How to enable DKIM in Microsoft 365
Step-by-step overview for turning on DKIM signing and publishing the DNS records Microsoft requires.
Prerequisites
The domain must be an accepted domain in Exchange Online with valid MX mail flow. You need DNS access at whichever host is authoritative for the domain — registrar, Cloudflare, or web agency.
Enable in the admin centre
In Microsoft Defender for Office 365 or the Exchange admin path for DKIM, select the domain and create the key. Microsoft shows two CNAME records (selectors) to publish. Enable signing only after DNS is live.
Publish DNS records
Add both CNAMEs exactly as shown — no typos in selector names. Wait for propagation, then toggle DKIM to enabled. If you use split DNS providers, confirm public resolvers see the same answers as your checker.
Confirm alignment
Send outbound mail and verify DKIM=pass in headers. Pair with SPF and DMARC. Third-party senders (CRM, ticketing) may need their own DKIM/SPF includes — your Microsoft DKIM alone does not cover them.
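A header check for the step above, as an added example that is not part of the original guide: it reads the Authentication-Results header of a received test message and reports whether any passing DKIM signature uses a domain aligned with the From address. The sample messages and example.com are constructed, and the alignment test is a simplified parent/subdomain comparison rather than a full organizational-domain lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not captured mail); example.com is a placeholder domain.
ALIGNED = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=example.com; dkim=pass (signature was verified)
 header.d=example.com; dmarc=pass action=none header.from=example.com
From: Alice <alice@example.com>
Subject: DKIM test

body
"""
# Same message signed by the tenant's initial *.onmicrosoft.com domain, which
# Microsoft 365 uses until DKIM for the custom domain is enabled: dkim=pass,
# but the signing domain does not align with the From domain.
UNALIGNED = ALIGNED.replace("header.d=example.com",
                            "header.d=example.onmicrosoft.com")

# One dkim clause: verdict, then header.d before the clause's closing ';'.
DKIM_RE = re.compile(r"\bdkim=(\w+)[^;]*?\bheader\.d=([^\s;]+)", re.I)

def _related(a: str, b: str) -> bool:
    # Assumption: parent/subdomain comparison stands in for DMARC relaxed
    # alignment; a full check compares organizational domains (public suffix list).
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def dkim_alignment(raw: str) -> dict:
    """Report DKIM verdicts and whether a passing one aligns with From."""
    # Only trust Authentication-Results stamped by your own receiving system.
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    verdicts = [(v.lower(), d.lower())
                for value in msg.get_all("Authentication-Results", [])
                for v, d in DKIM_RE.findall(value)]
    aligned = any(v == "pass" and _related(d, from_domain) for v, d in verdicts)
    return {"from": from_domain, "dkim": verdicts, "aligned_pass": aligned}

if __name__ == "__main__":
    for name, raw in (("aligned", ALIGNED), ("unaligned", UNALIGNED)):
        print(name, dkim_alignment(raw))
```

A `dkim=pass` with `aligned_pass` false is the case to look for after enabling: the message is signed, but not by the domain in the From address, so DKIM does not contribute to a DMARC pass.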