---
title: "Configuring DKIM to sign mail from your Microsoft 365 domain | DuoCircle"
description: "Configuring DKIM to sign mail from your Microsoft 365 domain."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/email-security/configuring-dkim-sign-mail-from-your-microsoft-365-domain/"
---

Quick Answer

Configuring DKIM in Microsoft 365 differs from most other systems because Microsoft 365 publishes the public key as CNAME records, not TXT records. For MOERA users (.onmicrosoft.com domains), Microsoft handles DKIM with 2048-bit keys automatically. For custom domains, Microsoft signs mail by default but the signing domain must match the From domain for DMARC to align. To enable DKIM signing on a custom domain: confirm the domain appears on the DKIM tab at security.microsoft.com/authentication, navigate Defender > Email & collaboration > Policies & rules > Threat policies > Email authentication settings > DKIM, click the custom domain, toggle 'Sign messages for this domain with DKIM signatures' on. The error box shows the two CNAME records to publish (selector1.\_domainkey and selector2.\_domainkey, each pointing at the corresponding selector at the .onmicrosoft.com initial domain). Publish both at the registrar and wait for propagation. Two operational rules: use a subdomain for third-party bulk senders so their reputation issues don't affect your main domain, and don't publish DKIM records for parked domains (it lets attackers forge them). Each domain needs its own DKIM configuration.

Configuring DKIM to sign mail from your Microsoft 365 domain


![Configuring DKIM](https://media.mailhop.org/duocircle/images/2024/06/spf-record-4532.jpg) 

The main purpose of [DKIM](/resources/what-is-dkim) is to verify whether a malicious entity tampered with **email content** in transit. _To ensure this, a pair of public and private keys is produced for your domain and used by the source email systems to **digitally sign the headers** of outgoing messages._ This [digital signature](/email-security/distinction-between-2-crucial-aspects-of-email-security/) remains valid until intermediate email systems modify the signed part. _The d= value represents the signing domain in the header field._

The [public key](https://www.techtarget.com/searchsecurity/definition/public-key) corresponding to your domain is stored as a **CNAME record** in Microsoft 365. Note that most other email systems store it as a TXT record.

The recipients’ email servers use the [d= value in the header](https://www.heficed.com/kb/abuse/email-headers) field to identify the signing domain and find your **domain’s DKIM public key** in the DNS. After retrieving the public key, the server uses it to check the signature that was created with the matching private key. DKIM passes if the signature verifies; otherwise, it fails.

[![DKIM authentication](https://media.mailhop.org/duocircle/images/2024/06/DKIM-validation-1.jpg)](https://media.mailhop.org/duocircle/images/2024/06/DKIM-validation-1.jpg)

## General facts about DKIM

Here are two general yet **important facts** about DKIM-

1. _The DKIM signing domain does not need to match the domain in the MAIL FROM or FROM addresses in the email_; they **can be different**.
2. An email **can have multiple signatures** by different domains. Many [hosted email services](/content/hosted-email-services) first sign messages using their own domain. After the customer sets up DKIM signing for their domain, the messages are signed again using the customer’s domain.

## DKIM in Microsoft 365 based on your email domain

### For MOERA users

_**Microsoft itself** takes care of public keys for Microsoft Online Email Routing Address or MOERA domains._ There will be a 2048-bit pair of public and private keys, and all the outgoing emails are signed using the respective [private key](https://www.1kosmos.com/authentication/private-key/). 

However, you are **free to manually set up DKIM** signing using the .onmicrosoft.com domain.

### For custom domain users

Microsoft **automatically signs all the outgoing emails**; however, there are still a few things that you need to take care of-

- For DKIM to pass [DMARC validation](/email-security/what-is-dkim-alignment-how-does-it-impact-dmarc/), the domain signing the message and the [domain in the From address](https://www.streak.com/post/what-is-an-email-domain) **must match**.
- For third-party [email services](https://techcrunch.com/2024/03/14/proton-mail-desktop-mac-windows-linux-premium-paying-users/) (like bulk email services), use a subdomain instead of your main domain. This prevents issues with these services from affecting your main domain’s reputation. _Remember, each domain has to have **its own DKIM** configuration._
- _Do not publish DKIM records for registered but [unused (parked) domains](https://www.designrush.com/agency/web-development-companies/trends/what-is-parked-domain)._ This **prevents forged domains** from passing [DKIM validation](/resources/dkim-validation).
- To fully protect your custom domains, **configure SPF and DMARC** along with DKIM as part of your [email authentication](/resources/email-authentication) strategy.

## Configuring DKIM signing in Microsoft 365

When you turn on DKIM signing using a custom domain, the signing process switches from using the **.onmicrosoft.com domain to the custom domain**. You may use a [custom domain](https://www.shortstack.com/blog/what-is-a-custom-domain-and-why-you-should-use-one-for-your-next-campaign) or subdomain for this process only when the domain is added to Microsoft 365.

To follow the steps mentioned below, you need to first check that the custom domain or subdomain is **appearing on the DKIM** tab of the [email authentication page](https://security.microsoft.com/authentication?viewid=DKIM).

You will come across a details flyout, where you need to ensure the following-

- The ‘**Sign messages for this domain with DKIM signatures**’ toggle is set to ‘**Disabled**.’
- The ‘**Status**’ value should be ‘**Not signing DKIM signatures for this domain**.’
- The ‘**Create DKIM keys**’ option should not be there.
- The ‘**Rotate DKIM keys**’ box should be there, but it should be grayed out.

Move to the next steps if all is fine in the details flyout.

1. Go to the Defender portal.
2. Choose **Email & collaboration > Policies & rules > Threat policies > Email authentication settings** page.
3. Click on the ‘**DKIM**’ tab, followed by selecting the custom domain to configure by clicking anywhere in the row except the check box next to the name.
4. There will be a details flyout where you have to select the ‘**Sign messages for this domain with DKIM signatures**’ toggle that is currently set to **Disabled**. Also, note the ‘**Last checked date**.’
5. An error box will appear containing the values you have to use in the two [CNAME records](https://en.wikipedia.org/wiki/CNAME%5Frecord) you create at the domain registrar.

We are considering an example where the **custom domain is ‘testing.com’** and the initial domain for Microsoft 365 is ‘testing.onmicrosoft.com.’ As per this example, you will see the following error message-

`Microsoft.Exchange.ManagementTasks.ValidationException|CNAME record does not exist for this config. Please publish the following two CNAME records first. Domain Name: testing.com Host Name:selector1._domainkey Points to address or value: selector1-testing-com._domainkey.testing.onmicrosoft.com Host Name:selector2._domainkey Points to address or value:selector2-testing-com._domainkey.testing.onmicrosoft.com.`

`If you have already published the CNAME records, sync will take a few minutes to as many as 4 days based on your specific DNS. Return and retry this step later.`

So, you need to create the following CNAME records for the testing.com domain.

**Hostname**: `selector1._domainkey`

**Points to address or value**: `selector1-testing-com._domainkey.testing.onmicrosoft.com`

**Hostname**: `selector2._domainkey`

**Points to address or value**: `selector2-testing-com._domainkey.testing.onmicrosoft.com`

Copy the information from the error dialog and click ‘**OK**.’

Leave the domain details flyout open.

[![domain registrar’s platform](https://media.mailhop.org/duocircle/images/2024/06/sender-policy-framework-7326.jpg)](https://media.mailhop.org/duocircle/images/2024/06/sender-policy-framework-7326.jpg)

6. Open a new browser tab or window and go to your [domain registrar’s platform](https://cryptonews.com/news/on-chain-domains-expand-usability-of-web2-platforms.htm). There, you have to **create two CNAME records** using the details from the last step.
7. Wait for a few minutes; let [Microsoft](/email-services/microsofts-daily-limit-for-exchange-online-bulk-emails-to-combat-spam/) take its time to detect the newly created CNAME records.
8. Return to the details flyout you left open in the 5th step. Select the ‘**Sign messages for this domain with DKIM signatures**’ toggle.

Within a few seconds, a dialog box will open; click ‘**OK**’ to close it. You will then be back in the details flyout, where you have to check the following-

- The ‘**Sign messages for this domain with DKIM signatures**’ toggle is set to ‘**Enabled**.’
- The ‘**Status**’ value should be ‘**Signing DKIM signatures for this domain**.’
- The ‘**Rotate DKIM keys**’ box should be there without being grayed out.
- The ‘**Last checked date**’ should be more recent than what you noted in the fourth step.
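The two CNAME records from the procedure above can be derived and checked before flipping the toggle. This is an added example, not code from DuoCircle or Microsoft: it assumes the target naming shown in the error message above (dots in the custom domain replaced by hyphens), and the function names, finding labels and sample zone are constructed for illustration.

```python
# Added example: build the two DKIM CNAME records for a custom domain and
# compare them with what is published. Always publish the exact values the
# portal displays; the naming here mirrors the testing.com example above.

def normalize(name):
    """Lower-case a DNS name and drop surrounding space and the trailing dot."""
    return name.strip().rstrip(".").lower()


def expected_dkim_cnames(custom_domain, initial_domain):
    """Return {host: target} for selector1 and selector2 of a custom domain."""
    custom, initial = normalize(custom_domain), normalize(initial_domain)
    label = custom.replace(".", "-")  # testing.com -> testing-com
    return {
        f"selector{n}._domainkey.{custom}":
            f"selector{n}-{label}._domainkey.{initial}"
        for n in (1, 2)
    }


def check_published(custom_domain, initial_domain, records):
    """records: iterable of (name, type, value) taken from a zone export.

    Returns {host: finding}; finding is one of ok, wrong-target,
    wrong-type, doubled-zone or missing.
    """
    custom = normalize(custom_domain)
    published = {}
    for name, rtype, value in records:
        entry = (rtype.upper(), normalize(value))
        published.setdefault(normalize(name), []).append(entry)

    findings = {}
    for host, target in expected_dkim_cnames(custom_domain, initial_domain).items():
        rrset = published.get(host, [])
        if any(t == "CNAME" and v == target for t, v in rrset):
            findings[host] = "ok"
        elif any(t == "CNAME" for t, _ in rrset):
            findings[host] = "wrong-target"   # CNAME exists, points elsewhere
        elif rrset:
            findings[host] = "wrong-type"     # e.g. a TXT key, as other systems use
        elif f"{host}.{custom}" in published:
            findings[host] = "doubled-zone"   # full name typed, zone appended again
        else:
            findings[host] = "missing"
    return findings


# Constructed sample zone: selector1 is correct (case and trailing dots are
# ignored); selector2 was published as a TXT record instead of a CNAME.
SAMPLE_ZONE = [
    ("selector1._domainkey.testing.com.", "CNAME",
     "Selector1-Testing-Com._domainkey.testing.onmicrosoft.com."),
    ("selector2._domainkey.testing.com.", "TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER"),
]

if __name__ == "__main__":
    result = check_published("testing.com", "testing.onmicrosoft.com", SAMPLE_ZONE)
    for host, finding in result.items():
        print(f"{host}: {finding}")
```
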

## Use the Defender portal to customize DKIM using the .onmicrosoft.com domain

Although the initial .onmicrosoft.com domain automatically signs all outgoing emails with DKIM, you can use the below-mentioned process to **configure it as per your preferences**-

1. Produce a pair of **DKIM keys** and add them to the [Microsoft 365 data centers](https://www.microsoft.com/en-us/microsoft-365/blog/2024/03/07/data-residency-in-the-ai-era-new-capabilities-to-manage-your-data/).
2. Check and ensure the properties of the .onmicrosoft.com domain correctly show in the details flyout of the domain on the DKIM tab of the ‘**Email authentication**’ settings.

Ensure the details flyout has the following:

- The ‘**Sign messages for this domain with DKIM signatures’** toggle is not visible.
- The ‘**Status**’ value should be ‘**No DKIM keys saved for this domain**.’
- The ‘**Create DKIM keys**’ box should be available.

Move to the next steps if all is fine in the details flyout.

1. Go to the [Defender portal](https://learn.microsoft.com/en-us/defender-xdr/microsoft-365-defender-portal).
2. Choose **Email & collaboration > Policies & rules > Threat policies > Email authentication settings** page.
3. Click on the **DKIM** tab, followed by selecting the .onmicrosoft.com domain to configure by clicking anywhere in the row except the check box next to the name.
4. A details flyout will open, select ‘**Create DKIM keys**.’
5. When the [DKIM key generation](/resources/dkim-generator) process is done, the ‘**Publish CNAMEs**‘ dialog will open. Select ‘**Close**.’

Here, you don’t have to copy the values as you can’t create the CNAME records for the [.onmicrosoft domain](https://cloudacademy.com/course/setting-up-and-managing-a-microsoft-365-tenant/understanding-the-onmicrosoft-com-domain/).

6. After you hit the ‘**Close**’ button, you will be back on the domain details flyout. Here, you turn on the ‘**Sign messages for this domain with DKIM signatures**’ toggle.
7. Once done, click ‘**Close**.’

## Rotating DKIM keys for a custom domain in the Defender portal

1. Go to the Defender portal.
2. Choose **Email & collaboration > Policies & rules > Threat policies > Email authentication settings** page.
3. Click on the **DKIM** tab, then select the domain to configure by clicking anywhere in the row except the check box next to the name.
4. A details flyout will open; select ‘**Rotate DKIM keys**.’
5. Ensure the details flyout has the following values:
   - The ‘**Status**’ should be ‘**Rotating keys for this domain and signing DKIM signatures**.’
   - The ‘**Rotate DKIM keys**’ box should be grayed out.
6. _**After four days** (96 hours), the new DKIM key will start signing outbound messages for the custom domain._ During this period, the current DKIM key remains in use. You’ll know the new DKIM key is active when the ‘**Status**’ changes from ‘**Rotating keys for this domain and signing DKIM signatures**’ to ‘**Signing DKIM signatures for this domain**.’

To verify the corresponding public key used to authenticate the DKIM signature (indicating the private key that signed the message), check the **s= value in the DKIM-Signature** header field (the [DKIM selector](/resources/dkim-selector); for example, s=selector1-testing-com).
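The s= check described above, together with the earlier points that a message can carry several signatures and that only one whose d= matches the From domain counts for DMARC, can be run against a saved message. This is an added example, not code from the original page: the sample message, the second selector name and the placeholder bh=/b= values are constructed, and the function name is hypothetical.

```python
# Added example: list every DKIM-Signature on a message with its d= and s=
# values, the DNS name a receiver would query for the public key, and whether
# d= matches the From domain. It does not verify the signature itself.
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: one signature from the custom domain, one from the
# initial .onmicrosoft.com domain. bh= and b= are placeholders, not real data.
SAMPLE_MESSAGE = """\
From: Alice <alice@testing.com>
To: bob@example.net
Subject: Quarterly report
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=testing.com;
 s=selector1-testing-com; h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=testing.onmicrosoft.com; s=selector1-testing-onmicrosoft-com;
 h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER

Body text.
"""


def parse_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            # Header folding may leave whitespace inside a value; drop it.
            tags[key.strip()] = "".join(value.split())
    return tags


def dkim_signatures(raw_message):
    """Return one dict per DKIM-Signature header, in header order."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        found.append({
            "d": d,
            "s": s,
            # Where the receiver looks up the public key for this signature.
            "dns_name": f"{s}._domainkey.{d}",
            # Exact match, as the page states it. DMARC's default relaxed
            # mode also accepts the same organizational domain (not shown).
            "aligned": bool(d) and d == from_domain,
        })
    return found


if __name__ == "__main__":
    for sig in dkim_signatures(SAMPLE_MESSAGE):
        print(sig)
```

During a rotation, comparing the `s` value on messages sent before and after the 96-hour window shows when the new key has taken over.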

## Disabling DKIM keys for a custom domain in the Defender portal

1. Go to the Defender portal.
2. Choose **Email & collaboration > Policies & rules > Threat policies > Email authentication settings** page.
3. Click on the **DKIM** tab, then select the domain to configure by clicking anywhere in the row except the check box next to the name.
4. A details flyout will open; turn off the ‘**Sign messages for this domain with DKIM signatures**’ toggle.

## Final words

Remember to **pair DKIM** with [SPF](/content/spf-record-check) and DMARC for optimum protection against [email spoofing](https://techcrunch.com/2024/06/18/security-bug-allows-anyone-to-spoof-microsoft-employee-emails/) and phishing. If you need help with [email security](/), authentication, and reporting, [reach out to us](/contact).


Brad Slavin 

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.
