Setup DKIM for Exchange Online

DomainKeys Identified Mail (DKIM) is an email security standard that was published in 2011 and is used to cryptographically sign email. A private key is stored on the mail server and a 1024-bit or 2048-bit public key is stored in DNS. While it is now possible to use EdDSA for DKIM instead of RSA per RFC 8463, it is not widely supported yet.

Unlike Google Workspace, where you can choose your own DKIM selector and then generate a 1024-bit or 2048-bit key to build your DKIM TXT record, Microsoft has a very specific format you must use to create your DNS records. Once those records are created you can either enable DKIM in the Classic Exchange Admin Center under the Protection module and then the DKIM tab (this feature is not available in the new Exchange Admin Center, nor will it be), or in the new Microsoft 365 Security Center under Policies & Rules –> Threat policies –> DKIM.

However, you can also enable DKIM via PowerShell for those of you who prefer the command line over the UI (instructions below). Sometimes this is actually necessary, when DKIM isn’t enabled in Exchange Online at all for a particular domain.

Creating the DNS Records

As I stated above, Microsoft has a very specific format it wants you to use to create your DNS records. You can’t set or change these; they are based on your Microsoft Tenant Domain (the subdomain before .onmicrosoft.com). For the purposes of this example we’re going to assume that your email domain name is xyz.com and your Microsoft Tenant Domain is xyz365.onmicrosoft.com. Using those domains your DKIM records would be constructed as follows:

selector1._domainkey.xyz.com IN CNAME selector1-xyz-com._domainkey.xyz365.onmicrosoft.com

selector2._domainkey.xyz.com IN CNAME selector2-xyz-com._domainkey.xyz365.onmicrosoft.com

You’ll note that the format of both these records is:

selector[1,2]._domainkey.yourdomain.tld

And that each record must point, via a CNAME, to a corresponding record at Microsoft in the following format (the dots in your domain name become hyphens, so xyz.com becomes xyz-com):

selector[1,2]-domainname-tld._domainkey.tenantdomain.onmicrosoft.com

Enabling DKIM

Navigate to the Microsoft 365 Security Center and click on Policies & Rules –> Threat policies –> DKIM. All of your domains, including your tenant domain, are listed here. Click on the domain itself (not the radio button to the left) and a right-hand panel will open that allows you to enable DKIM.

Using PowerShell

If you prefer to use PowerShell, or if you are unable to enable DKIM via the Classic Exchange Admin Center or the Microsoft 365 Security Center, you can enable DKIM via PowerShell by following the steps below.

## Allow local scripts to run; downloaded scripts must be signed by a trusted publisher ##
Set-ExecutionPolicy RemoteSigned

## Install the Exchange Online Management Module ##
Install-Module -Name ExchangeOnlineManagement

## Import the Exchange Online Module ##
Import-Module ExchangeOnlineManagement

## Connect to the Exchange Tenant ##
Connect-ExchangeOnline -UserPrincipalName {username} -ShowProgress $true

## Create the DKIM signing configuration for the domain, left disabled until the CNAME records are published ##
New-DkimSigningConfig -DomainName {domain} -Enabled $false

## Retrieve the two CNAME targets Microsoft expects; publish these in DNS before enabling ##
Get-DkimSigningConfig -Identity {domain} | fl Selector1CNAME, Selector2CNAME

## Enable DKIM signing once both CNAME records resolve ##
Set-DkimSigningConfig -Identity {domain} -Enabled $true

## Disconnect Session ##
Disconnect-ExchangeOnline
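As an added check of both the record format described earlier and the PowerShell steps above (my own Python, not Microsoft tooling or code from this post): it derives the two CNAME targets from an email domain and tenant domain, parses the Selector1CNAME/Selector2CNAME lines printed by the Get-DkimSigningConfig step, and compares both against resolver answers. The fl output and resolver answers below are constructed samples; in practice you would paste in the real cmdlet output and the answers from Resolve-DnsName or dig.

```python
import re

SELECTORS = ("selector1", "selector2")


def expected_dkim_cnames(domain: str, tenant_domain: str) -> dict:
    """Map each selector host under `domain` to the Microsoft target it must CNAME to.
    Every dot in the email domain becomes a hyphen (xyz.com -> selector1-xyz-com...)."""
    domain = domain.strip().rstrip(".").lower()
    tenant_domain = tenant_domain.strip().rstrip(".").lower()
    dashed = domain.replace(".", "-")
    return {f"{sel}._domainkey.{domain}": f"{sel}-{dashed}._domainkey.{tenant_domain}"
            for sel in SELECTORS}


def parse_selector_cnames(fl_output: str) -> dict:
    """Parse 'Selector1CNAME : target' lines from the Get-DkimSigningConfig | fl step."""
    found = {}
    for m in re.finditer(r"^\s*Selector([12])CNAME\s*:\s*(\S+)", fl_output, re.M):
        found[f"selector{m.group(1)}"] = m.group(2).rstrip(".").lower()
    return found


def check_dns(expected: dict, resolved: dict) -> list:
    """Compare resolver answers ({name: cname target}) with the expected map.
    Returns a list of problems; an empty list means both records are correct."""
    problems = []
    for name, target in expected.items():
        answer = resolved.get(name)
        if answer is None:
            problems.append(f"{name}: no CNAME published")
        elif answer.rstrip(".").lower() != target:
            problems.append(f"{name}: points to {answer}, expected {target}")
    return problems


# Constructed sample of what the Get-DkimSigningConfig step prints (not real tenant data).
SAMPLE_FL_OUTPUT = """
Selector1CNAME : selector1-xyz-com._domainkey.xyz365.onmicrosoft.com
Selector2CNAME : selector2-xyz-com._domainkey.xyz365.onmicrosoft.com
"""

# Constructed resolver answers: selector2 was published with a typo in the tenant name.
SAMPLE_RESOLVED = {
    "selector1._domainkey.xyz.com": "selector1-xyz-com._domainkey.xyz365.onmicrosoft.com.",
    "selector2._domainkey.xyz.com": "selector2-xyz-com._domainkey.xyz356.onmicrosoft.com.",
}

if __name__ == "__main__":
    expected = expected_dkim_cnames("xyz.com", "xyz365.onmicrosoft.com")
    for problem in check_dns(expected, SAMPLE_RESOLVED):
        print("DKIM CNAME problem:", problem)
```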