Microsoft Defender for Office 365 – Configure DKIM email authentication for Microsoft 365 Custom domains

DomainKeys Identified Mail (DKIM) allows email senders to sign their outgoing emails digitally using cryptographic signatures. These signatures are stored as DKIM records in the domain’s DNS settings. Recipients’ mail servers can then use these signatures to verify that the email content has not been tampered with and originated from an authorized sender.

Configure and verify DKIM settings

1.Login to the Microsoft 365 portal and select Admin.

2.On the Microsoft 365 admin center, expand Settings and select Domains.

3.Click the custom domain on the Domains page.

4.Select DNS records on the custom domain page.

5. Two CNAME records must be added to external DNS records as the DNS records page.

Hostname: selector1._domainkey

Points to address or value: selector1-<CustomDomain>._domainkey.<InitialDomain>

Hostname: selector2._domainkey

Points to address or value: selector2-<CustomDomain>._domainkey.<InitialDomain>

6.Ensure Both of them Status are OK

6.Open Https://security.microsoft.com

7.Expand Email & collaboration on the Microsoft Defender page and select Policies & rules.

8.Select Threat policies on the Policies & rules.

9.Select Email authentication settings on the Threat policies.

10.Select DKIM on the Email authentication settings.

11.Click the custom domain on the DomainKeys Identified Mail (DKIM) and click Create DKIM keys.

12.If you didn’t create those two CNAMEs, Copy Publish CNAMEs and create them at the external DNS records.

13.Enable the Sign messages for this domain with DKIM signatures. It may take several minutes to synchronize the status change. Click OK and click Close.

Verify DKIM

1.Open https://mxtoolbox.com/.

2.On the MX Lookup page, select type your domain name and click MX Lookup.

You may the DMARC error, it’s because we still not configured DMARC yet.

3.Select DKIM Lookup from the MX lookup drop-down list.

4.Type selector1-<CustomDomain>._domainkey.<InitialDomain> (e.g. selector1-gooddealmart-ca._domainkey.angussun.onmicrosoft.com). Click DKIM Lookup and ensure all DKIM tests are pass.

5.Type selector2-<CustomDomain>._domainkey.<InitialDomain> (e.g. selector2-gooddealmart-ca._domainkey.angussun.onmicrosoft.com). Click DKIM Lookup and you noticed the selector-2 test failed.

6.Go back to DKIM settings of https://security.microsoft.com, click the Rotate DKIM keys.

7.Go back to https://mxtoolbox.com/. Test the DKIM Lookup for selector2 again and ensure all tests are pass.

I hope you enjoy this post.

Cary Sun

X: @SifuSun

Web Site: carysun.com

Blog Site: checkyourlogs.net

Blog Site: gooddealmart.com

Amazon Author: Amazon.com/author/carysun

About Post Author

Cary Sun

Cary Sun has a wealth of knowledge and expertise in data center and deployment solutions. As a Principal Consultant, he likely works closely with clients to help them design, implement, and manage their data center infrastructure and deployment strategies.
With his background in data center solutions, Cary Sun may have experience in server and storage virtualization, network design and optimization, backup and disaster recovery planning, and security and compliance management. He holds CISCO CERTIFIED INTERNETWORK EXPERT (CCIE No.4531) from 1999. Cary is also a Microsoft Most Valuable Professional (MVP), Microsoft Azure MVP, Veeam Vanguard and Cisco Champion. He is a published author with several titles, including blogs on Checkyourlogs.net, and the author of many books.
Cary is a very active blogger at checkyourlogs.net and is permanently available online for questions from the community. His passion for technology is contagious, improving everyone around him at what they do.

Blog site: https://www.checkyourlogs.net
Web site: https://carysun.com
Blog site: https://gooddealmart.com
Twitter: @SifuSun
in: https://www.linkedin.com/in/sifusun/
Amazon Author: https://Amazon.com/author/carysun

See author's posts