Complete DKIM setup guide for Microsoft 365 (Office 365 / O365) domains with selector1 and selector2 configuration.
Published: 2026-01-21 | Updated: 2026-01-27 | Read time: 6 min
Key Takeaways
Microsoft 365 uses two CNAME records (selector1 and selector2) for key rotation
You need Exchange Online admin access to enable DKIM signing
Add CNAME records to DNS first, then enable in Microsoft 365
Microsoft auto-rotates keys—no manual maintenance needed
Custom domains require additional configuration vs default onmicrosoft.com
Before You Start
This guide covers DKIM setup for Microsoft 365 (formerly Office 365). You'll need:
Microsoft 365 admin access (admin.microsoft.com)
DNS access for your domain
15 minutes to complete
Microsoft 365 DKIM Overview
Microsoft 365 uses CNAME records instead of TXT records for DKIM. You create two CNAME records that point to Microsoft's DKIM signing infrastructure.
Why CNAME? Microsoft manages the actual DKIM keys. If they need to rotate keys, you don't need to update your DNS.
Step 1: Get Your DKIM CNAME Records
Microsoft 365 requires two CNAME records per domain. The format is:
Selector 1
| Field | Value |
|-------|-------|
| Type | CNAME |
| Name | selector1._domainkey |
| Points to | selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com |
Selector 2
| Field | Value |
|-------|-------|
| Type | CNAME |
| Name | selector2._domainkey |
| Points to | selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com |
Finding Your Exact Values
1. Go to admin.microsoft.com
2. Navigate to Settings → Domains
3. Select your domain
4. Click DNS records
5. Look for the DKIM CNAME records
Or go directly to the Microsoft 365 Defender portal:
1. Visit security.microsoft.com
2. Navigate to Email & collaboration → Policies & rules → Threat policies
3. Click Email authentication settings → DKIM
4. Select your domain to see the required records
Step 2: Add CNAME Records to DNS
Cloudflare:
1. DNS → Add Record
2. Type: CNAME
3. Name: selector1._domainkey (just the subdomain part)
4. Target: (the full Microsoft value)
5. Proxy status: DNS only (gray cloud)
6. Repeat for selector2
GoDaddy:
1. DNS Management → Add
2. Type: CNAME
3. Host: selector1._domainkey
4. Points to: (the full Microsoft value)
5. Repeat for selector2
⚠️ Important: Make sure the "Name" field only includes selector1._domainkey; your DNS provider automatically appends your domain.
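A pre-flight check for these records, as an added example that is not part of the original guide or Microsoft's tooling: it derives the two expected CNAME pairs from the format shown in Step 1 and audits a record list for the mistakes described here (domain appended twice, wrong record type, mis-copied target). The function names, the sample records, and the rule that dots in the domain become dashes are assumptions; confirm targets against the values Microsoft shows for your tenant.

```python
# Added example: audit DKIM CNAME records before enabling signing in Microsoft 365.
# Assumption: targets follow the format shown in this guide's Step 1 tables.

def _norm(name):
    """Lower-case and drop surrounding whitespace and the trailing root dot."""
    return name.strip().lower().rstrip(".")

def expected_records(domain, tenant):
    """Return {fqdn: target} for selector1 and selector2 of a custom domain."""
    domain = _norm(domain)
    dashed = domain.replace(".", "-")  # yourdomain.com -> yourdomain-com
    return {
        f"selector{n}._domainkey.{domain}":
            f"selector{n}-{dashed}._domainkey.{_norm(tenant)}.onmicrosoft.com"
        for n in (1, 2)
    }

def audit(domain, tenant, records):
    """records: iterable of (fqdn, rtype, value) as exported from the DNS zone.
    Returns a list of findings; an empty list means both records match."""
    domain = _norm(domain)
    seen = {_norm(n): (t.upper(), _norm(v)) for n, t, v in records}
    findings = []
    for fqdn, target in expected_records(domain, tenant).items():
        doubled = f"{fqdn}.{domain}"  # provider appended the domain a second time
        if fqdn not in seen:
            if doubled in seen:
                host = fqdn[:-len(domain) - 1]
                findings.append(f"{doubled}: domain appended twice; set Name to {host} only")
            else:
                findings.append(f"{fqdn}: record missing")
            continue
        rtype, value = seen[fqdn]
        if rtype != "CNAME":
            findings.append(f"{fqdn}: is {rtype}, must be CNAME")
        elif value != target:
            findings.append(f"{fqdn}: points to {value}, expected {target}")
    return findings

# Constructed sample data using the placeholder domain and tenant from this guide.
SAMPLE = [
    ("selector1._domainkey.yourdomain.com.", "CNAME",
     "selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com."),
    ("selector2._domainkey.yourdomain.com.yourdomain.com.", "CNAME",
     "selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com."),
]

if __name__ == "__main__":
    for line in audit("yourdomain.com", "yourtenant", SAMPLE) or ["both records OK"]:
        print(line)
```

Feed it the records as your DNS provider exports them; any finding should be fixed before toggling DKIM on in Step 3.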
Step 3: Enable DKIM in Microsoft 365
After DNS propagation (can take up to 48 hours), enable DKIM:
Via Microsoft 365 Defender
1. Go to security.microsoft.com
2. Navigate to Email & collaboration → Policies & rules → Threat policies
3. Click Email authentication settings
4. Select DKIM
5. Select your domain
6. Toggle Sign messages for this domain with DKIM signatures to Enabled
Scan your domain to verify DKIM is properly configured.
Send a Test Email
1. Send an email from Microsoft 365 to Gmail
2. In Gmail, click the three dots → "Show original"
3. Look for:
```
dkim=pass header.i=@yourdomain.com header.s=selector1
```
Check DKIM Headers Directly
In the email source, you should see:
```
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com;
 s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=xxxx; b=xxxx
```
Troubleshooting
"CNAME record not found"
Wait longer for DNS propagation (up to 48 hours)
Verify the exact CNAME values from Microsoft 365 admin
Check for typos — the values are long and easy to mis-copy
Ensure your DNS provider isn't adding extra characters
"DKIM key not available"
This usually means:
The CNAME records aren't properly configured
Microsoft hasn't provisioned your DKIM keys yet
Try waiting 24 hours and enabling again
DKIM Fails After Working
Check if CNAME records were deleted
Verify domain is still properly configured in Microsoft 365
Contact Microsoft support if keys need regeneration
Multiple Domains
Each custom domain needs its own pair of CNAME records. The selectors are the same (selector1, selector2), but the values include your specific domain and tenant.
Microsoft 365 DKIM FAQ
Why does Microsoft use CNAME instead of TXT records?
CNAME records let Microsoft manage key rotation automatically. When they update keys, you don't need to change your DNS.
Do I need both selector1 and selector2?
Yes. Microsoft uses two selectors to enable seamless key rotation. Both should be configured.
What about the default Microsoft domain?
Your *.onmicrosoft.com domain has DKIM enabled by default. Custom domains require manual setup.
My domain was working, now DKIM fails?
Microsoft may have rotated keys. Verify your CNAME records still point to the correct Microsoft addresses. The selector values shouldn't change, but verify in the admin console.
How do I know which selector is active?
Check the email headers. The s= value in the DKIM-Signature shows which selector signed the email (usually selector1, switching to selector2 during rotation).