DKIM in Office 365

Microsoft has implemented DKIM, DMARC and SPF in Exchange Online, the only thing you have to do is enable it. The only thing for DKIM you have to do is create two CNAME records in DNS and enable DKIM in the Exchange Admin Center.

DKIM CNAME records

The CNAME records you have to create for DKIM look like this:

Selector1 and selector 2 are the 2 selector tags (in Office 365 these will always be selector1 and selector2), the _domainkey is a default tag that will be added. Of course you have to replace the with your own domain.

The CNAME records have to point to the following locations:

the ‘contoso-com’ (also referred to as DomainGUID) is the same as your MX record so you can copy-and-paste it from there. The ‘’ is your Office 365 tenant name.

So, for my environment (tenant name is this will be CNAME


You can use the MXTOOLBOX site to check your DKIM selector records:


The second step is to enable DKIM in the Exchange Admin Center. In the Exchange Admin Center select Protection and select the dkim tab. Select the domain you want to enable DKIM for and in the action pane click on Enable:


All information is stored in Office 365 so there’s no need to create a keypair and store the public key in DNS, everything is handled by Microsoft. Sweet Smile

For more information you can check the Use DKIM to validate outbound email sent from your custom domain in Office 365 article on Microsoft Technet

2 thoughts on “DKIM in Office 365”

    1. Yes, this specific example applies to EXO only. If you have a hybrid configuration with mailboxen on-premises and in EXO you will have two break-out points. Mail will be sent from EXO and from Exchange on-premises. If so you have to enable DKIM on both sides, with different selectors. Make sure your SPF record contains both environment as well.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s