How to Setup DKIM in Office 365 in Quick 5 Steps

You added your domain to Office 365.
‍
Everything looked good… until DKIM showed up.

No clear button.
‍
Just DNS records and vague instructions.
‍
Now you’re stuck, wondering: “Am I doing this right?”

This guide fixes that.

I’ll walk you through how to set up DKIM in Office 365 — in 5 simple steps.
‍
No jargon. No guesswork. No IT degree needed.

Here’s what you’ll get:

• What DKIM actually does (and why you need it)
  
  
• What to prep before setup
  
  
• Step-by-step instructions using the Microsoft 365 Defender portal
  
  
• How to add the right CNAMEs to your domain
  
  
• And how to test if it’s working (the right way)
  
  

Let’s make sure your emails hit inboxes, not spam.
‍
Ready? Let’s go.

‍

TL;DR – Quick Summary

DKIM adds a digital signature to your emails to prove they came from your domain.

It’s not enabled by default in Office 365 — you need to set it up manually.

To set up DKIM in Office 365, follow 5 steps:

1. Sign in to Microsoft 365 Defender
   
   
2. Go to DKIM settings
   
   
3. Add two CNAME records to your DNS
   
   
4. Click “Enable.”
   
   
5. Test using free tools
   
   

Use tools like Salesforge DKIM Checker, MXToolbox, or Google CheckMX to confirm it’s working.

To skip manual setup, Primeforge can do it for you.

‍

What Is DKIM in Office 365 and Why Does It Matter

Here’s the easiest way to understand it:

DKIM is like a digital signature for your emails.
‍
It helps inboxes (like Gmail or Outlook) confirm that the email really came from you, and that it wasn’t changed or faked along the way.

When you use Office 365 to send emails, this signature isn’t turned on by default.
‍
You have to set it up manually.

Once you set up DKIM in Office 365, Microsoft adds this signature to every email you send from your domain automatically.

Why does it matter?

Because without DKIM:

• Your emails might look suspicious
  
  
• Inbox providers may not trust them
  
  
• And it’s easier for someone to fake emails using your domain
  
  

When you enable DKIM:

• Your domain looks more trustworthy
  
  
• Your emails are more likely to land in inboxes
  
  
• You’re better protected against spoofing and phishing attacks
  
  

It also works together with other email security settings like SPF and DMARC — all of which help you send safe, authenticated emails.

Bottom line?
‍
Setting up DKIM in Office 365 makes your email more secure, more reliable, and more professional.

And the best part — it only takes a few steps to turn it on.

Let’s get started.

‍

Step-by-Step Guide to Set Up DKIM in Office 365

Here’s how to set up DKIM in Office 365 in 5 quick and simple steps. You don’t need to be technical.

‍

Let’s dive into detailed steps 

✅ Step 1: Sign in to the Microsoft 365 Defender Portal

To get started, go to the Microsoft 365 Defender portal:

🔗 https://security.microsoft.com

• Use your global admin account to log in.
  
  
• Once inside, navigate to this path:
  ‍
  Email & Collaboration → Policies & Rules → Threat Policies
  

This is where Office 365 keeps all its email security settings, including DKIM.

‍

✅ Step 2: Open DKIM Settings

Now let’s find the DKIM setup screen.

• From the left menu, look for Email Authentication Settings
  
  
• Click on DKIM
  
  
• You’ll now see a list of domains added to your Office 365 account.

Choose the domain you want to enable DKIM for. If you have more than one domain, you’ll need to set up DKIM for each separately.

‍

✅ Step 3: Add CNAME Records to Your Domain’s DNS

This is the key step.

Office 365 will show you two CNAME records. These records allow Microsoft to sign your emails on your behalf.

You need to copy those records and paste them into your domain’s DNS settings.

This usually means logging into your domain provider (like GoDaddy, Namecheap, Cloudflare, etc.).

Here’s what the format typically looks like:

📌 Tip: Be sure to copy everything exactly, no extra spaces or missing dots.

Once you’ve added the CNAME records, save the changes.
‍
DNS updates can take a few minutes, but sometimes up to 24 hours.

