First, why we need the DKIM (DomainKeys Identified Mail). Most of the administers doesn’t have any idea why Security Analyzing or Security Team ask them to enable DKIM for their Custom O365 email Domains.

We all know about the Snooping emails. Someone hiding/faking there original identity and sending mails call Snooping Email. In the O365 we are configuring SFP (Sender Policy Framework) to help prevent spoofing our domain. SPF helps to validate outbound email send from your custom domain.

Exchange OnlineTXTinclude:spf.protection.outlook.com

We add above SPF TXT record in our Domain when we are verifying our domain.

DKIM works better than SPF alone to Prevent Malicious Spoofing. That why Security expect ask to enable DKIM.

How this is work?

let say your custom O365 domain is pathumudana.com. when a mail send to a lasi@contoso.com. contoso.com mail server will looks up for SPF or DKIM TXT Records and finds out whether the mail is vaild or not. if the recipient email server fail to Validated the records, contoso mail server will reject the message as Spam.

if your emails are delivery to Spam box. SPF or DKIM will help you to Prevent that.

Lets configure

DKIM DNS records can find on the Exchange admin Center.

Exchange Admin Center > Protection > DKIM ( select the custom domain)

Sample Records :

selectorl -pathumudana-com._domainkeypathumudanaoutl 
selectorl ._domainkey.pathumudana.com. 
selector2-pathumudana-com._domainkeypathumudanaoutl 
selector2._domainkey.pathumudana.com. 
IN 
IN 
CNAME 
ook.onmicrosoft.com 
CNAME 
ook.onmicrosoft.com 
Edit 
Delete 
Edit 
Delete

Once we add the DNS Records. we can enable the DKIM

selectorl -pathumudana-com._domainkeypathumudanaoutl 
selectorl ._domainkey.pathumudana.com. 
selector2-pathumudana-com._domainkeypathumudanaoutl 
selector2._domainkey.pathumudana.com. 
IN 
IN 
CNAME 
ook.onmicrosoft.com 
CNAME 
ook.onmicrosoft.com 
Edit 
Delete 
Edit 
Delete

Q&A

Question : Do we need to Enable DKIM for Onmicrosoft.com domain

Answer: No, its manage by Microsoft and they will enable it default.