Microsoft recommends a DKIM record to sign your outbound emails digitally so that they don't get tampered with or accessed by threat actors in the process of being transferred. It is an essential step to ensure your email's security.


Microsoft Office 365 requires special configuration actions outside of Authenticate. Please follow these steps to complete configuration for Microsoft Office 365, and then return to your automation-guided task list in Authenticate.



This article contains the following guidelines:



Step 1: Authorizing M365 in Authenticate

Step 2: Enable DKIM on your domain in the M365 platform

Step 3: Creating the Office 365 DKIM records

Step 4: Publishing the M365 DKIM keys in Authenticate

Step 5: Enabling Office 365 DKIM signing




Step 1: Authorizing M365 in Authenticate:


1. Make sure you have added Microsoft Office 365 as an 'Approved Sender' in Authenticate for the domain you are configuring it for.


Note: If Microsoft Office 365 has not been approved, please do so now by following the steps below.


  1. From the Senders section, click on '+ ADD SENDER FOR [your domain]'. 
  2. Choose 'Microsoft Office 365' from the Service Name drop-down, and click 'ADD'. 


2. Enable DKIM signing for your custom domain. The steps outlined below will help you enable DKIM on your domain in the M365 platform.



Step 2: Enable DKIM on your domain in the M365 platform:


1. Sign in to Office 365 using your admin account and choose Admin.




2. Once in the Admin center, expand Admin centers and choose Exchange.




3. Go to protection > dkim




4. Select the domain for which you want to enable DKIM and click on Enable. Repeat this step for each custom domain.




If you haven't created the relevant CNAME records, you will need to do so as per the instructions below. 



Step 3: Creating the Office 365 DKIM records



The Office 365 DKIM CNAME records are used to map an alias name to the true or canonical domain name. In essence, when you provision a new domain name in Office 365 you will need to create two CNAME records for it so that it points to your initial domain. Here is an example:


We will use example.onmicrosoft.com as our initial domain, also called the tenant domain. But we actually own example.com and after we provision it in Office 365 we need to publish the two CNAME records so that example.com points to example.onmicrosoft.com using the format below.


Here is what the DKIM keys should look like for this example:



Type: CNAME

Host: selector1._domainkey

Value: selector1-example-com._domainkey.example.onmicrosoft.com


Type: CNAME

Host: selector2._domainkey

Value: selector2-example-com._domainkey.example.onmicrosoft.com



Please pay close attention to the domainGUID, which does not use a full stop "." but a hyphen "-" instead. This is taken from the MX record of your custom domain, in this case, example.com.
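The check below is an added example, not code from Authenticate or Microsoft: it derives the two expected CNAME values in the format shown above and compares them with what has been published. The function names are hypothetical, the `.mail.protection.outlook.com` MX suffix is an assumption about the usual M365 MX target, and the sample records are constructed.

```python
# Added example: names are illustrative, not part of Authenticate or Microsoft tooling.
MX_SUFFIX = ".mail.protection.outlook.com"  # assumption: usual M365 MX target form


def domain_guid_from_mx(mx_target):
    """Return the domainGUID label from an M365 MX target."""
    host = mx_target.rstrip(".").lower()
    if not host.endswith(MX_SUFFIX):
        raise ValueError("not an M365 MX target: " + mx_target)
    return host[: -len(MX_SUFFIX)]


def expected_dkim_cnames(domain_guid, initial_domain):
    """Map each selector host to the CNAME value in the format shown above."""
    initial = initial_domain.rstrip(".").lower()
    return {
        f"selector{n}._domainkey": f"selector{n}-{domain_guid}._domainkey.{initial}"
        for n in (1, 2)
    }


def check_published(published, expected):
    """Compare published (host, type, value) records with the expected CNAMEs."""
    found = {host.lower(): (rtype.upper(), value.rstrip(".").lower())
             for host, rtype, value in published}
    problems = []
    for host, want in expected.items():
        if host not in found:
            problems.append(f"{host}: record missing")
            continue
        rtype, value = found[host]
        if rtype != "CNAME":
            problems.append(f"{host}: type is {rtype}, must be CNAME")
        elif value != want:
            problems.append(f"{host}: value {value} should be {want}")
    return problems


# Constructed sample data for the article's example.com tenant.
guid = domain_guid_from_mx("example-com.mail.protection.outlook.com")
expected = expected_dkim_cnames(guid, "example.onmicrosoft.com")
published = [  # selector1 uses a full stop instead of a hyphen; selector2 is correct
    ("selector1._domainkey", "CNAME", "selector1-example.com._domainkey.example.onmicrosoft.com"),
    ("selector2._domainkey", "CNAME", "selector2-example-com._domainkey.example.onmicrosoft.com."),
]
for line in check_published(published, expected):
    print(line)
```

Running it against records exported from your DNS before clicking Enable catches the full-stop-for-hyphen mistake and keys published as a type other than CNAME.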


The CNAME record value syntax will also pop up when you click on Enable DKIM from your Exchange admin center: 




Note: If the DKIM keys have not been properly published, you will see an error similar to the one above.


If you see this error when enabling DKIM in Microsoft Office 365, remove any existing selector1 and selector2 DKIM keys in Authenticate and add new ones based on the error message, as described in Step 4: Publishing the M365 DKIM keys in Authenticate.




Step 4: Publishing the M365 DKIM keys in Authenticate:



1. Publish the two DKIM keys in Authenticate. Note that these DKIM keys must be added with the record type CNAME, as shown below:




Here's a detailed guide on how to publish and manage DKIM keys in Authenticate: DKIM Key Management in Authenticate




Step 5: Enabling Office 365 DKIM signing


Once you have added the CNAME records (two per domain) in the Authenticate platform, Office 365 DKIM signing can be enabled through the Office 365 admin center.