‍

✅ Step 4: Enable DKIM for Your Domain

After the DNS records are live, go back to the Microsoft 365 Defender portal.

• Go to the DKIM settings
  
  
• Select your domain again
  
  
• Click “Enable.”
  
  

Office 365 will now start digitally signing all outgoing emails from that domain using DKIM.

This step completes the DKIM setup in Office 365, and from now on, your emails will include a valid DKIM signature.

‍

✅ Step 5: Confirm and Test DKIM Setup

Once enabled, it’s a good idea to make sure everything’s working.

Use any of these free tools to check your DKIM:

• Salesforge free DKIM checker
  ‍
• MXToolbox DKIM Lookup
  ‍
• Google Admin Toolbox - CheckMX
  
  

Just send an email from your Office 365 domain, enter the domain name in the tool, and check the result.

You should see:

• ✅ DKIM record found
  
  
• ✅ Signature valid
  
  
• ✅ Status: pass
  
  

Once confirmed, you're done. DKIM is now active, and your domain is properly authenticated.

‍

How to Check if DKIM is Working in Office 365

‍

After you setup DKIM in Office 365, it’s a good idea to test if it’s actually working.

Here’s how you can confirm everything’s set up correctly.

‍

Step 1: Send a Test Email

• Use your Office 365 email address (the one connected to the domain where you enabled DKIM)
  
  
• Send a test email to a Gmail account you have access to
  
  

Step 2: Check the Email Header in Gmail

1. Open the test email in Gmail
   
   
2. Click the three dots (⋮) next to the reply button
   
   
3. Select “Show original.”
   
   

This opens the raw email header. Look for a line that says:

DKIM=pass

If you see this, it means your domain is now signing emails correctly with DKIM.

‍

Step 3: Use DKIM Checker Tools

If you don’t want to check email headers manually, you can use free online tools to test your DKIM setup.

Here are a few reliable options:

‍

1. Salesforge DKIM Checker (Best for beginners)

Salesforge DKIM checker is a free tool by Salesforge that checks whether your DKIM, SPF, and DMARC records are set up correctly — all in one place.

How to use it:

1. Go to the website
   
   
2. Enter your domain name (e.g., yourcompany.com)
   
   
3. Click "Check."
   
   
4. Wait a few seconds — you’ll see a simple report showing if DKIM is valid
   
   

What it shows:

• ✅ DKIM record found
  
  
• ✅ DKIM signature status
  
  
• ⚠️ Any issues with SPF or DMARC (bonus check)
  
  

Why it’s great:
‍
It’s fast, easy, and you don’t need to touch email headers or know your DKIM selector.

‍

2. MXToolbox DKIM Lookup (For more detailed DNS checking)

MXToolbox DKIM lookup helps you to check your domain’s DKIM records to see if they exist and are formatted correctly.

How to use it:

1. Go to the DKIM Lookup page
   
   
2. In the first field, type your DKIM selector (usually: selector1)
   
   
3. In the second field, type your domain name
   
   
   Example: selector1._domainkey.yourcompany.com
   
   
   
4. Click "DKIM Lookup."
   
   

What it shows:

• Full DKIM DNS record
  
  
• TTL (Time to Live)
  
  
• Status of record (pass/fail)
  
  
• Any syntax errors
  
  

Why it’s great:
‍
You can confirm if your CNAME records were added correctly after completing the Office 365 DKIM setup.

‍

3. Google Admin Toolbox – CheckMX (All-in-one domain check)

Google Admin Toolbox- Check MX is Google’s own tool to check whether your domain has proper email authentication configured, including DKIM, SPF, and DMARC.

How to use it:

1. Visit the CheckMX page
   
   
2. Enter your domain name
   
   
3. Press Enter or click the search icon
   
   
4. Review the results — you’ll see if DKIM is active
   
   

What it shows:

• Pass/fail results for DKIM, SPF, and DMARC
  
  
• Missing records
  
  
• Suggestions if anything is wrong
  
  

Why it’s great:
‍
If you send emails to Gmail users, this tool tells you if Google trusts your domain setup.

