Aligned Authentication method:

SPF - Yes - TXT

DKIM - Yes 2 CNAME records

This article assume that M365 is currently sending emails as your domain but aligned DKIM signing has not yet been enabled.

If you are using M365 as your mail gateway, it is likely that Enforce has already added Microsoft Office 365 as an enabled sender. Enforce will also attempt to create the proper DKIM Public keys at the same time. 

If you need to add Microsoft 365 manually, it will still attempt to add the public DKIM keys.

Enable DKIM Signing:

To enable DKIM signing for your custom domain through the admin center
  1. Sign in to Microsoft 365 with your admin account.
  2. Select the app launcher icon in the upper-left and choose Admin.
  3. In the lower-left navigation, expand Admin and choose Exchange. Note that you may need to click on Show All at the bottom of the left navigation bar.
  4. Go to Protection > dkim.
On the DKIM page, you will see an 'Enable button as shown below

If the DKIM keys have not been properly published, you will see an error similar to the one below:

If you see this error, remove any existing selector1 and selector2 DKIM keys in Enforce and add new ones based on the error message. Note that these DKIM keys must be added as CNAME Type as shown below: