What is DKIM?
How DKIM signing proves your email is authentic — and how to check it is working for Microsoft 365 and other senders.
DKIM in plain language
DomainKeys Identified Mail (DKIM) adds a cryptographic signature to outgoing messages. Receiving servers verify the signature against a public key published in your DNS. If it matches, they know the message was not tampered with in transit and likely came from your mail platform.
How it differs from SPF
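SPF lists which servers may send mail for your domain. DKIM signs individual messages. You need both, plus DMARC, for strong authentication. SPF checks the sending server, so it can fail when a message is forwarded through another server. A DKIM signature travels with the message and still verifies after forwarding, provided DKIM is configured correctly and the signed content is not modified.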
Microsoft 365 setup
In the Defender portal or Exchange admin, enable DKIM for each domain, then publish the two CNAME records Microsoft provides. Keys rotate — do not delete old selectors until Microsoft confirms the new ones are active.
Verify after changes
Send a test message to a personal Gmail account and view the original headers, or use an email authentication checker. Failed DKIM often means a missing CNAME, a wrong selector, or a third-party sender that was left out of your mail authentication setup.
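As an added example (not part of the original guide and not Microsoft tooling), this Python script reads the headers from a message's original source, pairs each DKIM-Signature with the verdict in Authentication-Results, and returns the DNS name that must resolve for each selector. The sample headers, domains and selectors are constructed, and the From-domain match is a simplification of DMARC alignment.

```python
import email
from email.utils import parseaddr

# Constructed sample headers (not a real message); domains and selectors are made up.
SAMPLE = """\
Authentication-Results: mx.example.org;
 dkim=fail header.i=@example.com header.s=selector2;
 dkim=pass header.i=@mailer.example.net header.s=k1;
 spf=pass smtp.mailfrom=bounce@mailer.example.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=selector2; h=From:To:Subject:Date; bh=Q09OU1RSVUNURUQ=; b=Q09OU1RSVUNU
 RUQ=
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=k1;
 h=From:To:Subject; bh=Q09OU1RSVUNURUQ=; b=Q09OU1RSVUNURUQ=
From: Accounts <accounts@example.com>
Subject: DKIM test
"""

def parse_tags(value):
    """Parse a DKIM tag=value list; folding whitespace inside values is dropped."""
    pairs = (part.partition("=") for part in value.split(";"))
    return {k.strip(): "".join(v.split()) for k, _, v in pairs if k.strip()}

def dkim_report(raw):
    """Pair each signature with the receiver's verdict and the DNS name to check.
    Assumes the receiver reports header.d, or a header.i whose domain equals d=."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";"):
            props = dict(t.split("=", 1) for t in clause.split() if "=" in t)
            if "dkim" in props:
                dom = props.get("header.d") or props.get("header.i", "").rpartition("@")[2]
                verdicts[(dom.lower(), props.get("header.s", ""))] = props["dkim"]
    report = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        report.append({
            "dns_name": f"{s}._domainkey.{d}",  # record (TXT or CNAME) that must resolve
            "result": verdicts.get((d, s), "not reported"),
            # Simplification: DMARC relaxed alignment compares organizational domains.
            "matches_from": from_domain == d or from_domain.endswith("." + d),
        })
    return report

if __name__ == "__main__":
    print(*dkim_report(SAMPLE), sep="\n")
```

In the sample, the failing signature names selector2._domainkey.example.com as the record to check first, while the passing signature belongs to a third-party sender signing as its own domain rather than the From domain.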