How to Set Up DKIM for Microsoft Office 365?

Why should you consider configuring an Office 365 DKIM setup? The answer is simple, Microsoft recommends a DKIM record to sign your outbound emails digitally so that they don't get tampered with or accessed by threat actors in the process of being transferred. Enabling O365 DKIM is an essential step to ensure your email's security. 

Creating Office 365 DKIM keys on the Microsoft 365 Defender portal 

Note: Previously, the DKIM office 365 configuration was carried out using the O365 Exchange Online portal. However, with improvements that were underway pertaining to Microsoft’s security processes, the DKIM configuration process has been up and moved to the Microsoft 365 Defender portal. 

Today we are going to discuss how you can enable DKIM Office 365 by using the new and improved Office 365 Defender. Follow the instructions given below:

• Login to your Defender account. You can use the link provided above. 
• On the portal, navigate and click on Policies & rules under Email & Collaboration
• On the Policies & rules page, select Threat policies

• Now select DomainKeys Identified Mail(DKIM) to open the DKIM page
• On the DKIM page, select the domain you want to enable DKIM for (this is the domain you use to send outbound messages) 

• You can now toggle the Enable button to start the activation process for DKIM. A dialogue box will appear which may contain the following status:

This isn’t something you should worry about. Simply click on the Create DKIM keys button to view your keys. 

• A pop-up will now display your DKIM CNAME records 

Click on the blue “Copy” button to copy records to your clipboard

Publishing your Office 365 DKIM CNAME records: 

1. Login to your DNS provider’s management console as the admin
2. Navigate to the DNS records section 
3. Create new CNAME records (Record type: CNAME)
4. Paste the copied hostnames and values, as provided on the Defender portal
5. Keep TTL as 3600
6. Save changes to your record and wait for 24-48 hours for your DNS to process these changes 

Note: The process for publishing DNS records varies depending on which DNS hosting provider you use. The time it takes to activate the records also depends on the same. 

Enabling the Microsoft 365 DKIM keys on your Defender account

After you are done publishing the records on your DNS, head back to the DKIM page on your Defender portal and toggle the “Enable” option.

DKIM couldn’t be enabled: CNAME records were not found

If an error persists and DKIM couldn’t be enabled for your domain on Microsoft’s Defender portal, follow these steps: 

• Lookup your published DKIM record using our DKIM record lookup tool to see if it is valid and error-free
• Your DNS might be taking some time to save changes. Wait for at least 48 hours before verifying your setup. 
• Cross-check your DKIM record’s syntax to ensure there are no inconsistencies like redundant spaces or special characters 
• Get in touch with your DNS hosting provider to discuss the issue 
• Get in touch with Microsoft’s support team to seek advice on the same 

How to disable DKIM for Office 365?

You can disable DKIM for Office 365 with a single click on the Defender portal.

 Simply head to Email & collaboration > Policies & rules > Threat policies > DomainKeys Identified Mail(DKIM) 

On the DKIM page toggle the “Enable” button to disable the protocol. 

Note: DKIM verification can help you better authenticate messages during special cases like email forwarding where SPF may fail. Keeping DKIM enabled for your domains is considered a good email practice and is highly recommended by Microsoft.