcompany.com will automatically cover all the others.
Handle Existing DKIM Records
Sometimes, the problem isn’t the new record you’re adding but an old one that’s already there. If you’ve used other email marketing services or providers in the past, you might have old DKIM records lingering in your DNS settings. These can conflict with the new ones you’re trying to set up for Office 365. A common mistake is failing to generate a unique private-public key pair for each service or domain, leading to authentication failures. Before you publish your new CNAME records, take a moment to review your DNS zone for any existing DKIM records. If you find any that are no longer in use, it’s best to remove them to prevent any potential conflicts and ensure a clean setup.
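The record checks described under "Fix Common Activation Problems" and in this section can be run against a DNS zone export before you retry the toggle. This Python sketch is an added example, not part of the original guide: it compares the two CNAME records as entered with the values copied from the Defender portal and lists any other DKIM records left in the zone. The target names and the oldvendor selector are constructed placeholders, and the sketch assumes the registrar follows zone-file rules, where a host name without a trailing dot has the zone name appended.

```python
# Values as copied from the Defender pop-up (constructed placeholders here).
PORTAL = {
    "selector1._domainkey": "selector1-placeholder.example.net",
    "selector2._domainkey": "selector2-placeholder.example.net",
}
# Records as typed into the registrar (constructed, with deliberate mistakes).
AS_ENTERED = [
    ("CNAME", "selector1._domainkey", "selector1-placeholder.example.net "),
    ("CNAME", "selector2._domainkey.yourcompany.com", "selector2-placeholder.example.net"),
    ("TXT", "oldvendor._domainkey", "v=DKIM1; k=rsa; p=PLACEHOLDER"),
]

def fqdn(host, zone):
    """Expand a host field: relative names get the zone appended (assumption)."""
    host = host.strip().lower()
    zone = zone.lower().rstrip(".")
    if host.endswith("."):
        return host.rstrip(".")  # already absolute
    return zone if host in ("", "@") else f"{host}.{zone}"

def audit_dkim_cnames(zone, portal, records):
    """Map each DKIM-related record name to a finding."""
    zone = zone.lower().rstrip(".")
    published, findings = {}, {}
    for rtype, host, value in records:
        name = fqdn(host, zone)
        published[name] = (rtype.upper(), value.strip().lower().rstrip("."))
        if host != host.strip() or value != value.strip():
            findings[name] = "stray-whitespace"
    expected = {fqdn(h, zone): t.lower().rstrip(".") for h, t in portal.items()}
    for name, target in expected.items():
        if name in findings:
            continue
        if name in published:
            rtype, value = published[name]
            if rtype != "CNAME":
                findings[name] = "wrong-type"
            else:
                findings[name] = "ok" if value == target else "wrong-target"
        elif f"{name}.{zone}" in published:
            findings[name] = "zone-appended-twice"  # full name typed as relative
        else:
            findings[name] = "missing"
    for name in published:
        doubled = name.endswith(f".{zone}.{zone}")
        if "._domainkey." in name and name not in expected and not doubled:
            findings[name] = "other-dkim-record"  # review: still in use?
    return findings

if __name__ == "__main__":
    for name, finding in audit_dkim_cnames("yourcompany.com", PORTAL, AS_ENTERED).items():
        print(f"{finding:20} {name}")
```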
Using DKIM in a Hybrid Exchange Environment
If your company uses a hybrid Exchange environment, you’re running a mix of on-premises servers and cloud-based Exchange Online. This setup is common, but it adds a few extra steps to your DKIM configuration. The goal is to make sure every email, whether it originates from your on-prem server or the cloud, gets the same valid DKIM signature. Without a consistent setup, you risk some of your mail being sent unsigned, which can hurt your deliverability and land your campaigns in the spam folder.
The main challenge is that on-premises Exchange servers don't handle DKIM signing natively like Exchange Online does. You can't just flip a switch on your local server and call it a day. The most straightforward solution is to configure your mail flow so that all outgoing messages from your on-premises servers are routed through Exchange Online. This way, Exchange Online Protection (EOP) applies the DKIM signature you configured in Office 365 to all your mail, creating a single, unified point for authentication. This approach simplifies management and ensures no email gets left behind. For a deeper look at how these systems work together, Microsoft offers detailed guidance on hybrid deployments.
What to Know for On-Premises Servers
Since your on-premises Exchange server can’t sign emails with DKIM on its own, you have to give it a path to do so. Routing your mail through Exchange Online is the standard and often simplest method. You create connectors that securely send your on-prem mail to the cloud, where it gets the DKIM signature before heading to its final destination. This keeps your entire email security framework, including SPF and DMARC, managed within your Microsoft 365 environment.
If routing all mail through the cloud isn't an option for your organization, you can use a third-party gateway or transport agent. These tools are installed on or in front of your on-premises server and are designed specifically to add DKIM signatures to outgoing mail. This path requires managing another piece of software but gives you direct control over signing at the source. Whichever method you choose, you’ll still need to set up DKIM correctly in your DNS records.
Helpful Tools for Managing DKIM
Setting up and managing DKIM doesn’t have to be a solo mission into the technical weeds. Plenty of excellent tools are available to make the process smoother, whether you’re creating your first record or just checking on an existing one. Think of these as your support system for better email security and deliverability.
If you’re starting from scratch, a DKIM Record Generator is a lifesaver. Instead of trying to piece together the record syntax yourself, these tools create the public and private keys for you. You can typically choose different key lengths, like 1024 or 2048-bit, to match your security needs. This takes the guesswork out of creating the CNAME records you need to add to your DNS provider.
Once you’ve published your records, how do you know they’re working correctly? That’s where a DKIM Record Lookup tool comes in. You simply enter your domain and selector, and the tool checks your DNS to see if the record is published and valid. It’s a quick and easy way to confirm your setup before you start sending important campaigns.
For those who appreciate a good plan, following a DKIM setup checklist can help ensure you don’t miss a crucial step. These guides walk you through the entire process, from generation to testing, making the whole thing feel much more manageable. This attention to detail is key, as a proper DKIM configuration protects your domain from phishing and strengthens your sender reputation.
How DKIM Affects Your Deliverability and Reputation
Think of DKIM as a digital seal of approval for your emails. Without it, your carefully crafted messages have a much higher chance of landing in the spam folder. Internet Service Providers (ISPs) are constantly on the lookout for suspicious activity, and a missing or incorrect DKIM signature is a major red flag. Implementing DKIM correctly is one of the most effective ways to resolve common deliverability issues and ensure your campaigns actually reach your audience. It proves to receiving mail servers that your email is authentic and that its contents haven't been altered in transit.
Beyond just getting your emails delivered, DKIM is essential for protecting your brand. It helps prevent scammers and phishers from sending malicious emails that look like they came from your domain—a practice known as spoofing. This not only protects your reputation but also keeps your audience safe from harmful scams. When your domain is secure, you build trust with both email providers and the people who read your emails, leading to better engagement and a stronger brand image.
DKIM doesn't work in a vacuum; it's most powerful when paired with other email authentication methods like SPF and DMARC. Together, these protocols create a robust defense system for your email program. This layered approach is the industry standard for email security and is a key requirement from major inbox providers like Google and Yahoo. For any business that relies on email outreach, having a solid authentication strategy isn't just a good idea—it's a fundamental part of maintaining a healthy sender reputation.
Frequently Asked Questions
Why do I need to create two CNAME records for Office 365? Office 365 uses a pair of CNAME records to manage its DKIM key rotation system. This is a security feature that allows Microsoft to automatically update your cryptographic keys behind the scenes without you having to do anything. By having two records, it can activate a new key while the old one is still valid, ensuring there’s no interruption in your email authentication. It’s a seamless way to keep your setup secure over time.
I set up DKIM, but some of my emails are still going to spam. What gives? Setting up DKIM is a huge step forward, but it's one part of a larger deliverability strategy. Think of it as getting a passport; it proves who you are, but you still need to follow the rules of the country you're visiting. If your emails are still landing in spam, you should also implement SPF and DMARC. Beyond that, look at your sender reputation and the quality of your email content. DKIM ensures your mail is authenticated, but inbox providers also care about whether people actually want to receive it.
What exactly is a DKIM "selector"? A selector is simply a name that helps receiving mail servers find the correct public DKIM key in your domain's DNS records. Since you might have different DKIM keys for different email services (like one for Office 365 and another for a marketing platform), the selector tells the server which specific key to use for verification. It’s part of the CNAME record you get from Microsoft, usually in the format selector1._domainkey or selector2._domainkey.
How often should I really be rotating my DKIM keys? Rotating your DKIM keys is a security best practice, much like changing your passwords. For Office 365, the system handles this for you automatically once you've set up the two CNAME records, which is a major benefit. If you're managing DKIM manually for other services, a good rule of thumb is to rotate your keys at least once a year. This limits the chance of an old key ever being compromised and used against you.
Can I set up DKIM for Office 365 if I also use another service to send emails? Yes, and you absolutely should. You need to set up DKIM for every single service that sends email on behalf of your domain. Your marketing platform, CRM, and any other tool will each provide their own unique DKIM records to add to your DNS. These won't conflict with your Office 365 records because each service will use a different selector. This ensures all your mail, regardless of where it comes from, is properly authenticated.