Manually hooking up DKIM signing in Office 365


Note: This content also appears on our official documentation here, Use DKIM to validate outbound email sent from your domain in Office 365.

Here’s how to enable DKIM signing for your domain if it is hosted in Office 365 (Exchange Online Protection).
What steps do I have to take to enable DKIM?

First, for each domain that needs to be DKIM-signed, you will need to publish two CNAMEs in DNS (not TXT records):

Host name:                  selector1._domainkey
Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>
TTL:                        3600

Host name:                  selector2._domainkey
Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain>
TTL:                        3600


The <domainGUID> is the same as the <domainGUID> in the customized MX record for your domain, the label that appears before mail.protection.outlook.com. For example, for the domain contoso.com:

contoso.com.    3600  IN  MX   5 contoso-com.mail.protection.outlook.com.

The <domainGUID> is contoso-com.

The <initialDomain> is the same one that you signed up with for Office 365. For example, contoso.com may have signed up with contoso.onmicrosoft.com. Therefore, the two CNAMEs that contoso.com would publish are the following:

Host name:                  selector1._domainkey
Points to address or value: selector1-contoso-com._domainkey.contoso.onmicrosoft.com
TTL:                        3600

Host name:                  selector2._domainkey
Points to address or value: selector2-contoso-com._domainkey.contoso.onmicrosoft.com
TTL:                        3600

In the above, the host name does not contain the full FQDN of the domain you are provisioning. You could explicitly include the full thing, that is, instead of Host name selector1._domainkey, you could put selector1._domainkey.<domain>.

For every other domain you have provisioned with Exchange Online, you will need to enable DKIM signing separately.

For example, if your initial domain is contoso.onmicrosoft.com and you have provisioned contoso.com and fabrikam.com, you will need to provision 4 CNAMEs (two for each domain). There are two CNAMEs so that we can perform automatic DKIM key rotation for you. You need to do this for each domain that you use to send email; DKIM signing does not inherit DKIM settings from other domains that you have provisioned for your organization. For a company trying to DKIM-sign contoso.com and fabrikam.com, you’d have four additional DNS records that look like this:

selector1._domainkey.contoso.com IN CNAME selector1-contoso-com._domainkey.contoso.onmicrosoft.com
selector2._domainkey.contoso.com IN CNAME selector2-contoso-com._domainkey.contoso.onmicrosoft.com

selector1._domainkey.fabrikam.com IN CNAME selector1-fabrikam-com._domainkey.contoso.onmicrosoft.com
selector2._domainkey.fabrikam.com IN CNAME selector2-fabrikam-com._domainkey.contoso.onmicrosoft.com
 

Do not set up TXT records; if you set up TXT records and not CNAME records you have done it incorrectly!
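A small check for the records above, added here as an example and not part of the original post: it reads <domainGUID> out of the MX record, builds the two expected CNAMEs, and flags the TXT-instead-of-CNAME mistake. The resolver results GOOD_DNS and BAD_DNS are constructed; a real run would fill them from your own DNS lookups.

```python
# Added example, not code from the original post: derive the two CNAMEs that
# Office 365 expects for a domain from the customised MX record, and compare
# them with what a resolver returned. GOOD_DNS and BAD_DNS are constructed data.

EOP_MX_SUFFIX = ".mail.protection.outlook.com"


def domain_guid_from_mx(mx_target: str) -> str:
    """Extract <domainGUID> from the MX target the post describes, e.g.
    'contoso-com.mail.protection.outlook.com.' -> 'contoso-com'.
    Read it from the MX rather than guessing from the domain name, because
    domains containing a dash are encoded differently."""
    host = mx_target.rstrip(".").lower()
    if not host.endswith(EOP_MX_SUFFIX):
        raise ValueError(f"not an Exchange Online Protection MX target: {mx_target}")
    return host[: -len(EOP_MX_SUFFIX)]


def expected_dkim_cnames(domain: str, domain_guid: str, initial_domain: str) -> dict:
    """Map each selector host name to the CNAME target it must point at."""
    return {
        f"selector{n}._domainkey.{domain}":
            f"selector{n}-{domain_guid}._domainkey.{initial_domain}"
        for n in (1, 2)
    }


def check_dkim_dns(domain: str, domain_guid: str, initial_domain: str, observed: dict) -> list:
    """observed maps a host name to (rrtype, value) as a resolver returned it.
    Returns a list of problems; an empty list means both records are right."""
    problems = []
    for host, target in expected_dkim_cnames(domain, domain_guid, initial_domain).items():
        record = observed.get(host)
        if record is None:
            problems.append(f"{host}: no record published")
            continue
        rrtype, value = record
        if rrtype.upper() != "CNAME":
            # The post's warning: a TXT record at this name is the wrong setup.
            problems.append(f"{host}: published as {rrtype}, must be a CNAME")
            continue
        if value.rstrip(".").lower() != target.lower():
            problems.append(f"{host}: points to {value}, expected {target}")
    return problems


# Constructed resolver output for contoso.com: both CNAMEs are correct.
GOOD_DNS = {
    "selector1._domainkey.contoso.com":
        ("CNAME", "selector1-contoso-com._domainkey.contoso.onmicrosoft.com."),
    "selector2._domainkey.contoso.com":
        ("CNAME", "selector2-contoso-com._domainkey.contoso.onmicrosoft.com."),
}

# Constructed resolver output for fabrikam.com: selector1 was published as a
# TXT record (the mistake the post warns about) and selector2 is missing.
BAD_DNS = {
    "selector1._domainkey.fabrikam.com":
        ("TXT", "v=DKIM1; k=rsa; p=<placeholder public key>"),
}


if __name__ == "__main__":
    guid = domain_guid_from_mx("contoso-com.mail.protection.outlook.com.")
    print(check_dkim_dns("contoso.com", guid, "contoso.onmicrosoft.com", GOOD_DNS))
    print(check_dkim_dns("fabrikam.com", "fabrikam-com", "contoso.onmicrosoft.com", BAD_DNS))
```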

Second, you need to enable DKIM-signing for the domain within the service. You can do this in the UX by going to protection > dkim and clicking Enable for each domain you own:


Alternatively, if you use Powershell, connect to Exchange Online using Powershell and then run the following cmdlet:

New-DkimSigningConfig -DomainName <domain> -Enabled $true

Or, let us know when you are done and we will enable it on the backend: open a support ticket telling us which domains you want DKIM signing for. We will then create the 1024-bit DKIM public keys and the associated private keys, which we store internally.

How do I know it worked?

In either case above, when done, a DKIM-signed message will look like the following:

From: Example User <example@contoso.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    s=selector1; d=contoso.com; t=1429912795;
    h=From:To:Message-ID:Subject:MIME-Version:Content-Type;
    bh=<body hash>;
    b=<signed field>;

Or like this:

From: Example User <example@contoso.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    s=selector2; d=contoso.com; t=1429912795;
    h=From:To:Message-ID:Subject:MIME-Version:Content-Type;
    bh=<body hash>;
    b=<signed field>;

The DKIM-signed messages will align with DMARC (the d= domain will align with the 5322.From domain). This is even true for SMTP bounces where the MAIL FROM is <>.

To test it out, wait a few minutes for the newly enabled DKIM domains to replicate throughout the network, then send a message to another account such as your Outlook.com/Hotmail account, Yahoo account, Gmail account, or other account that you have access to. Open up the message and look at the message headers, looking for the Authentication-Results header. Each service stamps it a little differently, but it will say dkim=pass or dkim=ok or something similar.

If you send to an aol.com account, it may not work because AOL may skip the DKIM-check if the SPF-check passes and aligns with the domain in the From: address.

To test whether or not your DNS records or DKIM settings are properly configured, you can use this Powershell script to help you verify your DKIM config.

Can I set the DKIM key size?

You don’t need to set the size of the DKIM keys,

 

Do I have to rotate the keys?

No, you don’t need to rotate the keys because we do that for you. Once you set it, you can forget it.
How do I add another domain for DKIM signing?

To DKIM sign another domain, you must go through the above steps for each of the domains you want to DKIM sign unless you want to have them signed with the default DKIM signature for your organization (see below on Disabling DKIM).

 

How do I troubleshoot delivery problems with DKIM?

There are some email receivers on the Internet that reject email due to a broken DKIM signature. A DKIM signature can break for multiple reasons:

a) If you have another mail server positioned after Office 365 that relays out to the Internet, it may modify the message content and cause the DKIM signature not to verify. If this occurs, you should ensure that Office 365 is the last service to relay out to the Internet, otherwise you may get some email bounces due to a broken DKIM signature.

b) Some messages get forwarded and modified in transit at the receiver side.

In cases like this, the receiver is not supposed to bounce messages with failed DKIM signatures, as per RFC 6376, sections 6.1 and 6.2. If you continue to receive bounces, contact the recipient and inform them that rejecting on a failed DKIM signature alone is against the RFC: messages can be modified in transit, and a broken signature is not a sign of malice. In addition, you can ask them to locally allow your messages that are failing DKIM.
How do I disable DKIM signing?

To disable the DKIM signing policy, you need to use the following Powershell commands:

$p=Get-DkimSigningConfig -Identity <domain>

$p[0] | Set-DkimSigningConfig -Enabled $false

OR

Set-DkimSigningConfig -Identity $p[0].Identity -Enabled $false

Use $p[X] where X is the index of the policy.

However, this doesn’t disable DKIM signing completely. Even if you don’t enable DKIM, Office 365 will still (eventually) enable DKIM signing for your domain using the default signing configuration. Suppose that fabrikam.com was enabled by Office 365, not by the admin of the domain (so the required CNAMEs do not exist in DNS). DKIM signatures will look like the following:

From: Second Example <second.example@fabrikam.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    s=selector1-fabrikam-com; d=contoso.onmicrosoft.com; t=1429912795;
    h=From:To:Message-ID:Subject:MIME-Version:Content-Type;
    bh=<body hash>;
    b=<signed field>;

In the example above, the selector and d= domain contain the values where the CNAME would point to had DKIM-signing for fabrikam.com been enabled by the customer. Eventually, every single message out of Office 365 will be DKIM-signed. If you enable DKIM yourself, the d= domain will align with the domain in the From: address; if not, it will not align and instead will have your organization’s initial domain.
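As an added example (not code from the post), here is a parser for the headers of a received message that extracts d= and s= from the DKIM-Signature, checks alignment with the 5322.From domain, flags the default-config signature shape shown above, and reads the receiver's dkim= verdict from Authentication-Results, which is the check described under "How do I know it worked?". The two sample messages are constructed from the shapes in this post; org_domain is a two-label approximation, not a Public Suffix List lookup.

```python
import re

# Added example, not code from the original post. It parses the headers of a
# received message, pulls d= and s= out of the DKIM-Signature, checks whether
# d= aligns with the 5322.From domain as DMARC requires, and reads the
# receiver's Authentication-Results verdict. Both messages are constructed.

# Shape from the post: DKIM enabled by the customer for contoso.com.
MSG_CUSTOMER_ENABLED = """\
Authentication-Results: mx.example.net; dkim=pass header.d=contoso.com
From: Example User <example@contoso.com>
To: someone@example.net
Subject: DKIM test
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    s=selector1; d=contoso.com; t=1429912795;
    h=From:To:Message-ID:Subject:MIME-Version:Content-Type;
    bh=<body hash>;
    b=<signed field>;

Hello
"""

# Shape from the post: fabrikam.com signed with the tenant's default config.
MSG_DEFAULT_CONFIG = """\
Authentication-Results: mx.example.net; dkim=pass header.d=contoso.onmicrosoft.com
From: Second Example <second.example@fabrikam.com>
To: someone@example.net
Subject: DKIM test
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    s=selector1-fabrikam-com; d=contoso.onmicrosoft.com; t=1429912795;
    h=From:To:Message-ID:Subject:MIME-Version:Content-Type;
    bh=<body hash>;
    b=<signed field>;

Hello
"""


def parse_headers(raw_message: str):
    """Return [(name, value)] for the header block, unfolding continuation lines."""
    headers = []
    for line in raw_message.split("\n"):
        if line.strip() == "":
            break                      # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]  # folded continuation of the previous header
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def first_header(headers, name):
    """Topmost header wins: that is the one stamped by the final receiver."""
    for n, v in headers:
        if n == name.lower():
            return v
    return None


def dkim_tags(signature: str) -> dict:
    """Split a 'k=v; k=v' tag list, splitting on the first '=' only so that
    base64 padding in b= survives."""
    tags = {}
    for part in signature.split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            tags[k.strip()] = v.strip()
    return tags


def from_domain(from_value: str) -> str:
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_value)
    if not m:
        raise ValueError(f"cannot find a domain in From: {from_value!r}")
    return m.group(1).lower()


def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels. Real DMARC uses the
    # Public Suffix List; this shortcut is fine for .com/.net style domains.
    return ".".join(domain.split(".")[-2:])


def assess_dkim(raw_message: str) -> dict:
    headers = parse_headers(raw_message)
    sig = first_header(headers, "DKIM-Signature")
    if sig is None:
        return {"signed": False}
    tags = dkim_tags(sig)
    d = tags.get("d", "").lower()
    s = tags.get("s", "")
    rfc5322_from = from_domain(first_header(headers, "From"))
    auth = first_header(headers, "Authentication-Results") or ""
    verdict = re.search(r"\bdkim=(\w+)", auth)
    return {
        "signed": True,
        "from_domain": rfc5322_from,
        "d": d,
        "s": s,
        "strict_alignment": d == rfc5322_from,
        "relaxed_alignment": org_domain(d) == org_domain(rfc5322_from),
        # Default tenant-wide signing (the post's fabrikam example): d= is the
        # initial *.onmicrosoft.com domain and the selector carries the GUID.
        "default_config": d.endswith(".onmicrosoft.com") and "-" in s,
        "receiver_dkim_result": verdict.group(1) if verdict else None,
    }
```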

* * * * * * * * * * * * * * *

And that’s it. As I say at the top of this post, this is only a short-term solution and eventually it will all be self-serve (that is, asking us to enable it for you will no longer be required; you will still need to set up the CNAMEs).

Happy DKIM signing!

Comments (72)

  1. Anders says:

    Good news but the helpdesk does not seem to be up to date with the manual activation process. Below is the response I received.

    "According to the provided details on the case, I have discussed with my Technical Advisor on the Exchange Online Protection technology and he has informed me that this features hasn't been implemented yet ; in theory there have been some activations made, followed by occurring issues – it is still in production phase ; after deployment you should be able to activate it manually, or within the Office 365 portal; at the moment we do not have an exact time when this will be implemented."

  2. tzink says:

    Just tell them to create a support ticket and have it routed to the Antispam team.

  3. Dan Schultz says:

    Terry — thanks for the help in getting this set up and the clear presentation above. Now that I have fixed my own typos in my CNAMEs, I'm looking forward to putting this new feature to work.

  4. Brian Reid says:

    If we run the PowerShell cmdlet do we also need to open a support ticket?

  5. Dan Schultz says:

    Signing is enabled for my domains, but messages aren't being signed. I've removed email subdomains, which I'd set up long ago for testing & which were expendable. (I hadn't specified those domains for the DKIM config & decided to remove them to factor them out of the troubleshooting.)

    I then dis-/re-enabled signing for the one domain I really use, but still no signing. I think my DNS is good, both the CNAMEs I created and the TXTs generated by O365 (with the public keys, etc.)

    I considered removing the config and going the self-serve route, but there is no "Remove-DkimSigningConfig" — probably for good reason.

  6. Phillip Mango says:

    Hi Terry,

    Thanks for the post but i get the error message:

    Active Directory operation failed on AM2PR01A005DC04.EURPR01A005.prod.outlook.com. The object 'CN=domain.org,CN=Dkim Signing config,CN=Transport Settings,CN=Configuration,CN=domain.org.onmicrosoft.com,CN=ConfigurationUnits,DC=EURPR01A005,DC=prod,DC=outlook,DC=com' already exists.

    What should I do?

  7. Dan Schultz says:

    @Phillip — it sounds like Terry's team already set up your signing config, based on your request. Is your signing working?

  8. tzink says:

    To delete (or re-enable an existing) DKIM policy, you have to get creative with Powershell:

    $p=Get-DkimSigningConfig -Organization <domain>

    $p[0] | Set-DkimSigningConfig -Enabled $true

    OR

    Set-DkimSigningConfig -Identity $p[0].Identity -Enabled $true

    Use $p[X] where X is the index of the policy.

  9. Andy says:

    What's wrong when I get the error that New-DkimSigningConfig is not a valid object or cmdlet? Does that mean that this feature is not rolled out to my account yet? Or am I making a mistake?

  10. Terry Zink says:

    If the cmdlet is generating an error, open up a support ticket. It may be that your domain's forest is not enabled.

  11. MikeM says:

    I'm using my domain provider to host DNS for the vanity domain I'm using in Office 365. When I try creating the CNAMEs described above I'm getting the following error:

    Failed to validate args in method GAP::Dns::record_update

    Will this only work when Office 365 is hosting DNS for the vanity domain?

  12. John Spaid says:

    I had issues running the cmdlet, however support gave me another script to run than the normal connect to O365 one I have been using:

    $LiveCred = Get-Credential

    $Session=New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $LiveCred -Authentication Basic -AllowRedirection

    Import-PSSession $Session

    Seemed to get the job done. Took a bit to import everything.

  13. Where do I get DKIM keys for "domainkey"? says:

    Where do I get DKIM keys for "domainkey"?

  14. Terry Zink says:

    MikeM – you should contact your DNS provider, something is wrong on their side.

    For the previous commenter above this one, you don't need to generate your own DKIM keys, Office 365 takes care of all that.

  15. Joseph Palarchio says:

    Based on this implementation of DKIM, I assume there is no way to have a third-party send DKIM signed messages on our behalf correct?

  16. Joseph Palarchio says:

    FYI- If the DNS query fails when you first try to enable DKIM and then later the DNS query is successful, the DKIM configuration still shows a status of "CnameMissing".  It is in fact enabled and appears to be working fine but the status doesn't seem to update.  Possibly a bug?

  17. Incorrect or Changed Parameter? says:

    Following these directions, "-Organization" is not a valid parameter for Get-DkimSigningConfig. I have to use "-Identity" instead, and it works fine. Just me, or has the cmdlet been modified?

  18. tzink says:

    Joseph, for your first question, I'm not sure what you mean. This implementation of DKIM is for email originating out of your own tenant. Another customer cannot send email on your behalf with your domain in the From: address and d= field in the DKIM-Signature unless they sign it locally, and you set up DKIM keys and DNS records with them. But that's independent of this feature.

    We are working on the "CNAME missing" part, but it shouldn't affect a verifier's ability to authenticate your email.

  19. tzink says:

    To the comment above this one – I have updated the cmdlet. I mixed it up because what you as a customer types in is different than what I as a developer have to type when I try to debug someone's account.

  20. Clint Armstrong says:

    Is this considered production ready? I've implemented this about a week ago and today enabled DMARC records with p=none. I'm getting reports back from facebook and hotmail that some of Office 365's servers are not signing messages.

  21. Zyonix says:

    Thanks! Managed to set up DKIM signing, but Automatic Replies and Non-Delivery Receipts aren't signed with DKIM, and fails DMARC.

    Will those be signed with DKIM in future?

  22. Zyonix says:

    Sorry double checked, and NDRs are already signed properly.

    Automatic Replies are not signed, so automatic replies to external senders will fail DMARC.

  23. tzink says:

    @Zyonix: We're looking into how to ensure signing of automatic replies.

  24. Dries Vandenneucker says:

    I was so happy to see this and make us 100% DMARC compliant. Still disappointed though… Powershell keeps giving errors on our domain. We can only activate for ourdomain.onmicrosoft.com, which fails DKIM alignment for DMARC…

  25. Dan Schultz says:

    Though I left it out of my prior post (re DKIM signing not occurring), my approach was to allow time for things to "bake in." Sure enough, signing is now functioning as expected.

  26. kjniemi says:

    Thanks for the easy to follow instructions. Worked on the first try. I've been waiting for this feature for quite some time 🙂

  27. James says:

    Is there a propagation time on the back-end before it'll start signing?  I'm rolling up on an hour and it's still not signing the outbound mail.  The DNS lookups on the TXT records show keys, and the powershell commands to enable it seemed to work …

  28. jp_sp says:

    Awesome! Great to see Office365 promoting DKIM – this way it becomes easily available also for small and medium businesses! We are currently trying DKIM, DMARC and SPF for our Domains on office365! I used your PowerShell instructions to set up DKIM, without any problem doing so…

    However, using dmarcian.com as a tool to observe DMARC results, I see that only about 50% of our outgoing mails are DKIM signed (SPF pass 100%) – those are messages originating from *.outbound.protection.outlook.com Servers…

    Is this intentional behavior so before rolling it out officially? Or is this an unknown issue limited to our domains? Anybody else observing this ?

  29. jc says:

    Hello Terry,

    I have done the first step following your instruction exactly as you described to add CNAME to DNS, however at the second step when I clicked "Enable" DKIM signature, I got error message "CNAME record does not exist for this config. Please publish a CNAME record first.".  But I have the CNAME published!

    Did I miss anything?

  30. jc says:

    jc again – just to add additional information —

    CNAME has been added to DNS since last week.

    DKIM works for "s=selector1-domain-com; d=domain.onmicrosoft.com" scenario, but not signing by the actual domain "domain.com"

    I sent a test to gmail, it showed:

    mailed-by: domain.com

    signed-by: domain.onmicrosoft.com

    How can I get "signed-by: domain.com" to show up?

  31. tech86 says:

    After DKIM Outbound Signing is enabled and now I want my MFP device to send email to an Internal or External using Client Submission relay then what are the steps to make sure that it will not cause false positive.

  32. tzink says:

    I need to look into why this behavior is the way it is. I provisioned a new subdomain under my own tenant, but I don't have the option to enable DKIM for it in the UX. It could be a propagation time thing. Stay tuned.

  33. jc says:

    @tzink

    How do I publish the CNAME?

    Error: "CNAME record does not exist for this config. Please publish a CNAME record first."

  34. tzink says:

    @jc: I have to open a bug on that, I don't know why it is saying that.

  35. jc says:

    @tzink

    Thanks – keep me posted!

  36. tzink says:

    I tried provisioning a new domain, setting up the CNAMEs, and then enabling DKIM. I got an error saying the CNAME wasn't published. However, I was able to fix it.

    If you have problems getting the DKIM enabled, please ensure that you have the correct CNAMEs published. You require two of them. If your domain is contoso.com and the initial domain is contoso.onmicrosoft.com, the CNAMEs will look like this:

    selector1._domainkey.contoso.com IN CNAME selector1-contoso-com._domainkey.contoso.onmicrosoft.com

    selector2._domainkey.contoso.com IN CNAME selector2-contoso-com._domainkey.contoso.onmicrosoft.com

    If the DKIM policy exists but is not enabled, you can see the names of the CNAMEs by running the following Powershell cmdlet:

    Get-DkimSigningConfig | fl Domain,Selector1CNAME,Selector2CNAME

    Domain         : contoso.com
    Selector1CNAME : selector1-contoso-com._domainkey.contoso.onmicrosoft.com
    Selector2CNAME : selector2-contoso-com._domainkey.contoso.onmicrosoft.com

    Domain         : fabrikam.com
    Selector1CNAME : selector1-fabrikam-com._domainkey.contoso.onmicrosoft.com
    Selector2CNAME : selector2-fabrikam-com._domainkey.contoso.onmicrosoft.com

    Once you have the CNAMEs published, wait a little while for DNS to replicate and then try again to enable using the cmdlets in the blog post, or through the UX.

  37. jc says:

    @tzink

    Thanks for getting back to me on the issue.  My situation is a bit different.  

    I have added the following to my DNS:

    selector1._domainkey.contoso.com IN CNAME selector1-contoso-com._domainkey.contoso.onmicrosoft.com.

    selector2._domainkey.contoso.com IN CNAME selector2-contoso-com._domainkey.contoso.onmicrosoft.com.

    and DKIM signing for contoso.onmicrosoft.com domain is enabled.

    However I need to enable DKIM signing for contoso.com domain.  I got the DNS information from Domain Settings of the domain list as follows:

    type: TXT

    host: selector1-contoso-com._domainkey

    value: v=DKIM1; k=rsa; p=MIGfMA…; n=1024,1450427490,1466238690

    I changed to CNAME to

    selector1._domainkey.contoso.com IN CNAME selector1-consoto-com._domainkey.contoso.com.

    selector2._domainkey.contoso.com IN CNAME selector2-consoto-com._domainkey.contoso.com.

    After pointing the selector1 to select1-consoto-com, I still get "CNAME record does not exist…" error, did I miss anything?

  38. jc says:

    There are some spelling errors in my last post:

    all should be "contoso" instead of "consoto"

  39. tzink says:

    @jc: Please contact me via the "Contact me" link with your tenant domain and I will take a look.

    blogs.msdn.com/…/contact.aspx

  40. Andrzej says:

    Hi Terry,

    I tried to follow instructions in this blog post, but in the UX (for all domains in protection -> dkim) the status is "No DKIM keys saved for this domain". Should I contact the support or is there anything I should do first? I tried to verify if selector1-<our domain-com>._domainkey.<initial domain>.onmicrosoft.com has a TXT record, but it doesn't exist (selector2 also doesn't exist).

    Thanks,

    Andrzej

  41. Herydis says:

    Don't we need a DNS policy record for DKIM?

    I mean a public DNS record in this format _DomainKey pointing to o=- or o=~ ?

    Is the initial domain the one in xxxx.onmicrosoft.com ?

  42. tzink says:

    @Andrzej

    Please make sure you (1) create the CNAME records in your DNS (make sure you get the syntax right, many people get this wrong) and (2) make sure you hit 'Enable' in the UX.

    If that doesn't work, open a support ticket.

  43. tzink says:

    @Herydis

    You don't need an o=<whatever>, that is for Author Domain Signing Policies (ADSP) which no one uses and isn't required. It is superseded by DMARC.

    The initial domain is the xxx.onmicrosoft.com.

  44. Bill says:

    I don't even have a "DKIM" in the UX on my EOP account, does that mean I cannot use it?  

  45. Andrzej says:

    Hi again Terry,

    I did create the DNS records first, but apparently the records in the onmicrosoft.com domain (selector1-<our domain-com>._domainkey.<initial domain>.onmicrosoft.com and selector2-<our domain-com>._domainkey.<initial domain>.onmicrosoft.com) are not created until you run: New-DkimSigningConfig -DomainName <our domain.com> -Enabled $true. The same goes for the GUI/UX – until you execute the PowerShell command I provided you are NOT able to enable DKIM in the UX/GUI. You will only see a message "No DKIM keys saved for this domain." This seems to me to be a bug, as running the PowerShell command shouldn't be needed. However, at this point you have to run it, as it is the only way to create the DKIM keys. Once you run the PowerShell command you can disable and (re-)enable DKIM in the UX/GUI.

    Cheers,

    Andrzej

  46. Junaid says:

    $p=Get-DkimSigningConfig –identity <domain>

    $p[0] | set-DkimSigningConfig –enabled $true  –> Shouldn't this be $false?

  47. Jose Galego says:

    My tenant is already configured, the UI shows "Enable", but the e-mails never get signed.

    Already have a support open (SRX616011194468149ID) since 01/10/16, but until now, nothing got signed.

  48. Jose Galego says:

    Sorry it shows "Enabled"

    And ticket: SRX616011194468149ID

  49. Waht about Plesk DNS? says:

    Plesk is not accepting this solution with cname. What to do?

  50. Ace says:

    I enabled DKIM on one of my domains (Office 365 Enterprise Plan). Using DKIM checkers and gmail, DKIM showed as pass, but on yahoo mail the received mail message header showed dkim=temperror (key retrieval failed).

    Another domain I controlled (Office 365 Business Premium) did not have such a problem. The message header showed dkim=pass (ok)

    Why would this be the case?

    In addition, I thought maybe if I rotated the keys, it might pass Yahoo's check. I tried to rotate DKIM keys on the Exchange admin interface and it was not able to do so

  51. Carol says:

    Terry, this record syntax works great on the primary tenant domain, but it's not working on the subtenant domains (which we own). How do you create the record for the subtenant domains?  Thanks!

  52. Dean says:

    Terry,

    I can confirm what Jose, Ace, and Carol have described above (I too have a support ticket open and the engineers have no idea what is going on). There is something on the back-end of Office 365 that is not working correctly, as the messages come across as not signed.

    Dean

  53. Jose Galego says:

    In our case, our tenant was not enabled for DKIM. After escalating it to the engineers, they managed to enable it manually. This took +/- 25 days, so insist on the Service Request.

    Now it is working 100%.

  54. Michelle says:

    How do i generate the signature to put in DNS when creating the cname?

  55. tzink says:

    @Michelle

    As I explain in this blog post, you don't generate a signature. We do that for you, all you need to do is (a) create the CNAME, and (b) enable DKIM signing in the Office 365 Admin portal.

  56. Shankar dayal says:

    We are using Exchange Online for mail service, but for the past few days our mails are not getting delivered to a few external domains. On tracing, it has been found that mails are deliverable due to "550-DKIM: encountered the following problem validating xxxx.onmicrosoft.com: 550 bodyhash_mismatch"

    can any one help me on this ?

  57. N says:

    In the example you provided, Fabrikam’s CNAME record discloses its relationship to Contoso (because the initial domain for the tenant was contoso.onmicrosoft.com).  Is there a way to avoid revealing that a domain is provisioned on the same Office365 tenant as another domain?

  58. Rex says:

    So, say, I have a handful of hmail servers.
    And I want to use the same signing key with those and 365.
    And, maybe, want to actually have control over my own dkim record.

    Is there a way to import/export a particular key?

    1. tzink says:

      @Rex: No, there’s no way to bring your own key into Office 365, or export your private key. It isn’t necessary, you can always generate a new public/private keypair and publish them at a different selector.

  59. Andy Cooper says:

    I didn’t have an issue getting this going with a domain DNS on Godaddy. However, two other domain DNS providers are unable to create the CNAME.

  60. Johnny says:

    When i add the CNAME to my DNS provider, it says

    selector2-contoso-com._domainkey.contoso.onmicrosoft.com is an invalid hostname

    (obviously i have replaced contoso-com with my own domain, but it seems like my DNS provider doesn’t like the _ in the hostname)

    1. tzink says:

      I recommend opening up a support ticket with your DNS provider. There’s nothing syntactically wrong with an underscore in a CNAME, especially since other host providers do it (e.g., GoDaddy is my personal provider and they do it).

    2. Iqbal Khan says:

      If your DNS provider is Network Solutions, you would have to call and ask them to add it.

  61. Iqbal Khan says:

    I have added the CNAMES yesterday and enabled the DKIM this morning around 12:00 pm all configurations seems dandy but emails aren’t being signed. Tier1 support has no clue after showing all configuration and unable to escalate the issue. I would appreciate anyone’s help. here are some settings and header info:

    > Get-DkimSigningConfig -Identity xxxxxxxxx.com | Format-List

    RunspaceId : 2a9c123b-6313-4851-8f77-bc55b393b25b
    Domain : xxxxxxxx.com
    AdminDisplayName :
    Selector1KeySize : 1024
    Selector1CNAME : selector1-xxxxxx-com._domainkey.xxxxxx.onmicrosoft.com
    Selector1PublicKey : v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCewshtK+0SFSnizda5Qw9SjkusvdvIik
    43mzgA+lRzSoMHqU1OOQUYjtVN4lmgwUR2RASHuk7FIaYR9eFFkvz9v+RKSHC1QGQW7873jkcRMxXdtlTcJrV1Id
    bbcdCIq5rUVF00HSoEyIsAWSVsSpm5YAeDGQNuJM53wsxn3qcjgQIDAQAB; n=1024,1460291642,1476102842
    Selector2KeySize : 1024
    Selector2CNAME : selector2-xxxx-com._domainkey.xxxxxx.onmicrosoft.com
    Selector2PublicKey : v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgINpd2UgtOXPu0s/dgxss2BJZ3V8pYP
    hUwzwOdxmyk3phsMDTC2YN2MEkJ1hJBdJsbxh+CoKyRhFyBnW/3XfY/eXJULFb/mnwgoabfCnrn/nQ0ojFDrI4ys
    OPx1af1JHG5Xu1tgVoq+TzomHGgOg7Ns7bU161tBCworYuErC9zQIDAQAB; n=1024,1460291642,1476102842
    Enabled : True
    IsDefault : False
    HeaderCanonicalization : Relaxed
    BodyCanonicalization : Relaxed
    Algorithm : RsaSHA256
    NumberOfBytesToSign : All
    IncludeSignatureCreationTime : True
    IncludeKeyExpiration : False
    KeyCreationTime : 4/10/2016 12:34:02 PM
    LastChecked : 5/18/2016 9:46:06 PM
    RotateOnDate : 4/10/2016 12:34:02 PM
    SelectorBeforeRotateOnDate : selector2
    SelectorAfterRotateOnDate : selector1
    Status : Valid
    Identity : xxxxxxx.com
    IsValid : True
    ExchangeVersion : 0.20 (15.0.0.0)
    Name : xxxxxxxxx.com
    DistinguishedName : CN=xxxxxxxxx.com,CN=Dkim Signing config,CN=Transport Settings,CN=Configuration,CN=caret
    ocare.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR11A002,DC=PROD,DC=OUTLOOK,DC=COM
    Guid : 07e882e2-3f88-4b23-bd09-b8e3933d6c9a
    ObjectCategory : NAMPR11A002.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Hosted-Content-Filter-Config
    ObjectClass : {top, msExchHostedContentFilterConfig}
    WhenChanged : 5/18/2016 5:46:06 PM
    WhenCreated : 4/10/2016 8:34:03 AM
    WhenChangedUTC : 5/18/2016 9:46:06 PM
    WhenCreatedUTC : 4/10/2016 12:34:03 PM
    OrganizationId : NAMPR11A002.PROD.OUTLOOK.COM/Microsoft Exchange Hosted
    Organizations/xxxxxxxxx.onmicrosoft.com –
    NAMPR11A002.PROD.OUTLOOK.COM/ConfigurationUnits/xxxxxxxxx.onmicrosoft.com/Configuration
    Id : xxxxxxxxx.com
    OriginatingServer : SN1PR11A002DC04.NAMPR11A002.PROD.OUTLOOK.COM
    ObjectState : Unchanged

    Authentication-Results: mx.google.com;
    dkim=pass header.i=@xxxxxxx.com;
    spf=pass (google.com: domain of xxx.xxxx@xxx.com designates 207.46.100.68 as permitted sender) smtp.mailfrom=xxx@xxxx.com
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xxxx.com;
    s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version;
    bh=FtpW0ZixWWyqD3m6Y8Ytmu8sObPzNazhhoNY0G+5cGg=;
    b=BmigGlzsWelUNkI/uB7w5wb897owsz3GKixsk8YeiQE4MGPX+ImV7PRQFi6P8n5SvMUWTie4m8sOzUh6mZDRvGp6Z0+kPqxnLF16qMK7WkQqZ1LEVPWBSjAtDMX7PouIaG2N8iLV4I7Jil3jJN3gFKZ6kgADi+XX2iIW5sCGuaM=
    Authentication-Results: gmail.com; dkim=none (message not signed)
    header.d=none;gmail.com; dmarc=none action=none header.from=xxxxxx.com;

    real domain and email address are being replaced with xxxxx
    The line before the last says dkim=none (message not signed). It has been over 6 hours since I enabled DKIM and it is still not signing.
    Thank you in advance for your help.

    1. tzink says:

      Looks like the signature is being applied:

      DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xxxx.com;
      s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version;

      The bottom Authentication-Results header is EOP’s header when you sent the message outbound; the message when it first arrives into EOP does not have a DKIM signature, but is applied when it is relayed out. You can see that Google verified it above.

      1. Iqbal Khan says:

        I forgot to mention that we are sending encrypted email and recipients are not able to retrieve the message because the last two URLs in the encrypted message are being stripped out by their email content filter, showing the error below.
        Authentication-Results: xxx.org; dkim=none (message not signed) header.d=none;xxx.org; dmarc=none action=none header.from=xxxx.com; Received: from CY1PR11MB0170.namprd11.prod.outlook.com (10.160.228.12)

        Thank you for you help.

  62. How long does it take for the Enable/Disable option to show up after adding this domain to my tenant? so far it’s not there after 1hour.

  63. Mario says:

    Can you confirm that domains with a dash in between are supported to enable DKIM in office 365?
    my current customer has a my-domain.com and we’re having issues adding the records in godaddy.

    1. tzink says:

      Yes, domains with a dash can use DKIM. The dash is replaced with some letter/number characters similar to the way it is in the MX record.

  64. Karthikeyan says:

    I am trying to enable DKIM for my domain with Office 365. I have set the C name records on the host. When I try to enable DKIM under Protection tab, it just displays ‘No DKIM keys saved for this domain’.

    1. tzink says:

      Karthikeyan, try connecting to your tenant using Powershell and use the “Get-DkimSigningConfig | fl *CNAME*” cmdlet associated with the domain you are trying to enable. Make sure that you don’t have any typos.
