Email provider

DKIM setup for Microsoft 365

DKIM proves message integrity. Microsoft 365 gives you a selector and key or CNAME targets — publish them exactly.

Common mistake: Expecting DKIM to work before the CNAMEs resolve — enable and wait for DNS.

Step by step

Step 1 Microsoft 365 Defender portal → Email & collaboration → Policies & rules → DKIM — or Exchange admin center DKIM for the domain.

Step 2 Copy the exact hostnames and values Microsoft 365 shows — do not invent selectors. Typical pattern:

CNAME records selector1._domainkey → selector1-domain-com._domainkey.*.onmicrosoft.com (Microsoft shows exact FQDNs when you enable DKIM).

Step 3 Add TXT or CNAME at the DNS provider that hosts your domain. Truncated keys fail verification.

Step 4 Query the record from an authoritative resolver or use propagation checker.

Step 5 Google Workspace / some hosts require clicking “enable” after DNS is green.

Step 6 Send a test message; check DKIM-Signature and d=. Run DNS Preflight. Align with DMARC: /fix/dmarc/.

DNS Preflight — verify SPF, DKIM, DMARC in one pass.

Open DNS Preflight →

DMARC alignment — fixes when reports show failures.

DMARC fix guides →

FAQ

Where do I find Microsoft 365 DKIM records?

In the provider’s domain authentication / sender settings — copy live values.

CNAME vs TXT?

Use what the provider specifies — both are common.

Why dkim=fail?

Wrong selector, truncated key, or signing not enabled after publish.

Does this fix DMARC?

You need SPF + DKIM alignment for your From domain — DKIM is often the easier path for ESPs.

How to verify?

DNS Preflight for the published key; send test mail for header verification.

← Microsoft 365 hub · All email providers