Office 365 DKIM setup: publish the two Microsoft CNAME records
Set up DKIM for Office 365 and Microsoft 365 with selector CNAME records, the Defender portal, Exchange Online PowerShell checks, and DMARC alignment verification.
Office 365, now Microsoft 365, can sign outbound mail with DKIM for your custom domain. You need to publish two CNAME records and enable signing in Microsoft Defender.
This narrow guide focuses on DKIM. For the full SPF, DKIM, and DMARC sequence, see our Microsoft 365 DMARC setup guide.
Microsoft’s DKIM documentation says every custom domain uses two selectors. The hostnames are always:
selector1._domainkey
selector2._domainkey
The target values are account-specific. Do not copy someone else’s target values.
Before you start
You need:
- Microsoft 365 admin access.
- DNS access for your sending domain.
- A custom domain already added to Microsoft 365.
- Access to Microsoft Defender or Exchange Online PowerShell.
If your users send as [email protected], configure DKIM for example.com. If a subdomain sends mail, configure that subdomain separately.
Step 1: get the correct CNAME targets
Use the Microsoft Defender portal or Exchange Online PowerShell to get the exact CNAME values.
In PowerShell, connect to Exchange Online and run:
Get-DkimSigningConfig -Identity example.com | Format-List Name,Enabled,Status,Selector1CNAME,Selector2CNAME
Microsoft introduced an updated DKIM CNAME format for new custom domains in May 2025. That means older examples like selector1-example-com._domainkey.example.onmicrosoft.com are not always correct for new tenants.
Use the values Microsoft shows for your domain.
Step 2: publish the two CNAME records
At your DNS provider, create both CNAME records:
| Type | Host | Points to |
|---|---|---|
| CNAME | selector1._domainkey | The Selector1CNAME value from Microsoft |
| CNAME | selector2._domainkey | The Selector2CNAME value from Microsoft |
If your DNS provider automatically appends the domain, enter only selector1._domainkey and selector2._domainkey. If it expects full hostnames, enter selector1._domainkey.example.com and selector2._domainkey.example.com.
Step 3: enable DKIM signing
Go to security.microsoft.com and open Email authentication settings > DKIM.
Select your custom domain and turn on signing for it. Microsoft enables custom-domain DKIM only after its own resolvers can see both CNAME records, so the toggle fails with a CNAME-related error until the records are live.
If the enable action fails, wait for DNS propagation, confirm both records with dig or your DNS provider’s lookup tool, and then retry. A failure at this point is almost always unpublished or mistyped DNS, not a tenant problem.
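The whole of Steps 1 to 3 can be driven from Exchange Online PowerShell. The script below is an added example, not Microsoft's code or the original page's: it reads the tenant-specific CNAME targets, checks that public DNS already returns them for both selectors, and only then enables signing. It assumes the ExchangeOnlineManagement module is installed, the account has Exchange admin rights, and Resolve-DnsName (the Windows DnsClient module) is available; the domain and the resolver address are parameters you supply.

```powershell
# Added example (not from Microsoft's documentation or the original page).
# Checks the two DKIM CNAME records for a Microsoft 365 custom domain against
# the targets the tenant expects, then enables signing if both are in place.
# Assumes: ExchangeOnlineManagement module, Exchange admin rights, and
# Resolve-DnsName (Windows DnsClient module). Resolver address is a parameter.
param(
    [Parameter(Mandatory)] [string] $Domain,
    [string] $Resolver = '8.8.8.8'   # public resolver, so you see what external receivers see
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Microsoft normally creates the signing config when the domain is added.
# If it is missing, create it disabled so the CNAME targets can be read
# before anything is published in DNS.
$cfg = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
if (-not $cfg) {
    $cfg = New-DkimSigningConfig -DomainName $Domain -Enabled $false
}

# Expected hostname -> expected CNAME target, straight from the tenant.
$expected = [ordered]@{
    "selector1._domainkey.$Domain" = $cfg.Selector1CNAME
    "selector2._domainkey.$Domain" = $cfg.Selector2CNAME
}

$allGood = $true
foreach ($name in $expected.Keys) {
    $target = $expected[$name]
    $answer = Resolve-DnsName -Name $name -Type CNAME -Server $Resolver -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'CNAME' } |
              Select-Object -First 1 -ExpandProperty NameHost
    if ($answer -and $target -and ($answer.TrimEnd('.') -ieq $target.TrimEnd('.'))) {
        Write-Host "OK      $name -> $answer"
    } else {
        $allGood = $false
        Write-Host "MISSING $name"
        Write-Host "        expected CNAME target: $target"
        Write-Host "        found: $(if ($answer) { $answer } else { '<no CNAME answer>' })"
    }
}

if ($allGood -and -not $cfg.Enabled) {
    # Same action as the toggle in the Defender portal. It fails with a
    # CNAME-related error if Microsoft's resolvers have not seen the records
    # yet; in that case wait and rerun rather than changing anything.
    Set-DkimSigningConfig -Identity $Domain -Enabled $true
    Get-DkimSigningConfig -Identity $Domain |
        Format-List Domain, Enabled, Status, Selector1CNAME, Selector2CNAME
} elseif ($cfg.Enabled) {
    Write-Host "DKIM signing is already enabled for $Domain (Status: $($cfg.Status))"
} else {
    Write-Host "Publish or fix the records above, wait for propagation, then rerun."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Save it as a .ps1 file and run it as `.\Enable-M365Dkim.ps1 -Domain example.com`. Querying a public resolver rather than your own matters: an internal resolver may answer from a split-horizon zone or a stale cache, and what counts is what Microsoft and external receivers see.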
Step 4: verify real mail
Send a test message from a Microsoft 365 mailbox to an external Gmail or Outlook address.
Inspect the authentication results. DKIM should pass, and the DKIM d= domain should be your custom domain. Before custom-domain signing is enabled, Microsoft signs with the tenant’s initial onmicrosoft.com domain, so the header can show dkim=pass while d= does not match the From domain; that signature does not count for DMARC alignment.
Then use DMARCTrust’s domain checker to confirm your domain has SPF and DMARC records too.
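Reading Authentication-Results by eye is error-prone, especially because Gmail reports the signing domain as header.i=@domain and Outlook.com as header.d=domain. The function below is an added example, not code from the original page: it unfolds the headers of a test message, collects every DKIM verdict and signing domain, and reports whether a passing signature aligns with the From domain. The two header samples are constructed for this example, and contoso.onmicrosoft.com is a placeholder tenant name.

```powershell
# Added example (not from the original page). Checks a test message's headers
# for a passing DKIM verdict whose signing domain aligns with the From domain.
# Header samples below are constructed; contoso.onmicrosoft.com is a placeholder.
function Test-DkimAlignment {
    param([Parameter(Mandatory)] [string] $RawHeaders)

    # Unfold RFC 5322 continuation lines so each header is a single line.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '

    $fromDomain = [regex]::Match($unfolded, '(?im)^From:[^\r\n]*?@([A-Za-z0-9.-]+)').Groups[1].Value.ToLower()

    # d= from every DKIM-Signature header the sender added.
    $signingDomains = @([regex]::Matches($unfolded, '(?im)^DKIM-Signature:[^\r\n]*?[;\s]d=([A-Za-z0-9.-]+)') |
                        ForEach-Object { $_.Groups[1].Value.ToLower() })

    # Receiver verdicts. Gmail writes header.i=@domain, Outlook.com writes header.d=domain.
    $verdicts = @()
    foreach ($ar in [regex]::Matches($unfolded, '(?im)^Authentication-Results:[^\r\n]*')) {
        foreach ($m in [regex]::Matches($ar.Value, 'dkim=(\w+)[^;]*?header\.(?:d=|i=[^@\s]*@)([A-Za-z0-9.-]+)')) {
            $verdicts += [pscustomobject]@{
                Result = $m.Groups[1].Value.ToLower()
                Domain = $m.Groups[2].Value.ToLower()
            }
        }
    }

    $passing = @($verdicts | Where-Object { $_.Result -eq 'pass' } | ForEach-Object { $_.Domain })

    # Strict alignment: d= equals the From domain. Relaxed alignment is approximated
    # as a parent/child domain match; real DMARC compares organizational domains.
    $strict  = [bool]($passing | Where-Object { $_ -eq $fromDomain })
    $relaxed = [bool]($passing | Where-Object {
        $_ -eq $fromDomain -or $fromDomain.EndsWith(".$_") -or $_.EndsWith(".$fromDomain")
    })

    [pscustomobject]@{
        FromDomain     = $fromDomain
        SigningDomains = $signingDomains -join ','
        DkimPassedFor  = $passing -join ','
        StrictAligned  = $strict
        RelaxedAligned = $relaxed
    }
}

# Constructed sample 1: Gmail's verdict once custom-domain signing is on.
$goodHeaders = @'
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=selector1 header.b=abc123;
       spf=pass (google.com: domain of user@example.com designates 52.100.0.1 as permitted sender) smtp.mailfrom=user@example.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=...; b=...
From: Jane Admin <user@example.com>
Subject: DKIM test
'@

# Constructed sample 2: before custom-domain signing is enabled. Microsoft signs
# with the initial onmicrosoft.com domain, so DKIM passes but does not align.
$defaultHeaders = @'
Authentication-Results: mx.google.com;
       dkim=pass header.i=@contoso.onmicrosoft.com header.s=selector1-contoso-onmicrosoft-com header.b=def456;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.onmicrosoft.com; s=selector1-contoso-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=...; b=...
From: Jane Admin <user@example.com>
Subject: DKIM test
'@

Test-DkimAlignment $goodHeaders      # StrictAligned True
Test-DkimAlignment $defaultHeaders   # DKIM passed, but StrictAligned and RelaxedAligned False
```

Paste the full header block of a real test message into a here-string in place of the samples. A result of dkim=pass with StrictAligned False is the signature Microsoft applies with the onmicrosoft.com domain, which means Step 3 has not taken effect yet.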
Common mistakes
Copying old CNAME examples. Microsoft has old and new DKIM target formats. Use the Defender portal or PowerShell output for your exact domain.
Publishing only one selector. Microsoft uses two selectors for key rotation. Publish both.
Stopping after DNS. You still need to enable DKIM signing in Microsoft.
Assuming DKIM fixes every sender. Microsoft 365 DKIM covers mail sent through Microsoft. It does not authenticate Mailchimp, Salesforce, Zendesk, SendGrid, or other services.
DMARC next steps
DKIM is a prerequisite for reliable DMARC enforcement, but it is not the policy layer.
After SPF and DKIM are working, publish a DMARC record:
v=DMARC1; p=none; rua=mailto:[email protected];
Start with p=none, collect reports in DMARCTrust, fix third-party senders, then follow a staged move to p=quarantine and p=reject.
FAQ
What are the Office 365 DKIM records?
They are two CNAME records at selector1._domainkey and selector2._domainkey. The target values are specific to your Microsoft 365 tenant and domain.
Can I use the old onmicrosoft.com CNAME format?
Only if Microsoft shows that format for your domain. Newer domains may use the updated dkim.mail.microsoft format.
How do I know Office 365 DKIM is working?
Send an external test message and inspect the headers. DKIM should pass with your domain in the d= tag.