Set up DKIM Records and Signing

DomainKeys creates signatures in messages sent from your organization that can be used to help prevent spoofed messages from being sent and/or received. We need a couple of pieces of information to create the correct DNS records for a client domain.

Create DNS Records:

In order to create the necessary DNS records for DKIM, we must first determine the Domain, DomainGUID, and InitialDomain that is being used.

  1. Domain: The domain used to send email (i.e.

  2. DomainGUID: Perform an MX lookup on the domain, the DomainGUID is the portion of the domain before (i.e. protectedtrust-com) unless they are using third-party antispam, otherwise we can look it up in the Office 365 admin center under Setup > Domains.

  3. InitialDomain: This is the tenant "" domain. To determine this, log in to the Office 365 admin center and go to Setup > Domains in order to find it (i.e.

Use these values to generate the two CNAME values listed below:

  1. CNAME: selector1._domainkey.Domain POINTS TO selector1-DomainGUID._domainkey.InitialDomain
    CNAME: selector2._domainkey.Domain POINTS TO selector2-DomainGUID._domainkey.InitialDomain
    For example: the first correctly formatted CNAME for would be:

  2. We can test that we're pointing to the correct address by checking DNS for the "points to" address, which should resolve a TXT record that returns something like "v=DKIM1; k=rsa; p=BIG STRING OF LETTERS; n = 1024,1461444703,1"

  3. Once the CNAME record is published, we can test that the CNAME is created correctly by checking DNS for the CNAME records, which should then point to the correct TXT record.

Enabling DKIM signing:

DKIM Signing is automatically configured in your Office 365 tenant but not enabled.  This can be enabled in the Exchange Online Console under Protection > DKIM.  Once the CNAME records are published and propagated, signing should be enabled for the domain.
Microsoft offers the following knowledge base article about DKIM signing: