Learn more about how to use DKIM with your custom domain in Office 365

 

Manually setting up DomainKeys Identified Mail (DKIM) in Office 365 is a two-step process:

  1. Publish two CNAME records for your domain in DNS.

  2. Enable DKIM signing for your domain by choosing Enable on this page in Office 365 or by using Windows PowerShell.

Do not enable DKIM signing on this page until you have completed the rest of the manual setup for DKIM. For instructions on manually setting up DKIM in Office 365, see Use DKIM to validate outbound email sent from your custom domain in Office 365.
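The check below is an added example, not part of the original Microsoft page: it confirms that both CNAME records resolve to the targets Office 365 expects before it turns on signing through Windows PowerShell. It assumes an Exchange Online PowerShell session is already connected, uses `contoso.com` as a placeholder domain, and uses the `selector1._domainkey` and `selector2._domainkey` host names from Microsoft's manual DKIM instructions, which are not stated on this page.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session.
# 'contoso.com' is a placeholder for your custom domain.
$Domain = 'contoso.com'

function Test-DkimCname {
    param(
        [Parameter(Mandatory)] [string] $Name,      # CNAME record to look up
        [Parameter(Mandatory)] [string] $Expected   # target Office 365 expects
    )
    try {
        # -DnsOnly avoids LLMNR/NetBIOS fallbacks; keep only CNAME answers.
        $answer = Resolve-DnsName -Name $Name -Type CNAME -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    } catch {
        Write-Warning "$Name did not resolve: $($_.Exception.Message)"
        return $false
    }
    if (-not $answer) {
        Write-Warning "$Name has no CNAME record"
        return $false
    }
    # -ne is case-insensitive for strings; ignore a trailing dot on either side.
    $actual = $answer.NameHost.TrimEnd('.')
    if ($actual -ne $Expected.TrimEnd('.')) {
        Write-Warning "$Name points to $actual, expected $Expected"
        return $false
    }
    return $true
}

# Stops here if the domain has no DKIM signing configuration yet.
$config = Get-DkimSigningConfig -Identity $Domain -ErrorAction Stop

$checks = @(
    (Test-DkimCname -Name "selector1._domainkey.$Domain" -Expected $config.Selector1CNAME),
    (Test-DkimCname -Name "selector2._domainkey.$Domain" -Expected $config.Selector2CNAME)
)

if ($checks -contains $false) {
    Write-Warning "DKIM signing left unchanged for $Domain; fix the CNAME records first."
} elseif ($config.Enabled) {
    Write-Output "DKIM signing is already enabled for $Domain."
} else {
    Set-DkimSigningConfig -Identity $Domain -Enabled $true
    Write-Output "DKIM signing enabled for $Domain."
}
```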

You can also configure Office 365 to rotate between two keys for this domain by choosing Rotate.

To turn off DKIM signing for your domain, choose Disable.

How do I return to this page after I finish publishing the CNAME records?

You can return to the DKIM page in either of two ways: by using the Exchange admin center or by using the Security & Compliance Center.

To get to the DKIM page in the Exchange admin center

  1. Sign in to Office 365 with your work or school account.

  2. Select the app launcher icon in the upper-left and choose Admin.

    Tip

    The Admin tile appears only to Office 365 administrators.

  3. In the lower-left navigation, expand Admin and choose Exchange.

  4. In the Exchange admin center, go to Protection > dkim.

To get to the DKIM page in the Security & Compliance Center

  1. Sign in to Office 365 with your work or school account.

  2. Select the app launcher icon in the upper-left and choose Admin.

    Tip

    The Admin tile appears only to Office 365 administrators.

  3. In the lower-left navigation, expand Admin and choose Security & Compliance.

  4. In the Security & Compliance Center, go to Security policies > Dkim.

What happens when you enable DKIM signing for Office 365

When you enable DKIM signing for a domain, you authorize that domain to associate, or sign, its name to an email message by using cryptographic authentication. Receiving email systems use this digital signature to help determine whether incoming email is legitimate.

When should you set up DKIM for Office 365?

If you do not set up DKIM, Office 365 sets it up for you and configures the Office 365 default policy for your domain. The default policy is sufficient for most Office 365 customers. You only need to manually set up DKIM if:

  • You have more than one domain in Office 365

  • You're going to set up DMARC too (recommended)

  • You want control over your private key

  • You want to customize your CNAME records

  • You want to set up DKIM keys for email originating out of a third-party domain, for example, if you use a third-party bulk mailer.

Other things you can do to prevent email spoofing in Office 365

DKIM works with SPF and DMARC to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. While you can use SPF alone or SPF and DMARC without DKIM, implementing DKIM provides additional protection against spoofing and phishing email. For a quick introduction to SPF and to get it configured quickly, see Set up SPF in Office 365 to help prevent spoofing. For a more in-depth understanding of how Office 365 uses SPF, or for troubleshooting or non-standard deployments such as hybrid deployments, start with How Office 365 uses Sender Policy Framework (SPF) to prevent spoofing. Next, see Use DMARC to validate email in Office 365.