There are two methods of enabling DKIM for Office 365: through Microsoft 365 Defender or through PowerShell. Both methods are described below.
 
Before enabling DKIM for Office 365, we first have to create the selector records that will be added to your DNS. Two values need to be populated into each DKIM record; the rest is standard across all Office 365 tenants.
  1. Identify the customDomainIdentifier. This is found in your Office 365 MX record: it is the label before mail.protection.outlook.com.
  2. Identify the initialDomain. This can be found in your DMARC reports or in the headers of any message you send from Office 365. It is the .onmicrosoft.com domain for your tenant.
 
Combine both of those parts to form the DKIM records you need to enter. The example below shows how these records should look.
 
Action  Domain      DNS Type  Host                  Value
ADD     domain.com  CNAME     selector1._domainkey  selector1-customDomainIdentifier._domainkey.initialDomain
ADD     domain.com  CNAME     selector2._domainkey  selector2-customDomainIdentifier._domainkey.initialDomain
 
Once the DKIM records have been created, enter them in your DNS so they can begin to propagate globally. If this is not done before enabling DKIM, we have to wait for propagation to complete before DKIM can be enabled in Office 365.
  1. You can check a DNS record at https://dnschecker.org
 
Microsoft 365 Defender
  1. Log in to Microsoft 365 Defender using the link provided (https://sip.security.microsoft.com/homepage).
  2. In the portal, navigate to Policies & rules under Email & collaboration.
  3. On the Policies & rules page, select Threat policies.
  4. Then select DomainKeys Identified Mail (DKIM) to open the DKIM page.
  5. On the DKIM page, select the domain you want to enable DKIM for.
  6. You can then toggle the Enable button to start the activation process for DKIM. A dialogue box will appear which may contain the following status:
 
  7. A pop-up will now display your DKIM CNAME records.
 
  8. Rotate the DKIM key to a 2048-bit length (this adds extra security).
 
Publish your Office 365 DKIM CNAME records:
  1. Log in to your DNS provider's management console as the admin.
  2. Navigate to the DNS records section.
  3. Create new CNAME records (make sure the record type is CNAME).
  4. Add the hostnames and values that were provided in the Defender portal.
  5. Keep the TTL at 3600.
  6. Save the changes to your records. Wait about 24 to 48 hours for the DNS records to propagate.
 
Enable DKIM through PowerShell
  1. If the admin enabling DKIM has never connected to Exchange Online through PowerShell, first install the Exchange Online PowerShell module.
    • Set-ExecutionPolicy RemoteSigned
    • Install-Module -Name ExchangeOnlineManagement
 
  2. Once the module is installed, connect to Exchange Online PowerShell.
    • Connect-ExchangeOnline
 
  3. Run the following command to see the existing domains ready to enable DKIM.
    • Get-DkimSigningConfig
 
  4. If the domain exists in the list, enable DKIM signing for the domain.
    • Set-DkimSigningConfig -Identity domain.com -Enabled $true
 
If the domain doesn't exist in the list, create and enable it by running the PowerShell command below.
  • New-DkimSigningConfig -DomainName domain.com -KeySize 2048 -Enabled $true
 
  5. Rotate the DKIM key to a 2048-bit length (this adds extra security).
    • Rotate-DkimSigningConfig -KeySize 2048 -Identity domain.com
 
  6. Run the following command to see the current DKIM configuration. Confirm that DKIM has been enabled and the key length has been rotated.
    • Get-DkimSigningConfig -Identity domain.com | Format-List
 
  7. Once you have confirmed that DKIM is enabled and the key length has been rotated, verify that your messages pass DKIM by sending yourself a test message and analyzing the message header.
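As an added example (not part of the original article), the following Python covers both ends of this procedure: it derives the two selector CNAME records from the MX host and .onmicrosoft.com domain exactly as the table above lays them out, and it reads the dkim= clause of the Authentication-Results header on the test message from the last step. The tenant values (contoso.com, contoso-com.mail.protection.outlook.com, contoso.onmicrosoft.com) and the sample header are constructed for illustration.

```python
"""Added example, not the article's own code: build the Office 365 DKIM CNAME
records from the MX host and .onmicrosoft.com domain, then check a test
message's Authentication-Results header for a DKIM pass. Stdlib only."""
import re
from email import message_from_string

MX_SUFFIX = ".mail.protection.outlook.com"


def build_dkim_cnames(domain, mx_host, initial_domain):
    """Return {CNAME host (FQDN): CNAME target} for selector1 and selector2,
    following the record layout in the table above."""
    mx_host = mx_host.rstrip(".").lower()
    if not mx_host.endswith(MX_SUFFIX):
        raise ValueError(f"{mx_host} is not an Office 365 MX host")
    custom_id = mx_host[: -len(MX_SUFFIX)]  # the customDomainIdentifier
    return {
        f"selector{n}._domainkey.{domain}":
            f"selector{n}-{custom_id}._domainkey.{initial_domain}"
        for n in (1, 2)
    }


def dkim_result(raw_message, domain):
    """Return (passed, selector) from the dkim= clause of the receiving
    server's Authentication-Results header; (False, None) if no clause
    names the domain."""
    msg = message_from_string(raw_message)
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";"):
            clause = clause.strip()
            if not clause.startswith("dkim="):
                continue
            fields = dict(re.findall(r"([\w.]+)=(\S+)", clause))
            if fields.get("header.d", "").lower() == domain.lower():
                return fields.get("dkim") == "pass", fields.get("header.s")
    return False, None


# Constructed sample, folded the way a receiving server stamps it.
SAMPLE_MESSAGE = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=contoso.com; dkim=pass (signature was verified)
 header.d=contoso.com header.s=selector1; dmarc=pass action=none
 header.from=contoso.com
From: admin@contoso.com
To: admin@contoso.com
Subject: DKIM test

Test body.
"""
```

Compare the returned CNAME hosts and targets against what Get-DkimSigningConfig reports before publishing them, and treat a dkim= clause for a different header.d as not covering your domain.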