How To's Microsoft 365

How to Add DKIM and DMARC for Domain in Microsoft 365

Ensuring the security and authenticity of your emails is crucial for protecting your organization from phishing and spoofing attacks. DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) are two essential protocols for email security. This guide will walk you through the steps to add DKIM and DMARC for your domain in Microsoft 365.

Step-by-Step Guide to Add DKIM and DMARC for Domain in Microsoft 365


Before you start, ensure you have the following:

  • Admin access to your Microsoft 365 account.
  • Access to your DNS hosting provider to update DNS records.

Step 1: Enable DKIM in Microsoft 365

1.1 Access the Microsoft 365 Admin Center

  1. Open your web browser and go to the Microsoft 365 Admin Center.
  2. Sign in with your admin credentials.

1.2 Navigate to DKIM Settings

  1. In the left-hand navigation pane, select Show all to expand the menu.
  2. Go to Security and then select Threat management.
  3. Click on Policy and choose DKIM under the Email authentication section.

1.3 Configure DKIM for your Domain

  1. Select your domain from the list.
  2. Click Enable to start the DKIM configuration process.
  3. Microsoft 365 will prompt you to add CNAME records to your DNS provider. Note down the provided CNAME values.

Step 2: Add DKIM CNAME Records to Your DNS Provider

  1. Log in to your DNS hosting provider’s portal.
  2. Navigate to the DNS management section for your domain.
  3. Add two CNAME records using the values provided by Microsoft 365:
    • Record 1:
      • Name: selector1._domainkey
      • Type: CNAME
      • Value:
    • Record 2:
      • Name: selector2._domainkey
      • Type: CNAME
      • Value:
  4. Save the changes to your DNS records.

Step 3: Verify and Enable DKIM in Microsoft 365

  1. Return to the DKIM settings in the Microsoft 365 Admin Center.
  2. Click Refresh to check the status of the CNAME records.
  3. Once the records are verified, click Enable to activate DKIM for your domain.

Step 4: Configure DMARC for Your Domain

4.1 Create a DMARC Record

  1. In the DNS management section of your DNS hosting provider, create a new TXT record with the following details:Replace with your actual domain and modify the email addresses as needed for your reporting preferences.
  2. Save the changes to your DNS records.

Step 5: Monitor and Adjust DMARC Policy

  1. Allow some time for the DNS changes to propagate.
  2. Monitor the reports sent to the email addresses specified in the DMARC record.
  3. Based on the reports, adjust your DMARC policy from p=none to p=quarantine or p=reject to enforce stricter handling of unauthenticated emails.

Additional Tips

  • Testing: Start with a p=none policy to monitor email flow without impacting delivery.
  • Incremental Enforcement: Gradually move to stricter policies (quarantine and reject) as you gain confidence in your email authentication setup.
  • Regular Monitoring: Regularly review DKIM and DMARC reports to ensure ongoing email security.


By following these steps, you can enable DKIM and DMARC for your domain in Microsoft 365, enhancing the security and integrity of your organization’s email communications. If you have any questions or need further assistance, feel free to leave a comment below.

Post Comment