How to Set Up DKIM Record for Microsoft?
Setting up DKIM (DomainKeys Identified Mail) for your Microsoft-hosted domain is a crucial step to improve your email deliverability. DKIM helps mailbox providers verify that emails sent from your domain are authentic and haven’t been tampered with—directly increasing your chances of landing in the inbox. Here’s a step-by-step guide specifically tailored for users of MailOptimal looking to secure their Microsoft-based email sending.
What Is DKIM?
DKIM adds a digital signature to your outgoing email messages. Receiving mail servers check this signature to confirm the mail is really from your domain and hasn’t been altered in transit. Setting up DKIM is a best practice for all modern emailing and is often a requirement to pass deliverability tests in MailOptimal.
Step 1: Access DKIM Settings in Microsoft 365
Log in to the Microsoft 365 Defender portal as a global administrator.
Go to Email & collaboration > Policies & rules > Threat policies.
Under Policies, click on DKIM.
Step 2: Obtain Your DKIM CNAME Records
In the DKIM section, select the custom domain you want to configure (e.g., yourcompany.com).
You will be shown two CNAME records. Each will look like this:
selector1._domainkey.yourcompany.com → points to a Microsoft-provided value, such as selector1-yourcompany-com._domainkey.<initialdomain>.onmicrosoft.com
selector2._domainkey.yourcompany.com → points to a similar Microsoft-provided value
Note: The actual CNAME target values will be shown in your Microsoft admin console and are unique for each domain.
Step 3: Add CNAME Records to Your Domain's DNS
Log in to your DNS control panel (where you manage your domain, usually your registrar or web host).
For each selector shown in Microsoft, create a new CNAME record:
Name/Host: selector1._domainkey (and selector2._domainkey)
Type: CNAME
Value/Points to: Copy the exact destination provided by Microsoft for each selector.
TTL: Set to 1 hour (3600) or leave as default.
Example:
Host/Name | Type | Points To/Value |
---|---|---|
selector1._domainkey.yourdomain.com | CNAME | selector1-yourdomain-com._domainkey.[yourinitial].onmicrosoft.com |
selector2._domainkey.yourdomain.com | CNAME | selector2-yourdomain-com._domainkey.[yourinitial].onmicrosoft.com |
Step 4: Enable DKIM Signing in Microsoft 365
Return to the DKIM settings in your Microsoft 365 Admin portal.
For your domain, click Enable next to "Sign messages for this domain with DKIM signatures".
Within a few minutes to a few hours (once DNS changes propagate), Microsoft 365 will begin adding DKIM signatures to outgoing mail.
Step 5: Verify Your DKIM Setup
Use MailOptimal’s DKIM verification tool or any reputable DKIM checker.
Send a test email from your Microsoft 365 mailbox to an external account.
Check the email headers for the line DKIM=pass.
If you see a successful pass result, your DKIM is working and mail sent from your domain will benefit from improved authenticity and deliverability.
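A header check for Step 5, as an added example that is not part of the original guide or of MailOptimal's tooling: it parses the Authentication-Results header of the test message and confirms both that DKIM passed and that the passing signature's header.d is your custom domain, since a pass on its own does not say which domain signed. The two sample messages and the function names dkim_results and signed_by_domain are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed headers of a test message signed for the custom domain.
SAMPLE_CUSTOM = """\
Authentication-Results: mx.receiver.example;
 dkim=pass (signature was verified) header.d=yourcompany.com header.s=selector1;
 spf=pass smtp.mailfrom=yourcompany.com
From: Alice <alice@yourcompany.com>
Subject: DKIM test

body
"""

# Constructed headers where DKIM passes, but for a different signing domain.
SAMPLE_OTHER = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=yourinitial.onmicrosoft.com header.s=selector1;
 spf=pass smtp.mailfrom=yourcompany.com
From: Alice <alice@yourcompany.com>
Subject: DKIM test

body
"""

def dkim_results(raw_message):
    """Return (result, header.d, header.s) for every dkim= entry found."""
    msg = message_from_string(raw_message)
    found = []
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", " ", value)   # drop parenthesised comments
        for clause in value.split(";")[1:]:         # part 0 is the receiving server id
            m = re.match(r"\s*dkim\s*=\s*(\w+)", clause, re.I)
            if not m:
                continue                            # spf=, dmarc=, etc.
            d = re.search(r"\bheader\.d\s*=\s*([^\s;]+)", clause, re.I)
            s = re.search(r"\bheader\.s\s*=\s*([^\s;]+)", clause, re.I)
            found.append((m.group(1).lower(),
                          d.group(1).lower() if d else None,
                          s.group(1).lower() if s else None))
    return found

def signed_by_domain(raw_message, domain):
    """True only if a DKIM signature passed AND was made for exactly `domain`."""
    domain = domain.lower().rstrip(".")
    return any(r == "pass" and d == domain
               for r, d, _ in dkim_results(raw_message))
```

Paste the full headers of your own test message in place of the samples; only trust Authentication-Results lines added by the receiving provider you sent the test to.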
Troubleshooting Tips
DNS Propagation: CNAME records may take up to 24–48 hours to fully propagate, but changes usually work within a couple of hours.
Typo Errors: Ensure hostnames and targets are entered exactly as shown. Typos will break DKIM.
Duplicate Keys: Don’t create more than one key or set of selectors per domain unless necessary.
MailOptimal Checks: Use the deliverability testing tools in MailOptimal to confirm correct setup after enabling DKIM.
Why Use DKIM in MailOptimal?
Enhances inbox placement
Reduces the risk of spoofing and phishing
Helps pass important anti-spam tests
By following this guide, you’ll maximize your chances of passing deliverability tests and maintaining a strong reputation for your Microsoft-powered email domain.
If you need step-by-step visuals or run into issues, consult your domain registrar’s documentation or use in-app support within MailOptimal.