DKIM fix
How to Enable DKIM for Microsoft 365
This page shows how to turn on M365 DKIM: add selector1 and selector2 CNAMEs so DMARC alignment can pass on your domain.
Why M365 DKIM errors until both CNAMEs exist
Microsoft rotates selector1 and selector2. Publishing only half the pair, or skipping Enable, leaves you signing like it’s still 2010.
What Defender shows (your tenant, not ours)
selector1._domainkey.yourdomain.com → CNAME → selector1-yourdomain-com._domainkey.[tenant].onmicrosoft.com
selector2._domainkey.yourdomain.com → CNAME → selector2-yourdomain-com._domainkey.[tenant].onmicrosoft.com
Copy targets from Defender exactly — don’t hand-roll. Basics: DKIM.
Create keys, publish, then enable
Step 1 Microsoft 365 Defender → Email & collaboration → Policies & rules → Threat policies → DKIM (path may vary slightly) → select your domain
Step 2 Create DKIM keys
Step 3 Copy both CNAME values
Step 4 Add to DNS at your provider
Step 5 Return to Defender and enable DKIM signing
Step 6 Verify in DNS Preflight
Run DNS Preflight to check selector1/selector2 CNAMEs resolve
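An offline check for Step 6, added here as an example (not code from this page or from Microsoft): it takes the CNAME answers you collected for both selectors and flags a missing selector, a hand-rolled target, swapped selectors, or mismatched tenants. It assumes the target shape shown above; example.com and the tenant name contoso are constructed placeholders, and the values Defender prints remain the reference.

```python
import re

# Target shape shown on this page:
#   selectorN-<domain, dots as dashes>._domainkey.<tenant>.onmicrosoft.com
TARGET_RE = re.compile(
    r"^(selector[12])-([a-z0-9-]+)\._domainkey\.([a-z0-9-]+)\.onmicrosoft\.com$")

def norm(name):
    """Lower-case and drop the trailing root dot that DNS tools print."""
    return name.strip().lower().rstrip(".")

def check_m365_dkim(domain, cnames):
    """cnames maps owner name -> CNAME target, as collected from your resolver.
    Returns a list of problems; an empty list means both selectors look right."""
    domain = norm(domain)
    cnames = {norm(k): norm(v) for k, v in cnames.items()}
    dashed = domain.replace(".", "-")  # assumption taken from the page's example
    problems, tenants = [], set()
    for sel in ("selector1", "selector2"):
        owner = f"{sel}._domainkey.{domain}"
        target = cnames.get(owner)
        if target is None:
            problems.append(f"{owner}: no CNAME published")
            continue
        m = TARGET_RE.match(target)
        if m is None:
            problems.append(f"{owner}: unexpected target {target}")
            continue
        if m.group(1) != sel:
            problems.append(f"{owner}: points at {m.group(1)}, selectors swapped")
        if m.group(2) != dashed:
            problems.append(f"{owner}: domain label {m.group(2)}, expected {dashed}")
        tenants.add(m.group(3))
    if len(tenants) > 1:
        problems.append(f"selectors use different tenants: {sorted(tenants)}")
    return problems

# Constructed sample records; example.com and tenant "contoso" are placeholders.
GOOD = {
    "selector1._domainkey.example.com.": "selector1-example-com._domainkey.contoso.onmicrosoft.com.",
    "selector2._domainkey.example.com.": "selector2-example-com._domainkey.contoso.onmicrosoft.com.",
}
HALF = {k: v for k, v in GOOD.items() if k.startswith("selector1")}
HAND_ROLLED = dict(GOOD, **{
    "selector2._domainkey.example.com.": "selector2.example.com._domainkey.contoso.onmicrosoft.com."})

if __name__ == "__main__":
    for label, recs in (("good", GOOD), ("half", HALF), ("hand-rolled", HAND_ROLLED)):
        print(label, check_m365_dkim("example.com", recs) or "OK")
```

A clean result only says the DNS side is consistent; signing still has to be enabled in Defender (Step 5).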
Open DNS Preflight →
FAQ
What are the M365 DKIM selectors?
selector1 and selector2 — Microsoft alternates between them.
Why does Defender still show an error after CNAMEs?
You didn’t click Enable — DNS alone doesn’t turn signing on.
Where is my tenant name?
Inside the CNAME targets Defender prints. Copy/paste, don’t type.
Does M365 rotate DKIM keys?
Yes — never delete one selector’s CNAME “to clean up.”
How long until active?
DNS can lag 48h. Defender flips green when both sides agree.