What is DKIM and why is it important? Steps to set up DKIM on OFFICE 365

What is DKIM and why is it important? Steps to set up DKIM on OFFICE 365

DomainKeys Identified Mail (DKIM) is an anti-tamper protocol that ensures your mail remains secure in transit. DKIM uses digital signatures to check whether the

DomainKeys Identified Mail (DKIM) is an anti-tamper protocol that ensures your mail remains secure in transit. DKIM uses digital signatures to check whether the email was sent by the domain it claims to be from.

DKIM uses two actions to validate your messages. The first action takes place on a server sending DKIM signed emails, while the second takes place on a recipient server that checks the DKIM signatures on incoming messages. The entire process is made possible by a private and public key. The private key is kept secret and safe, either on the user’s own server or with their ESP. The public key, however, is added to the DNS records of the user’s domain to help verify email messages.

Once the receiver verifies that an email is signed with a valid DKIM signature, it is clear that the integrity of the email is preserved. Usually, end users cannot see DKIM signatures; the validation is done at the server level.

Emails signed with DKIM appear legitimate, and the recipients are assured that the email is not a spam or phishing attack. DKIM works together with DMARC and SPF to ensure email security. Listed below are some of the advantages DKIM has for brands and organisations.

Spam filtering

DKIM can help identify emails that aren't known to be spam and don't need to be filtered. Take for example a receiving system that maintains a whitelist of secure sending domains that can be kept locally or obtained from third-party certifiers. In this case, DKIM can skip the filtering of signed emails from those whitelisted domains and filter the remaining emails more aggressively.


DKIM is compatible with existing email infrastructure because it is implemented using DNS records and an extra RFC 5322 header field. It is especially apparent to existing email systems that do not support DKIM.


DKIM can be used to safeguard against phishing attacks. Mailers in phished domains can sign their messages to prove that they are authentic. Recipients can interpret the absence of a valid signature on emails from those domains as a clue that the mail is most likely forged.


The non-repudiation feature of DKIM prevents senders from denying that an email was sent by them. This feature becomes crucial for news and media organizations as they sometimes have to confirm that leaked emails are authentic and untampered with.

So, how can you set up DKIM on OFFICE 365 for your custom domain?

1. Sign in to your Admin account and select Admin on the Office365 Admin window.

2. In the Admin Center, choose ‘Exchange’.

3. Go to ‘protection > dkim’.

Pick the Domain for which you want to set up DKIM for and click on ‘Enable’.

In Office365, you will need to create two CNAME records to navigate your initial domain. If you haven't created CNAME records, you will have to create them by following the instructions below:

Open your DNS management console and add the domain you want to create the CNAME records for.

Create a CNAME record using the syntax shown below and click on ‘Save’ or ‘Publish’.

Wait for 24-48 hours for the changes to take effect.

Publishing the CNAME records for your custom domain

Let’s take the example of ‘emailauth.onmicrosoft.com’ as our initial domain, also known as the tenant domain. We actually own emailauth.com and after we provide it to Office 365, we need to publish the CNAME records so that ‘emailauth.io’ points to ‘emailauth.onmicrosoft.com’ using the format as shown.


Host: selector1._domainkey

Value: selector1-emailauth-io._domainkey.emailauth.onmicrosoft.com


Host: selector2._domainkey

Value: selector2-emailauth-io._domainkey.emailauth.onmicrosoft.com

Considering the rules, the domain GUID does not use a full stop ‘.’ but a hyphen ‘-’ instead. This is taken from the MX record of your custom domain, in this case, ‘emailauth.com’.

Enable DKIM signing for your custom domain

Open the Microsoft 365 Defender portal using your work or school account.

Go to Email & Collaboration > Policies & Rules > Threat policies page > Rules section > DKIM.

On the DKIM page, choose the domain by clicking on the name.

Change the Sign messages for this domain and change the DKIM signatures setting to ‘Enabled’.

Click on ‘Rotate DKIM keys’, and you’re done.

You can set up DKIM similarly for other hosting services as well.

Original source: https://www.reddit.com/user/emailauth-io/comments/qk8qj7/what_is_dkim_and_why_is_it_important_steps_to_set/