Last week, we covered how to enable SPF records to prevent spammers from spoofing your domain. DKIM, or DomainKeys Identified Mail, provides another layer of protection against spammers by signing all outgoing messages with a private key. Receiving mail servers can then verify that signature to know that the message came from your organization.
Setting up DKIM on Office 365 is as simple as adding a few DNS records, and then enabling it in the admin center. Follow the steps below to enable DKIM on a custom domain.
Setting up the CNAME Records
First, you’ll need to configure two CNAME records for your domain name. To set these up, you’ll need two things: your domain GUID, and your Office 365 initial domain.
The domain GUID can be found by taking your domain name, and replacing the dots with dashes, like so:
Contoso.com -> contoso-com
Your initial domain is the subdomain of onmicrosoft.com that was configured when you first set up Office 365. For example, contoso.onmicrosoft.com
Then, using those items, you can generate the CNAME records that will be used by DKIM. Those are:
Points to: selector1-<domainGUID>._domainkey.<initialDomain>
Points to: selector2-<domainGUID>._domainkey.<initialDomain>
For our contoso.com example, these records would look like:
Points to: selector1-contoso-com._domainkey.contoso.onmicrosoft.com
To create a CNAME record, log in to your domain host’s website, and look for DNS configuration. There, you can add subdomains with the above CNAME records.
Enable DKIM in Office 365
Once your CNAME records are created, you can enable DKIM for the domain in the Office 365 admin center.
First, log in to Office 365 with your administrative account, then click the app launcher in the upper right-hand corner, and choose Admin.
From there, browse to Protection > dkim
Select your domain and choose Enable under “Sign messages for this domain with DKIM signatures”.
Verify DKIM is Working on Your Domain
After you’ve enabled DKIM, wait a few minutes for the settings to replicate, then send yourself an email from your Office 365 mailbox to an outside email provider, like Hotmail or Gmail.
Once you receive the message, open the message headers. (In Gmail, this is the option “Show original” in the menu near the top of the message).
Look for the “Authentication-Results” header. You should see something similar to “DKIM=pass” or “DKIM=ok”, depending on the email provider you are using. If you do, then great! You’re all set to protect your company from spoofed emails.
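The same header check as a script (an added example, not part of the original article). It goes one step further than reading the header by eye: it only trusts the Authentication-Results header written by your own receiving server, and it confirms the passing signature belongs to the domain in the From: line. The receiver name mx.example.net, the sample message and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (hypothetical receiver mx.example.net), not a real message.
SAMPLE = (
    "Authentication-Results: mx.example.net;\n"
    "       dkim=pass header.i=@contoso.com header.s=selector1 header.b=AbCdEf12;\n"
    "       spf=pass smtp.mailfrom=alice@contoso.com\n"
    "From: Alice <alice@contoso.com>\n"
    "Subject: DKIM test\n"
    "\n"
    "hello\n"
)

def dkim_results(raw_message, authserv_id):
    """Return (result, signing_domain, selector) for each dkim= entry that the
    receiving server named authserv_id recorded; other servers' headers are ignored."""
    msg = message_from_string(raw_message)
    found = []
    for header in msg.get_all("Authentication-Results", []):
        parts = " ".join(str(header).split()).split(";")   # unfold, then split entries
        if parts[0].strip().lower() != authserv_id.lower():
            continue                                       # not written by our receiver
        for part in parts[1:]:
            result = re.match(r"\s*dkim=(\w+)", part, re.I)
            if not result:
                continue
            domain = (re.search(r"header\.d=([\w.-]+)", part, re.I)
                      or re.search(r"header\.i=[^\s@;]*@([\w.-]+)", part, re.I))
            selector = re.search(r"header\.s=([\w.-]+)", part, re.I)
            found.append((result.group(1).lower(),
                          domain.group(1).lower() if domain else None,
                          selector.group(1) if selector else None))
    return found

def signed_by_from_domain(raw_message, authserv_id):
    """True only if a dkim=pass entry is signed by the domain in the From: header
    (or a parent of it), i.e. the custom domain rather than some other signer."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for result, domain, _ in dkim_results(raw_message, authserv_id):
        if result == "pass" and domain and (
                from_domain == domain or from_domain.endswith("." + domain)):
            return True
    return False

if __name__ == "__main__":
    print(dkim_results(SAMPLE, "mx.example.net"), signed_by_from_domain(SAMPLE, "mx.example.net"))
```

Paste the full "Show original" text into a string and pass your provider's server name as the second argument.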