Microsoft recommends a DKIM record to sign your outbound emails digitally so that they don't get tampered with or accessed by threat actors in the process of being transferred. It is an essential step to ensure your email's security.

In order to set up Office 365 DKIM, you will need to complete the following steps:

1. Sign in to Office 365 using your admin account and choose Admin.

2. Once in the Admin center, expand Admin centers and choose Exchange.

3. Go to protection > dkim

4. Select the domain for which you want to enable DKIM and click on Enable. Repeat this step for each custom domain.

 If you haven't created the relevant CNAME records, you will need to do so as per the instructions below. 

Creating the Office 365 DKIM records

The Office 365 DKIM CNAME records are used to map an alias name to the true or canonical domain name. In essence, when you provision a new domain name in Office 365 you will need to create two CNAME records for it so that it points to your initial domain. Here is an example:

We will use as our initial domain, also called the tenant domain. But we actually own and after we provision it in Office 365 we need to publish the two CNAME records so that points to using the format below.

Here is how the DKIM keys should look like for this example: 


Host: selector1._domainkey



Host: selector2._domainkey


Please pay close attention to the domainGUID which does not use a full stop "." but a hyphen "-" instead. This is taken from the MX record of your custom domain, in this case,

The CNAME record value syntax will also pop up when you click on Enable DKIM from your Exchange admin center: 

The reason behind the two CNAME records is that Microsoft rotates the two keys for added security.

The 2 DKIM keys will need to be published in the Valimail Enforce platform.

Now you can simply go to your domain's Configuration page in Valimail Enforce and publish the newly created DKIM key.

Click on Add a DKIM key and fill in the info from the newly created M365 keys and then click Add.

Enabling Office 365 DKIM signing

Once you have added the CNAME records (two per domain) in the Valimail Enforce platform, Office 365 DKIM signing can be enabled through the Office 365 admin center