Tech Thursday: How To Enable DKIM Signing in Office 365

Tech Thursday: How To Enable DKIM Signing in Office 365

Last week, we covered how to enable SPF records to prevent spammers from spoofing your domain. DKIM, or DomainKeys Identified Mail, provides another layer of protection against spammers by signing all outgoing messages with a private key. Receiving mail servers can then verify that signature to know that the message came from your organization.

Setting up DKIM on Office 365 is as simple as adding a few DNS records, and then enabling it in the admin center. Follow the steps below to enable DKIM on a custom domain.

Setting up the CNAME Records

First, you’ll need to configure two CNAME records for your domain name. To set these up, you’ll need two things: your domain GUID, and your Office 365 initial domain.

The domain GUID can be found by taking your domain name, and replacing the dots with dashes, like so: -> contoso-com

Your initial domain is the subdomain of that was configured when you first set up Office 365. For example,

Then, using those items, you can generate the CNAME records that will be used by DKIM. Those are:


Points to: selector1-<domainguid>._domainkey.<initialdomain>


Points to: selector2-<domainguid>._domainkey.<initialdomain>

For our example, these records would look like:

Points to:

To create a CNAME record, log in to your domain host’s website, and look for DNS configuration. There, you can add subdomains with the above CNAME records.

Enable DKIM in Office 365

Once your CNAME records are created, you can enable DKIM for the domain in the Office 365 admin center.

First, log in to Office 365 with your administrative account, then click the app launcher in the upper right-hand corner, and choose Admin.

From there, browse to Protection > dkim

Select your domain and choose Enable under “Sign messages for this domain with DKIM signatures”.

Verify DKIM is Working on Your Domain

After you’ve enabled DKIM, wait a few minutes for the settings to replicate, then send yourself an email from your Office 365 mailbox to an outside email provider, like Hotmail or Gmail.

Once you receive the message, open the message headers. (In Gmail, this is the option “Show original” in the menu near the top of the message).

Look for the “Authentication-Results” header. You should see something similar to “DKIM=pass” or “DKIM=ok”, depending on the email provider you are using. If you do, then great! You’re all set to protect your company from spoofed emails.


E-N Computers is a leading IT service provider, helping businesses in Virginia, Maryland, and Washington, D.C. to leverage technology for growth and agility. If you’d like to know more about how we can help you to more effectively use Office 365 and other cloud services in your business, contact us today.