April 15, 2024
030324 0518 MicrosoftDe16 - Microsoft Defender for Office 365 - Configure DKIM email authentication for Microsoft 365 Custom domains
DomainKeys Identified Mail (DKIM) allows email senders to sign their outgoing emails digitally using cryptographic signatures. These signatures are stored as DKIM records in the domain's DNS settings. Recipients' mail servers can then use these signatures to verify that the email content has not been tampered with and originated from an authorized sender.

DomainKeys Identified Mail (DKIM) allows email senders to sign their outgoing emails digitally using cryptographic signatures. These signatures are stored as DKIM records in the domain’s DNS settings. Recipients’ mail servers can then use these signatures to verify that the email content has not been tampered with and originated from an authorized sender.

Configure and verify DKIM settings

1.Login to the Microsoft 365 portal and select Admin.

2.On the Microsoft 365 admin center, expand Settings and select Domains.

3.Click the custom domain on the Domains page.

030324 0518 MicrosoftDe1 - Microsoft Defender for Office 365 - Configure DKIM email authentication for Microsoft 365 Custom domains

4.Select DNS records on the custom domain page.

030324 0518 MicrosoftDe2 - Microsoft Defender for Office 365 - Configure DKIM email authentication for Microsoft 365 Custom domains

5. Two CNAME records must be added to external DNS records as the DNS records page.

Hostname: selector1._domainkey

Points to address or value: selector1-<CustomDomain>._domainkey.<InitialDomain>

Hostname: selector2._domainkey

Points to address or value: selector2-<CustomDomain>._domainkey.<InitialDomain>

6.Ensure Both of them Status are OK

030324 0518 MicrosoftDe3 - Microsoft Defender for Office 365 - Configure DKIM email authentication for Microsoft 365 Custom domains

6.Open Https://security.microsoft.com

7.Expand Email & collaboration on the Microsoft Defender page and select Policies & rules.

030324 0518 MicrosoftDe4 - Microsoft Defender for Office 365 - Configure DKIM email authentication for Microsoft 365 Custom domains

8.Select Threat policies on the Policies & rules.

030324 0518 MicrosoftDe5 - Microsoft Defender for Office 365 - Configure DKIM email authentication for Microsoft 365 Custom domains

9.Select Email authentication settings on the Threat policies.

030324 0518 MicrosoftDe6 - Microsoft Defender for Office 365 - Configure DKIM email authentication for Microsoft 365 Custom domains

10.Select DKIM on the Email authentication settings.

030324 0518 MicrosoftDe7 - Microsoft Defender for Office 365 - Configure DKIM email authentication for Microsoft 365 Custom domains

11.Click the custom domain on the DomainKeys Identified Mail (DKIM) and click Create DKIM keys.

030324 0518 MicrosoftDe8 - Microsoft Defender for Office 365 - Configure DKIM email authentication for Microsoft 365 Custom domains

12.If you didn’t create those two CNAMEs, Copy Publish CNAMEs and create them at the external DNS records.

030324 0518 MicrosoftDe9 - Microsoft Defender for Office 365 - Configure DKIM email authentication for Microsoft 365 Custom domains

13.Enable the Sign messages for this domain with DKIM signatures. It may take several minutes to synchronize the status change. Click OK and click Close.

030324 0518 MicrosoftDe10 - Microsoft Defender for Office 365 - Configure DKIM email authentication for Microsoft 365 Custom domains

Verify DKIM

1.Open https://mxtoolbox.com/.

2.On the MX Lookup page, select type your domain name and click MX Lookup.

030324 0518 MicrosoftDe11 - Microsoft Defender for Office 365 - Configure DKIM email authentication for Microsoft 365 Custom domains

You may the DMARC error, it’s because we still not configured DMARC yet.

3.Select DKIM Lookup from the MX lookup drop-down list.

030324 0518 MicrosoftDe12 - Microsoft Defender for Office 365 - Configure DKIM email authentication for Microsoft 365 Custom domains

4.Type selector1-<CustomDomain>._domainkey.<InitialDomain> (e.g. selector1-gooddealmart-ca._domainkey.angussun.onmicrosoft.com). Click DKIM Lookup and ensure all DKIM tests are pass.

030324 0518 MicrosoftDe13 - Microsoft Defender for Office 365 - Configure DKIM email authentication for Microsoft 365 Custom domains

5.Type selector2-<CustomDomain>._domainkey.<InitialDomain> (e.g. selector2-gooddealmart-ca._domainkey.angussun.onmicrosoft.com). Click DKIM Lookup and you noticed the selector-2 test failed.

030324 0518 MicrosoftDe14 - Microsoft Defender for Office 365 - Configure DKIM email authentication for Microsoft 365 Custom domains

6.Go back to DKIM settings of https://security.microsoft.com, click the Rotate DKIM keys.

030324 0518 MicrosoftDe15 - Microsoft Defender for Office 365 - Configure DKIM email authentication for Microsoft 365 Custom domains

7.Go back to https://mxtoolbox.com/. Test the DKIM Lookup for selector2 again and ensure all tests are pass.

030324 0518 MicrosoftDe16 - Microsoft Defender for Office 365 - Configure DKIM email authentication for Microsoft 365 Custom domains

I hope you enjoy this post.

Cary Sun

X: @SifuSun

Web Site: carysun.com

Blog Site: checkyourlogs.net

Blog Site: gooddealmart.com

Amazon Author: Amazon.com/author/carysun

ca16fbd3199de5f66b829b87082fb970?s=80&d=retro&r=g - Microsoft Defender for Office 365 - Configure DKIM email authentication for Microsoft 365 Custom domains

Author: Cary Sun

Cary Sun has a wealth of knowledge and expertise in data center and deployment solutions. As a Principal Consultant, he likely works closely with clients to help them design, implement, and manage their data center infrastructure and deployment strategies.
With his background in data center solutions, Cary Sun may have experience in server and storage virtualization, network design and optimization, backup and disaster recovery planning, and security and compliance management. He holds CISCO CERTIFIED INTERNETWORK EXPERT (CCIE No.4531) from 1999. Cary is also a Microsoft Most Valuable Professional (MVP), Microsoft Azure MVP, Veeam Vanguard and Cisco Champion. He is a published author with several titles, including blogs on Checkyourlogs.net, and the author of many books.
Cary is a very active blogger at checkyourlogs.net and is permanently available online for questions from the community. His passion for technology is contagious, improving everyone around him at what they do.

Blog site: https://www.checkyourlogs.net
Web site: https://carysun.com
Blog site: https://gooddealmart.com
Twitter: @SifuSun
in: https://www.linkedin.com/in/sifusun/
Amazon Author: https://Amazon.com/author/carysun