‍

Common Issues During DKIM Setup (and How to Fix Them)

✅ DKIM Setup Best Practices for Office 365

Setting up DKIM in Office 365 is a one-time task, but doing it right the first time makes all the difference. Here are some best practices to follow:

‍

🔹 1. Use Only One DKIM Record per Domain

Avoid adding multiple conflicting records. Stick with the default selectors provided by Microsoft: selector1 and selector2.

‍

🔹 2. Double-Check DNS Record Format

Even a small typo in your CNAME record can break the setup. Make sure:

• No extra spaces
  
  
• The record ends with a dot if required by your DNS host
  
  
• You’re copying the full hostname exactly
  
  

🔹 3. Wait for DNS to Fully Propagate

DNS changes don’t show up instantly. Give it at least 15 minutes to 24 hours before testing. If tools still can’t find your DKIM, wait a bit longer and test again.

‍

🔹 4. Verify with a Trusted DKIM Checker

Use tools like:

• Salesforge DKIM Checker for a quick pass/fail result
  
  
• MXToolbox for deeper insight
  
  
• Google CheckMX if you send emails to Gmail users
  
  

These tools help catch any setup issues early.

‍

🔹 5. Set Up SPF and DMARC Alongside DKIM

DKIM works best when combined with SPF and DMARC. Together, they create a strong email authentication framework and improve deliverability.

‍

🔹 6. Enable DKIM for Every Custom Domain

If you're sending from multiple domains in Office 365, you’ll need to setup DKIM separately for each one. Don’t assume one setup covers them all.

‍

🔹 7. Recheck After DNS or Domain Changes

If you move your domain to a new DNS provider or make changes to Office 365, it’s a good idea to recheck that your DKIM setup is still working.

These small checks make sure your DKIM Office 365 setup process is solid, and saves you from future email delivery headaches.

‍

🚀 Want to Skip the Manual Setup and Avoid Mistakes? Try PrimeForge

Setting up DKIM in Office 365 is simple once you know the steps, but if you’re managing multiple domains, handling DNS changes, or just don’t want to risk errors, tools like PrimeForge can save you a lot of time.

PrimeForge helps you:

• Automatically add and verify DKIM, SPF, and DMARC records
  
  
• Manage domain authentication in one place
  
  
• Avoid misconfigurations that hurt deliverability
  
  
• Set everything up without needing to log into DNS panels
  
  

Whether you’re a solo founder or managing outreach at scale, PrimeForge helps keep your domain secure and email-ready, fast.

👉 If you want to make your DKIM setup easier and faster, check out PrimeForge.

‍

Final Thoughts

Setting up DKIM in Office 365 isn’t as complicated as it sounds.

You just:

• Log in to Microsoft 365
  
  
• Add two CNAME records
  
  
• Enable DKIM
  
  
• And test it with a free tool
  
  

That’s it. Once it’s done, Office 365 takes care of the rest, signing your emails behind the scenes.

If you're managing multiple domains or just don’t want to mess with DNS every time, PrimeForge can help automate the setup.

It handles DKIM, SPF, and DMARC without the back-and-forth.

‍

FAQs About DKIM Setup in Office 365

Q1. Is DKIM enabled by default in Office 365?
‍
No, it’s not. You need to manually set it up for each domain connected to your Microsoft 365 account.

‍

Q2. How long does it take for DKIM to work after setup?
‍
It usually works within 15 minutes to a few hours.

Sometimes DNS changes can take up to 24 hours to fully update.

‍

Q3. Do I need both DKIM and SPF?
‍
Yes. DKIM and SPF work together to prove your emails are real.

It’s best to have both (plus DMARC) set up for full email protection.

‍

Q4. What if the DKIM "Enable" button isn’t clickable?
‍
That means Office 365 hasn’t detected your DNS records yet. Double-check the CNAME entries and give it a bit more time.

Tools like Salesforge DKIM Checker can help confirm if your records are live.

‍

Q5. Can I use a tool to handle DKIM setup automatically?
‍
Yes. If you don’t want to set up records manually or you're managing multiple domains, a tool like PrimeForge can handle DKIM, SPF, and DMARC setup for you — all in one place.

‍

Q6. Do I have to repeat the setup for every domain in Office 365?
‍
Yes. DKIM must be set up separately for each custom domain you use.