DKIM: how to configure in Office 365

Last week, I had to set up a Microsoft 365 account, including e-mail with a custom domain. During the setup phase of the Microsoft Exchange Online, the wizard guides you on setting up the necessary DNS records to get your e-mail up and running, but DKIM was missing.

What is DKIM?

In this day and age, spam and phishing campaigns are a widespread issue and one of the oldest cybercrimes around. Forging e-mails and presenting yourself as someone else is easier than ever before. Making it less obvious to know if an e-mail is legitimate or not.

DomainKeys Identified Mail, or DKIM in short, is a security standard to make sure e-mails aren’t altered in transit. This is done through cryptographic authentication which, in turn, proves the legitimacy of the email to the receiver.

Missing DKIM configuration

During the setup, the wizard only mentions setting the proper MX and SPF DNS records. But there is no mention regarding DKIM or how to configure it.

I found this a bit odd since a lot of other providers include the setup in their default setup wizards, including ProtonMail.

Microsoft PowerShell

Enabling DKIM is not hard, but it isn’t as straightforward as copy-pasting the values into your DNS setup. You actually need to set it up through PowerShell.

I’ll write another post on the issues I encountered, but for now, I’m giving the commands needed to create a new DKIM signing config.

Fire up PowerShell and import the ExchangeOnlineManagement module. Now that the module is imported, connect and authenticate against your ExchangeOnline instance. A browser popup will appear where you can enter your password and 2FA code if you have configured it.

PS /Users/michael> Import-Module ExchangeOnlineManagement
PS /Users/michael> Connect-ExchangeOnline -UserPrincipalName

Use the New-DkimSigningConfig cmdlet to create the DKIM signing policy settings for your domain.

PS /Users/michael> New-DkimSigningConfig -DomainName -Enabled $false

As you notice, I haven’t enabled the DKIM signing yet. First, go to your DNS control panel and add the 2 CNAME records:

Host name:            selector1._domainkey
Points to address or value:    selector1-<domainGUID>._domainkey.<initialDomain>
TTL:                3600

Host name:            selector2._domainkey
Points to address or value:    selector2-<domainGUID>._domainkey.<initialDomain>
TTL:                3600
  • For Microsoft 365, the selectors will always be “selector1” or “selector2”.
  • domainGUID is the same as the domainGUID in the customized MX record for your custom domain that appears before
  • initialDomain is the domain that you used when you signed up for Microsoft 365. Initial domains always end in 

Enable Signing

The only thing left to do is enable your DKIM signatures. One way to do this is by going to the Office 365 Security & Compliance Center.

Navigate to “Threat Management” -> “Policy”. Under the “Thread Policies”, find the “Rules” section and go to DKIM. Next, select your custom domain and a modal window will appear. Toggle the “Sign messages for this domain with DKIM signatures” option and you are all good to go.