How to Set Up DKIM for Office 365 (Microsoft 365)

Setting up DKIM for Office 365 takes three steps: create your DKIM keys in Microsoft 365, add two records to your DNS, then switch signing on. This guide applies regardless of who hosts your domain's DNS.

DKIM adds a signature to every email you send, so receiving servers can confirm the message genuinely came from your domain and wasn't altered. For a custom domain, Microsoft 365 doesn't sign your mail until you set this up.

How DKIM works in Microsoft 365

Microsoft 365 signs mail for its default onmicrosoft.com domain automatically, but for your own custom domain you have to set DKIM up. You create the keys in the Microsoft 365 Defender portal, publish two CNAME records in your DNS, and then switch signing on.

If your DNS is hosted at GoDaddy, the steps are the same. See our GoDaddy DKIM guide for that DNS panel specifically.

Step 1: Create your DKIM keys

The keys are generated in Microsoft 365, not at your DNS host.

  • Go to security.microsoft.com/dkimv2 and sign in with your Microsoft 365 admin account.
  • Under DomainKeys Identified Mail (DKIM), select your domain name itself (not the checkbox next to it). A panel opens on the right.
  • Select Create DKIM keys. Microsoft generates two records, both CNAMEs, pointing to a …onmicrosoft.com address.
  • Copy both records. You'll add them to your DNS next.

Step 2: Add the CNAME records in your DNS

Publish both CNAME records wherever your domain's DNS is managed (your registrar or DNS host).

  • Add two CNAME records with hosts selector1._domainkey and selector2._domainkey.
  • Set each value to the matching …onmicrosoft.com target Microsoft gave you.
  • Enter the host without your domain on the end. Most DNS hosts add it for you.
  • Save both, then allow time for them to propagate. This can take up to 48 hours, though it often completes within an hour.

Step 3: Turn on DKIM signing

Adding the records isn't enough. You have to switch signing on. Go back to security.microsoft.com/dkimv2, select your domain, and set the signing toggle to Enabled.

If the toggle is greyed out or returns an error, the CNAME records usually haven't propagated yet. Wait, then try again.

How to check it worked

Once signing is on and the records have propagated, confirm it with our free DKIM checker. You can also send a test email to a Gmail address, open it, and use Show original to check that DKIM shows PASS.

Common problems

Most Office 365 DKIM issues come from a few causes.

  • The signing toggle won't enable: the CNAME records haven't propagated, or a host or value was mistyped.
  • Only the onmicrosoft.com domain shows DKIM: your custom domain isn't fully set up in Microsoft 365 yet.
  • The checker finds no key: confirm both CNAMEs are saved with the exact values from Microsoft and that signing is on.
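
An added example, not part of the original guide or of Microsoft's tooling: a Python check that compares the two published records against the values copied from the Defender portal and names the mistakes listed above, including a host entered with the domain already on the end. The example.com names, the placeholder targets and the function names are assumptions constructed for illustration; real values come from the portal and from your DNS host's zone export or a lookup.

```python
# Added example: pre-flight check for the two Microsoft 365 DKIM CNAMEs.
# Every domain name and target below is a constructed placeholder.
SELECTORS = ("selector1._domainkey", "selector2._domainkey")

def norm(name):
    """Lower-case a DNS name and drop whitespace and the trailing dot."""
    return name.strip().rstrip(".").lower()

def check_dkim_cnames(domain, expected, published):
    """Return a list of (host, code) problems; an empty list means both match.
    expected:  {host: target copied from the portal}
    published: [(owner_name, record_type, value)] as seen in DNS
    """
    domain = norm(domain)
    by_name = {}
    for owner, rtype, value in published:
        by_name.setdefault(norm(owner), []).append((rtype.upper(), norm(value)))

    problems = []
    for host in SELECTORS:
        fqdn = f"{host}.{domain}"
        records = by_name.get(fqdn, [])
        cnames = [value for rtype, value in records if rtype == "CNAME"]
        if not records:
            # Typing the full name into a panel that appends the zone
            # publishes selector1._domainkey.example.com.example.com.
            doubled = f"{fqdn}.{domain}" in by_name
            problems.append((host, "domain-appended-twice" if doubled else "missing"))
        elif not cnames:
            problems.append((host, "wrong-record-type"))
        elif cnames[0] != norm(expected[host]):
            problems.append((host, "target-mismatch"))
    return problems

# Constructed sample: portal values, and a zone containing two mistakes.
EXPECTED = {
    "selector1._domainkey": "placeholder-target-1.example.onmicrosoft.com",
    "selector2._domainkey": "placeholder-target-2.example.onmicrosoft.com",
}
PUBLISHED = [
    ("selector1._domainkey.example.com.example.com.", "CNAME",
     "placeholder-target-1.example.onmicrosoft.com."),
    ("selector2._domainkey.example.com.", "CNAME",  # selector1's value pasted here
     "placeholder-target-1.example.onmicrosoft.com."),
]

if __name__ == "__main__":
    print(check_dkim_cnames("example.com", EXPECTED, PUBLISHED))
```

An empty result means both records match the portal values, so a greyed-out toggle at that point is a matter of waiting for propagation.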

Frequently Asked Questions

Does Microsoft 365 enable DKIM by default?

Only for its built-in onmicrosoft.com domain. For your own custom domain, DKIM is off until you create the keys in the Defender portal, publish the two CNAME records in your DNS, and switch signing on. Until then, mail from your custom domain isn't DKIM-signed.

Why is the DKIM toggle greyed out in Microsoft 365?

Almost always because the two CNAME records haven't propagated yet, so Microsoft can't verify them. Double-check the host and value of each record in your DNS, then wait and try again. Propagation can take up to 48 hours, though it's usually much faster.

Where do I add the DKIM records for Office 365?

In your DNS, wherever your domain is managed (your registrar or DNS host), not inside Microsoft 365. You add two CNAME records (selector1._domainkey and selector2._domainkey) using the values the Defender portal gives you. If that's GoDaddy, see our GoDaddy DKIM guide.

Do I need DKIM if I already have SPF?

Yes. SPF and DKIM check different things: SPF authorises sending servers, while DKIM proves the message wasn't altered and genuinely came from your domain. DMARC needs at least one of them passing and aligned, and both together give the strongest result.

That's DKIM set up for Office 365: keys created in the Defender portal, two CNAME records added to your DNS, and signing switched on. Confirm it with our DKIM checker once the records propagate.

DKIM is one of three records that have to line up. Once it's done, set up DMARC for Office 365 too, or let readyDMARC handle all three for you.

Misconfiguring this is easy, and costly

One wrong record can let attackers send email as your domain, or block your own legitimate mail once you turn on enforcement. Getting from a published record to real protection, without breaking delivery, is where most teams get stuck. Our specialists set up SPF, DKIM, and DMARC for you and roll it out safely, checking at every stage.