(Without Breaking Your Email)

You don’t notice DKIM until it’s missing. Then replies vanish. Gmail gets twitchy. Microsoft shrugs. This is one of those setups that should be boring. But in the wild, it’s often half-done, misaligned, or quietly switched off.

Let’s fix that.

This guide walks through setting up DKIM in Microsoft 365, explains what’s actually happening under the hood, and flags the traps we see recruiters fall into all the time.

Before you start: what “good” looks like

At the end of this, you want:

  • DKIM enabled in Microsoft 365
  • Two DKIM CNAME records published in DNS
  • DKIM passing on a real inbox test
  • Alignment ready for DMARC (now or later)

If any of those are missing, deliverability stays fragile.


Step 1: Check whether DKIM is already enabled

Microsoft doesn’t enable DKIM automatically for every domain. You’ll need to be logged in with an admin account to fix it.

  1. Go to Microsoft Defender → Email & collaboration → Policies & rules → Threat policies → DKIM
    (or click here: https://security.microsoft.com/dkimv2)
  2. Look at the status of the domain

If it says Disabled, you’ve found part of the problem.

Reality check: We see agencies with SPF, DMARC, and “good infrastructure” but DKIM still switched off!


Step 2: Generate DKIM records in Microsoft 365

  1. Slide the toggle to “Enable”. You will see a popup window telling you to add two CNAME records
  2. At the bottom of that window, click COPY
  3. I find it best to then paste this text into Word or Notepad, so the exact record names and targets are to hand for the next step

Step 3: Publish the DKIM records in DNS

Where you do this depends on your DNS host (Cloudflare, GoDaddy, 123-reg, etc.).

You’ll add two CNAME records exactly as Microsoft provides them, copying and pasting from Word or Notepad.

What good looks like:

  • Record type: CNAME
  • Hostname: selector1._domainkey
  • Target: selector1-yourdomain-onmicrosoft-com
  • TTL: default setting is fine

Repeat for selector2.

Watch-outs:

  • ❌ Make sure they are CNAME records, not TXT records
  • ❌ Make sure you copy and paste rather than type. Typos ruin selector names
  • ❌ Make sure you publish to the right DNS zone (a common slip with subdomains)
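As an added check (this script is mine, not Microsoft’s and not part of the original post), here is a small POSIX shell script that verifies the two CNAME records against the shape Microsoft documents for the target, selector1-<your-domain-with-dashes>._domainkey.<tenant>.onmicrosoft.com, and catches the three watch-outs above. The domain, tenant and function names are assumptions; the live dig lookup only runs when you pass your domain and tenant on the command line, so the checks themselves work offline.

```shell
#!/bin/sh
# Added example: sanity-check the two DKIM CNAME records before enabling DKIM.
# Assumptions (names are mine, not Microsoft's):
#   DOMAIN = the domain you send from, e.g. example.co.uk
#   TENANT = your tenant's initial domain, e.g. example.onmicrosoft.com
# Target shape used here is the documented Microsoft 365 one:
#   selector1-<domain with dots replaced by dashes>._domainkey.<tenant>

# Turn "example.co.uk" into "example-co-uk", the form Microsoft uses in targets.
domain_guid() {
    printf '%s' "$1" | tr '.' '-'
}

# Build the CNAME target Microsoft expects for a selector, domain and tenant.
expected_target() {
    printf '%s-%s._domainkey.%s' "$1" "$(domain_guid "$2")" "$3"
}

# Validate one published record.
# Arguments: selector, domain, tenant, record type as published, target as published.
# Prints a reason and returns non-zero on the three watch-outs above.
check_record() {
    sel=$1; domain=$2; tenant=$3; rtype=$4; target=$5
    want=$(expected_target "$sel" "$domain" "$tenant")
    # Some DNS hosts display CNAME targets with a trailing dot; ignore it.
    target=${target%.}
    case "$sel" in
        selector1|selector2) ;;
        *) echo "FAIL: selector name '$sel' is not selector1/selector2 (typo?)"; return 1 ;;
    esac
    if [ "$rtype" != "CNAME" ]; then
        echo "FAIL: $sel._domainkey.$domain must be a CNAME, not $rtype"; return 1
    fi
    if [ "$target" != "$want" ]; then
        echo "FAIL: $sel target is '$target', expected '$want' (wrong zone or typo?)"; return 1
    fi
    echo "OK: $sel._domainkey.$domain -> $target"
}

# Live check with dig (needs network and a published zone). Not run automatically.
live_check() {
    domain=$1; tenant=$2
    for sel in selector1 selector2; do
        got=$(dig +short CNAME "$sel._domainkey.$domain" | head -n 1)
        if [ -z "$got" ]; then
            echo "FAIL: no CNAME published for $sel._domainkey.$domain"; return 1
        fi
        check_record "$sel" "$domain" "$tenant" CNAME "$got" || return 1
    done
}

# Usage: sh dkim_check.sh example.co.uk example.onmicrosoft.com
if [ $# -eq 2 ]; then
    live_check "$1" "$2"
fi
```

Run it with your own domain and tenant once the records have propagated; a FAIL line tells you which of the three watch-outs you have hit before you waste ten-minute retries on the Microsoft toggle.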

Step 4: Enable DKIM (yes, this is a separate step)

Once DNS is live:

  1. Go back to the DKIM page in Microsoft 365
  2. Refresh the domain
  3. Toggle Enable
  4. If it doesn’t work right away or gives you an error, give it 10 minutes and try again. Rinse and repeat until it’s successful!

Step 5: Test with a real inbox

Option 1: Send a real email to something like your Gmail or Hotmail account. Check the message headers. You’re looking for:

dkim=pass

Option 2: Go to mail-tester.com and follow the instructions. The results will tell you if DKIM is on or off.


Common DKIM traps we see in recruitment

1. “Microsoft handles this for us.”
Only if you enable it. And only per domain.

2. Subdomains forgotten
jobs.yourdomain.co.uk needs its own DKIM setup.

3. DKIM passes, DMARC still fails
Because alignment matters. The From domain must match the DKIM signing domain.

4. Assuming DKIM fixes bad behaviour
It doesn’t. It just proves the message is really yours.
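Here is an added example (mine, not the post’s) that covers Step 5 and trap 3 together: a POSIX shell script that takes a pasted header block, reads the dkim= result from the Authentication-Results header, pulls the d= signing domain and the From domain, and says whether they are aligned. The two header blocks are constructed samples, and the hostnames, addresses and function names are assumptions.

```shell
#!/bin/sh
# Added example: answer "did DKIM pass?" and "is it aligned with From?" from the
# headers of a test message. Both header blocks below are constructed samples.

# Constructed sample: a correctly signed message as a receiver might record it.
SAMPLE_PASS='From: Sam Recruiter <sam@example.co.uk>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.co.uk; s=selector1; h=from:to:subject; bh=AAAA; b=BBBB
Authentication-Results: mx.example.net; dkim=pass header.d=example.co.uk header.s=selector1; spf=pass smtp.mailfrom=example.co.uk'

# Constructed sample for trap 3: DKIM passes, but the signature belongs to a
# different domain than the one in From, so DMARC alignment fails.
SAMPLE_MISALIGNED='From: Sam Recruiter <sam@example.co.uk>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.onmicrosoft.com; s=selector1; h=from:to:subject; bh=AAAA; b=BBBB
Authentication-Results: mx.example.net; dkim=pass header.d=example.onmicrosoft.com header.s=selector1'

# Value of the first header with the given name (case-insensitive), or empty.
header_value() {
    printf '%s\n' "$2" | grep -i "^$1:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# The dkim= result the receiver recorded: pass, fail, none, or empty if absent.
dkim_result() {
    header_value Authentication-Results "$1" | sed -n 's/.*dkim=\([a-z]*\).*/\1/p'
}

# Domain that signed the message: the d= tag of DKIM-Signature, lower-cased.
dkim_signing_domain() {
    header_value DKIM-Signature "$1" | sed -n 's/.*[; ]d=\([^;[:space:]]*\).*/\1/p' | tr 'A-Z' 'a-z'
}

# Domain after the @ in the From header, lower-cased.
from_domain() {
    header_value From "$1" | sed -n 's/.*@\([A-Za-z0-9.-]*\).*/\1/p' | tr 'A-Z' 'a-z'
}

# Strict alignment as the post describes it: From domain equals signing domain.
# (DMARC's relaxed mode would also accept a subdomain of the signing domain.)
dkim_aligned() {
    [ -n "$(from_domain "$1")" ] && [ "$(from_domain "$1")" = "$(dkim_signing_domain "$1")" ]
}

# One-line verdict for a pasted header block. Exit 1 = no pass, 2 = not aligned.
dkim_verdict() {
    res=$(dkim_result "$1")
    if [ "$res" != "pass" ]; then
        echo "DKIM ${res:-missing}: go back to Steps 1-4"; return 1
    fi
    if dkim_aligned "$1"; then
        echo "DKIM pass and aligned: d=$(dkim_signing_domain "$1") matches From $(from_domain "$1")"
    else
        echo "DKIM pass but NOT aligned: signed by $(dkim_signing_domain "$1"), From is $(from_domain "$1")"; return 2
    fi
}

dkim_verdict "$SAMPLE_PASS"
dkim_verdict "$SAMPLE_MISALIGNED" || true
```

To use it on a real test, paste the headers from your Gmail or Hotmail message into a file and call dkim_verdict "$(cat headers.txt)"; the misaligned case is the one that shows dkim=pass in the header yet still fails DMARC.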


How DKIM fits with SPF and DMARC (plain English)

  • SPF: “Is this server allowed to send?”
  • DKIM: “Was this message altered?”
  • DMARC: “What should we do if either fails?”

DKIM gives DMARC something solid to trust. Without it, DMARC enforcement is risky.


Quick FAQ

Does Microsoft 365 rotate DKIM keys?
Yes. That’s why there are two selectors.

Do I need DKIM if I only send internal mail?
If anything goes external (candidates, clients, CVs), yes.

Will enabling DKIM break delivery?
No, unless DNS is misconfigured. Test before big sends.

Is DKIM enough on its own?
No. It’s table stakes. Beyond SPF, DKIM and DMARC, behaviour still matters.


Next sensible step

If you want a quick sanity check:

  • Are all sending domains signed?
  • Is alignment clean?
  • Is DMARC ready to enforce?

That’s a 20–30 minute review. No drama. Book me here.