Office 365Tips

DKIM Signing on 365

To get started the first thing I needed to do was create two CNAMEs in the DNS zone for shaun.net. This provides two DKIM key selectors – which allows for automatic key rotations.

The records that I needed to create were:

The “shaun-net” is the domain GUID and can be retrieved from the MX record for your domain. Mine for example looks like:

I use AWS Route53 to host my DNS, so adding the records was as follows:


The second step was to enable DKIM signing on my domain. This isn’t yet available in the Office365 console but can be done using Powershell with Exchange Online.

The command I executed was:

The output was as follows:

Once this was done I went to the Exchange Admin Center under Protection → DKIM. Here you can see that it has been enabled successfully.


With this in place I sent a message to my Gmail account and checked the headers for successful DKIM validation. Here it is!

DKIM Outbound is still showing as rolling out on the Office 365 Roadmap so if this doesn’t work for you, your account may not have been activated to use this feature yet. Nonetheless it’s a very welcome feature and I’m pleased to see it was relatively easy to setup.