
Implementing DKIM and DMARC

Slipstick Systems


Last reviewed on March 22, 2025

Applies to: Exchange Server, Office 365 Exchange

A user needed help configuring DKIM and DMARC settings in his Office 365 tenant:

I have made the switch to EXCHANGE... But, I cannot find any place in the Office 365 documentation to set up DKIM / DMARC?

The good news: if your Office 365 tenant has only one custom domain that sends mail, you don’t have to do anything, provided you added the DNS records for your domain, including the SPF record. (All domains that send mail, including those hosted elsewhere, should have an SPF record.)

Office 365 creates a private and public key pair, enables DKIM signing, and configures the Office 365 policy for your custom domain internally. It uses this default configuration if you don’t have a DKIM record in DNS.

However, you should set up DKIM records if you have more than one domain hosted in your tenant that sends mail, if you are also going to use DMARC, or if you send mail through other hosts, such as a bulk mail service.

DKIM

To set up DKIM, you need to publish two CNAME records for each domain in your tenant.
The format is simple:

CNAME: selector1._domainkey.yourdomain.com
Points to: selector1-yourdomain-com._domainkey.tenantname.onmicrosoft.com

Create a second CNAME for selector2, using the same format as above.

CNAME: selector2._domainkey.yourdomain.com
Points to: selector2-yourdomain-com._domainkey.tenantname.onmicrosoft.com

Repeat for each domain in your tenant that sends mail. For example, I have slipstick.com and cdolive.com in my tenant and needed to create two CNAME records for each domain name.

After you create the DNS records, you need to enable DKIM in the Exchange admin center or with PowerShell:

New-DkimSigningConfig -DomainName yourdomain.com -Enabled $true

Tip: if the CNAME record isn’t correct or isn’t published, when you run the cmdlet, the failure message will include the correct record to add.

If you prefer to use the Microsoft 365 admin interface, enable DKIM here: https://security.microsoft.com/dkimv2

Alternatively, log into the Exchange admin center and open the DKIM setting under Protection. Select the domain and click Enable on the right. As with the PowerShell method, if the correct CNAME records are not published, an alert will give you the correct names to use.

To verify it is correct, send an email to an Outlook.com or Gmail address and check the header. (Gmail’s Show original command will display the results for SPF, DKIM, and DMARC in a simplified format at the top of the page.)

The header entry will look similar to the following samples. The first example is using the default Office 365 DKIM record:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=Cdolive.onmicrosoft.com; s=selector1-slipstick-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
bh={hash code}; b={signed field}

Once the custom DKIM record is created, DKIM in the header looks like this:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=slipstick.com;
s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
bh={hash code}; b={signed field}
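Why the custom record matters once DMARC is in use: DMARC only counts a DKIM pass when the signing domain (d=) aligns with the From: domain. The following is an added example, not code from the original article; the two header values are constructed, modelled on the samples above with placeholder bh/b values, and org_domain() is a simplifying assumption that stands in for a Public Suffix List lookup.

```python
import re

# Constructed samples modelled on the two headers above (bh/b are placeholders).
DEFAULT_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=Cdolive.onmicrosoft.com; "
               "s=selector1-slipstick-com; h=From:Date:Subject; bh=AAAA; b=BBBB")
CUSTOM_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=slipstick.com; "
              "s=selector1; h=From:Date:Subject; bh=AAAA; b=BBBB")


def parse_tags(value):
    """Split a DKIM-Signature value into {tag: value}, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def org_domain(domain):
    """Assumption: organizational domain = last two labels.
    Production code needs the Public Suffix List (e.g. for .co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dkim_aligned(sig_value, from_domain, strict=False):
    """True when the d= domain aligns with the From: domain for DMARC."""
    d = parse_tags(sig_value).get("d", "").lower()
    if not d:
        return False
    if strict:
        return d == from_domain.lower()
    return org_domain(d) == org_domain(from_domain)


def key_record_name(sig_value):
    """DNS name a receiver queries for the public key: <s>._domainkey.<d>."""
    tags = parse_tags(sig_value)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


if __name__ == "__main__":
    for label, sig in (("default", DEFAULT_SIG), ("custom", CUSTOM_SIG)):
        print(label, key_record_name(sig), dkim_aligned(sig, "slipstick.com"))
```

The default signature still verifies as DKIM, but its d= domain is the onmicrosoft.com tenant name, so it cannot satisfy DMARC alignment for mail with a slipstick.com From: address.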

DMARC

To use DMARC, you need to set up SPF and DKIM for your domain (and verify both are correct) before adding the DMARC TXT record to DNS.

Your choices for the policy are none, quarantine, or reject. It’s recommended that you start with “none” so you can gauge the impact, especially if you are using third-party mailers to send mail from this domain, before moving to quarantine or reject.

TXT: _dmarc.yourdomain.com
Value: "v=DMARC1; p=quarantine"
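A check you can run on the TXT value before publishing it, as an added example that is not part of the original article: it applies the RFC 7489 rules that v=DMARC1 must be the first tag, that p must be one of the three policies listed above, and that a domain must have exactly one DMARC record. The function names are hypothetical and the records passed in are strings you supply, so nothing is looked up in DNS.

```python
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Return (tags, problems) for one DMARC TXT value."""
    text = txt.strip().strip('"')
    pairs = [p.split("=", 1) for p in text.split(";") if "=" in p]
    pairs = [(k.strip().lower(), v.strip()) for k, v in pairs]
    tags, problems = dict(pairs), []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append("p must be none, quarantine or reject")
    return tags, problems


def check_domain(txt_records):
    """Evaluate every TXT string found at _dmarc.<domain>.
    Returns (policy, notes); policy is None when no usable record exists."""
    dmarc = [r for r in txt_records
             if r.strip().strip('"').lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return None, [f"expected exactly one DMARC record, found {len(dmarc)}"]
    tags, problems = parse_dmarc(dmarc[0])
    if problems:
        return None, problems
    policy = tags["p"].lower()
    notes = []
    if policy == "none":
        notes.append("monitoring only: receivers are asked to take no action on failures")
    return policy, notes


if __name__ == "__main__":
    # Constructed inputs: the record from the article, then a duplicate-record mistake.
    print(check_domain(['"v=DMARC1; p=quarantine"']))
    print(check_domain(["v=DMARC1; p=none", "v=DMARC1; p=reject"]))
```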

To check the results, send a test message to an Outlook.com or Gmail address and check the header. Gmail’s Show original option displays the following information:

Message ID <{code}.namprd05.prod.outlook.com>
Created at: {date} (Delivered after 4 seconds)
From: Diane Poremsky <{me}@mydomain.com>
To: "{me}@gmail.com" <{me}@gmail.com>
Subject: testing
SPF: PASS with IP {address}
DKIM: 'PASS' with domain mydomain.com
DMARC: 'PASS'

More Information

Use DKIM to validate outbound email sent from your custom domain in Office 365
Use DMARC to validate email in Office 365

Implementing DKIM and DMARC was last modified: March 22nd, 2025 by Diane Poremsky


About Diane Poremsky

A Microsoft Outlook Most Valuable Professional (MVP) since 1999, Diane is the author of several books, including Outlook 2013 Absolute Beginners Book. She also created video training CDs and online training classes for Microsoft Outlook. You can find her helping people online in Outlook Forums as well as in the Microsoft Answers and TechNet forums.
