How to enable DKIM in Microsoft 365 (step-by-step)
The exact admin centre steps to turn on DKIM signing for a custom domain in Microsoft 365 — CNAME records, propagation and how to verify it worked.
Need help with this? Talk to our Microsoft 365 team
Before you start
You need a custom domain already added and verified in Microsoft 365, plus access to both the Defender portal and your DNS host. Note that the default *.onmicrosoft.com domain has DKIM enabled automatically — custom domains do not, and email sent from them will rely on a weaker default signing configuration until you turn it on.
Enable DKIM and get your CNAME records
In the Microsoft Defender portal, go to Email & collaboration > Policies & rules > Threat policies > DKIM, then select your domain. If DKIM has never been configured, Microsoft 365 generates two CNAME selectors (selector1 and selector2) for you to publish — copy both exactly as shown before leaving the page.
Publish the records, then verify
Add both CNAME records at your DNS host precisely as provided, then return to the DKIM page and toggle it on — this fails if the records have not propagated yet, so allow a few minutes and retry rather than editing the values. Once enabled, use the MrTech email check tool to confirm DKIM passes; a failure after 24-48 hours usually means a mistyped CNAME, a mismatched selector, or a registrar-side caching delay.
Related service
This is part of our Microsoft 365 service for Melbourne businesses.
Try it now
Run the related tools
Need a hand?
Run the tools. Then talk to us.
Use our free diagnostics to see what is wrong, then get Melbourne IT support for the fix.
Keep reading
More guides

Fix SPF for Microsoft 365
Stop legitimate email bouncing or landing in spam by getting your SPF record right for Microsoft 365.
- Why SPF matters
- The Microsoft 365 include

Set up DMARC for your business
Move from none to quarantine with a policy that protects your domain from spoofing without breaking legitimate mail.
- What DMARC actually does
- Start with monitoring