2 minutes reading time (487 words)

Configure DKIM in Office 365

Thursday, 06 May 2021

1801 Hits

Step by step guide for admins on how to configure DKIM in Office 365. Configure DKIM using PowerShell, publish DNS CNAME records and verify DKIM is signing message headers

What is DKIM?

Domain Keys Identified Mail (DKIM) is used to encrypt emails and digitally sign message headers using a pair of DKIM keys. The DKIM signature can be used to verify that the email message hasn't been modified. Implementing DKIM improves your email security by protecting messages and allowing mail servers to check that emails were sent by your authorized domain.

1 Check if DKIM is enabled

Microsoft Admin Center
https://admin.microsoft.com

Exchange Admin Center
Protection - DKIM

Status - DKIM not enabled

DKIM configuration will be moving from the Exchange Admin Center so we will use Security & Compliance Center for the rest of this guide

Office 365 Security & Compliance Center
https://protection.office.com

Threat management - Policy - DKIM

Select domain

DKIM is not enabled

2 Create DKIM Signing Policy using PowerShell

Connect to Exchange online PowerShell

New-DkimSigningConfig -Domain planetexpress.live -Enabled $true

The output of the command gives you the DNS CNAME records you need to create

WARNING: The config was created but can't be enabled because the CNAME records aren't published. Publish the following two CNAME records, and then enable the config by using Set-DkimSigningConfig.
selector1-planetexpress-live._domainkey.planetexpresslive.onmicrosoft.com
selector2-planetexpress-live._domainkey.planetexpresslive.onmicrosoft.com

3 Publish DNS CNAME records

Replace the domain and the tenant domain

selector1._domainkey
selector1-yourdomain-com._domainkey.tenantdomain.onmicrosoft.com

Example

selector1._domainkey
selector1-planetexpress-live._domainkey.planetexpresslive.onmicrosoft.com

Check the CNAME record has updated with MX toolbox

https://mxtoolbox.com

4 Enable DKIM signing

Once the DNS changes have propagated you will get the option to enable DKIM in the Security & Compliance Admin Center

Threat management - Policy
Select your domain - Sign messages for this domain

Or you can enable DKIM signing using PowerShell

Check the DKIM signing configuration

Get-DkimSigningConfig -Identity planetexpress.live

Enable DKIM signing

Set-DkimSigningConfig -Identity planetexpress.live -Enabled $true

DKIM has been enabled

5 Check DKIM configuration

MX Toolbox DKIM Record Lookup

You can use MX toolbox to check your DKIM records

https://mxtoolbox.com/dkim.aspx

DKIM checks completed OK

Check email message headers

You can verify that DKIM signing is enabled by checking the email message headers

You can also use Google message Header Analyzer to check DKIM

Google Admin Toolbox Messageheader
https://toolbox.googleapps.com/apps/messageheader/analyzeheader

Tags:

Office 365 DKIM

Comments

No comments made yet. Be the first to submit a comment

You can help support this website by buying me a coffee!

Configure DKIM in Office 365

What is DKIM?

1 Check if DKIM is enabled

2 Create DKIM Signing Policy using PowerShell

3 Publish DNS CNAME records

4 Enable DKIM signing

5 Check DKIM configuration

Related Posts

Download and share Teams live event recordings using Stream

Download Teams meeting recordings from Teams, OneDrive (SharePoint) and Stream

SOLVED: Office 365 - AD Synced user not showing in Exchange Hybrid on-premises

SOLVED: Remote Server returned '420 4.2.0 Recipient deferred because there is no Mdb'

Office 365 - Find who moved or deleted emails in a shared mailbox using PowerShell Search-MailboxAuditLog

Comments