DKIM Setup for Microsoft 365 Tenants
January 9, 2026 • InboxGreenEmail Team
🚨 DKIM issues can silently kill replies.
If opens dropped, replies disappeared, or bounces increased, treat it as an incident. Run the scan and get a fix path.
No signup required. Works on any domain.
DKIM Setup for Microsoft 365 Tenants
Setting up DKIM for your Microsoft 365 tenant can feel like a daunting task, especially if you are new to email authentication. However, it is crucial for ensuring your emails land in the inbox rather than the spam folder. DKIM, or DomainKeys Identified Mail, adds a digital signature to your emails, allowing receiving servers to verify that the email was indeed sent by you and has not been altered in transit. When this is correctly configured, it enhances your domain's reputation and improves inbox placement. If you are experiencing bounced emails, spam folder placements, or warnings in Gmail, it is time to take DKIM seriously.
At a glance
- This problem affects SaaS founders, marketers, and technical teams managing email.
- This article will guide you through the DKIM setup process for Microsoft 365.
- Following these steps will enhance your email deliverability and domain reputation.
When this problem shows up in real life
Imagine you are sending out an important marketing email to your subscribers, only to find out later that many of them landed in the spam folder. You check your email logs and see entries like this:
SMTP: 550 5.7.1 Unauthenticated email from yourdomain.com is not accepted due to domain's DMARC policy.This indicates that your DKIM setup might be missing or incorrect. Another example could be examining the headers of an email sent from your domain, where you notice:
Authentication-Results: mx.example.com; dkim=fail (bad signature) [email protected]This suggests that the DKIM signature is not valid, possibly due to a missing or misconfigured DNS record. These real-life scenarios highlight the importance of proper DKIM configuration.
Step by step: DKIM setup for Microsoft 365
- Access your Microsoft 365 admin center
Log in to your Microsoft 365 admin center. You will need global admin permissions to make changes.
- Navigate to the DKIM settings
Go to Exchange Admin Center > Protection > dkim.
- Enable DKIM for your domain
Select the domain for which you want to enable DKIM. Click on Enable.
- Update your DNS records
You will need to create two CNAME records in your DNS provider. Here is what they typically look like:
selector1._domainkey.yourdomain.com CNAME selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.comselector2._domainkey.yourdomain.com CNAME selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.comReplace yourdomain.com with your actual domain name.
- Verify the DNS records
After adding the records, it may take some time for DNS changes to propagate. Use a tool like the InboxGreen checker to verify the DKIM setup.
Common mistakes
- Missing CNAME records
Symptom: DKIM fails with a "bad signature" message.
Cause: You did not add the required CNAME records in your DNS.
Fix: Ensure both CNAME records are correctly set up in your DNS provider.
- Incorrect selector names
Symptom: Emails are still landing in spam.
Cause: The selector name in your DNS does not match the one Microsoft 365 is using.
Fix: Double-check the selector names in your DKIM settings and update your DNS records accordingly.
- Propagation delays
Symptom: DKIM appears to be set up, but it is not working.
Cause: DNS changes can take time to propagate.
Fix: Wait a few hours and then recheck your DKIM status using the InboxGreen checker.
- Not enabling DKIM
Symptom: DKIM is not functioning even after DNS records are set.
Cause: DKIM needs to be enabled in the Microsoft 365 admin center.
Fix: Go back to the DKIM settings and ensure it is enabled for your domain.
Troubleshooting when it still fails
- DKIM signature fails → likely cause: DNS records not found
What to try next: Use the DKIM Checker to see if your DNS records are correctly set.
- Emails still go to spam → likely cause: DMARC misconfiguration
What to try next: Check your DMARC settings to ensure they align with your DKIM setup.
- Authentication-Results header shows failure → likely cause: Invalid signature
What to try next: Review the DKIM selector and ensure it matches the records in your DNS.
- Recent changes not reflecting → likely cause: DNS caching
What to try next: Check your DNS TTL settings and consider flushing your DNS cache.
Related checks you should run
- Verify SPF, DKIM, and DMARC alignment.
- Check DNS TTL settings and propagation delays.
- Monitor domain reputation, bounces, and spam reports.
- Evaluate your list quality and engagement patterns.
FAQ
Why is DKIM still failing on Microsoft 365 after I added the record?
This could be due to several reasons, including incorrect CNAME records, propagation delays, or DKIM not being enabled in the Microsoft 365 admin center. Double-check your DNS records and ensure DKIM is active.
How long do DNS changes take to apply on Microsoft 365?
DNS changes can take anywhere from a few minutes to 48 hours to propagate fully. It often depends on your DNS provider's TTL settings.
Can I use more than one DKIM selector with this setup?
Yes, you can use multiple DKIM selectors. This is useful for rotating keys or if you have different services sending emails on behalf of your domain.
What should I do if my DKIM signature is valid but emails still go to spam?
If your DKIM signature is valid, check your DMARC settings and ensure they align with your DKIM and SPF records. Also, look into your domain's reputation and engagement metrics.
What to do next
Now that you have set up DKIM for your Microsoft 365 tenant, it is essential to monitor its performance. Use the InboxGreen checker to verify your DKIM configuration and ensure everything is working smoothly. Regular checks will help maintain your domain's reputation and improve email deliverability.
Free Deliverability Scan
Check SPF, DKIM, DMARC and List-Unsubscribe for your domain in seconds.