
How to set up DKIM on Microsoft 365

Publish two DKIM records in your DNS and switch DKIM on in Microsoft 365 so your emails carry a tamper-proof signature.

Why this matters to your business

DKIM (DomainKeys Identified Mail) adds an invisible digital signature to every email you send. The receiving mail provider uses a public key you’ve published in your DNS to confirm two things: the message really came from your domain, and nobody altered it on the way.

In plain terms: DKIM is a seal of authenticity on your email. It makes impersonation harder and improves the chance your genuine mail reaches the inbox rather than spam. It’s free and it’s a one-time setup.

Important: DKIM on Microsoft 365 is done in two places

DKIM is the one record where it really matters who does what. Microsoft 365 also does it slightly differently from most providers — worth knowing so you don’t get stuck:

So: publish two CNAMEs in your DNS host, then go into Microsoft and turn DKIM on.

Step 1 — Get the two record values from Microsoft

  1. Sign in as an administrator and open the Microsoft security portal at security.microsoft.com.
  2. Go to the Email & collaboration area and find Policies & rules → Threat policies → Email authentication settings → DKIM (Microsoft occasionally moves these labels around — look for DKIM under the email authentication or anti-spam settings).
  3. Select your domain.
  4. Microsoft will show you the two records you need to create. They look like this, with your own domain and unique codes filled in:
    • Host 1: selector1._domainkey → points to selector1-<your-domain>._domainkey.<your-tenant>.onmicrosoft.com
    • Host 2: selector2._domainkey → points to selector2-<your-domain>._domainkey.<your-tenant>.onmicrosoft.com
  5. Copy both target values exactly. You cannot make these up — Microsoft generates them for your tenant.

Step 2 — Publish the two CNAMEs in your DNS host

First, make sure you’re working at the provider that actually hosts your DNS. The records only work if they are added wherever your domain’s nameservers point. If unsure, check the Nameservers section in your registrar account, or ask whoever manages your website.

  1. Sign in to your DNS host and open the DNS settings for your domain (look for DNS / Records / Advanced DNS).
  2. Add a new record and choose CNAME (not TXT — this is the part people get wrong).
  3. For the first record, in the Name / Host field enter only selector1._domainkey. Do not add your domain on the end; the DNS host appends it automatically.
  4. In the Value / Points to / Target field, paste Microsoft’s first target, e.g. selector1-<your-domain>._domainkey.<your-tenant>.onmicrosoft.com.
  5. Repeat for the second record: Name = selector2._domainkey, Value = Microsoft’s second target.
  6. Leave TTL on the default.
  7. Save both.

Step 3 — Turn DKIM on, back in Microsoft

Publishing the records isn’t enough — you have to tell Microsoft to start signing.

  1. Return to the DKIM page in the Microsoft security portal.
  2. Select your domain and switch Sign messages for this domain with DKIM signatures to On (the toggle may be labelled Enable).
  3. Microsoft checks that the two records are visible in your DNS. If it can’t find them yet, give DNS a little time to propagate (minutes to a couple of hours) and try again.
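As an added example (not the Defaults.Exposed check and not a Microsoft tool), here is an offline Python checker that follows the two CNAMEs exactly as Step 2 describes and reports the common mistakes (TXT instead of CNAME, domain appended to the Name field, CNAME pointing at a target with no key). The zone data, tenant names and key value are constructed; replacing `lookup` with a real DNS resolver would run the same logic against live DNS.

```python
# Constructed sample zone, keyed (name, type): example.com is set up correctly,
# mistakes.example shows the two errors from Step 2 (TXT instead of CNAME,
# domain appended twice). Target hostnames and the key value are made up.
SAMPLE_ZONE = {
    ("selector1._domainkey.example.com", "CNAME"): ["selector1-example-com._domainkey.example.onmicrosoft.com"],
    ("selector2._domainkey.example.com", "CNAME"): ["selector2-example-com._domainkey.example.onmicrosoft.com"],
    ("selector1-example-com._domainkey.example.onmicrosoft.com", "TXT"): ["v=DKIM1; k=rsa; p=MIIBIjANBgCONSTRUCTED"],
    ("selector2-example-com._domainkey.example.onmicrosoft.com", "TXT"): ["v=DKIM1; k=rsa; p=MIIBIjANBgCONSTRUCTED"],
    ("selector1._domainkey.mistakes.example", "TXT"): ["v=DKIM1; p=CONSTRUCTED"],
    ("selector2._domainkey.mistakes.example.mistakes.example", "CNAME"): ["selector2-mistakes-example._domainkey.x.onmicrosoft.com"],
}
SELECTORS = ("selector1", "selector2")  # Microsoft 365 always uses these two

def lookup(zone, name, rtype):
    """Answer a (name, type) query from the in-memory zone; swap in a real resolver for live checks."""
    return zone.get((name.lower().rstrip("."), rtype), [])

def parse_dkim_txt(txt):
    """Parse a 'v=DKIM1; k=rsa; p=...' key record into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def check_selector(zone, domain, selector):
    """Follow selector._domainkey.<domain> through its CNAME and validate the key it points at."""
    host = f"{selector}._domainkey.{domain}"
    if lookup(zone, host, "TXT"):
        return "wrong type: a TXT record was published where Microsoft 365 needs a CNAME"
    if lookup(zone, f"{host}.{domain}", "CNAME"):
        return "wrong name: the domain was added to the Name field, so it appears twice"
    targets = lookup(zone, host, "CNAME")
    if not targets:
        return "missing: no CNAME found (not published yet, or DNS still propagating)"
    target = targets[0]
    if "._domainkey." not in target or not target.endswith(".onmicrosoft.com"):
        return f"unexpected target {target!r}: paste the exact value Microsoft shows"
    tags = parse_dkim_txt("".join(lookup(zone, target, "TXT")))
    if tags.get("v") != "DKIM1" or not tags.get("p"):
        return "CNAME ok, but no valid DKIM key record found at the target yet"
    return "ok"

def check_dkim(zone, domain):
    """Return {selector: status} for both Microsoft 365 selectors."""
    return {s: check_selector(zone, domain, s) for s in SELECTORS}
```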

Quirks people get wrong

Verify it worked

After publishing both records, turning DKIM on, and allowing a little propagation time, run the free check on Defaults.Exposed. It will confirm in plain language whether your DKIM is published and readable. Your data is processed in the EU.

Done? Check your domain free to confirm it worked — and see your full grade across all 34 checks.