DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email sent from your domain. The receiving server checks this signature against a public key in your DNS to verify the message is genuine and hasn’t been tampered with. DKIM is required by Google and Microsoft for reliable inbox delivery. You’ll need admin access to your email platform and access to your domain’s DNS settings.
Setting Up DKIM for Microsoft 365
By default, M365 signs outbound email with a Microsoft domain, you need to enable DKIM signing for your own custom domain.
Step 1 — Generate the DKIM keys
- Go to the Microsoft Defender portal at security.microsoft.com
- Navigate to Email & collaboration > Policies & rules > Threat policies > Email authentication settings
- Select the DKIM tab, click on your custom domain, and click Create DKIM keys
Step 2 — Add the CNAME records to your DNS
Microsoft will provide two CNAME records. Add both to your domain’s DNS:
| Type | Host / Name | Points to |
| CNAME | selector1._domainkey | Copy from Defender portal |
| CNAME | selector2._domainkey | Copy from Defender portal |
Step 3 — Enable DKIM signing
Wait for DNS propagation (up to 48 hours, usually faster), then go back to the Defender portal > DKIM tab and toggle Sign messages for this domain with DKIM signatures to Enabled.
Setting Up DKIM for Google Workspace
Step 1 — Generate the DKIM key
- Sign in to the Google Admin Console at admin.google.com
- Navigate to Apps > Google Workspace > Gmail > Authenticate email
- Select your domain and click Generate New Record
- Leave the key bit length at 2048 and the prefix selector as google, then click Generate
Step 2 — Add the TXT record to your DNS
Google will display a TXT record value. Add this to your DNS:
| Type | Host / Name | Value |
| TXT | google._domainkey | Copy the full value from the Admin Console |
Step 3 — Start authentication
Wait for DNS propagation (up to 48 hours, usually faster), then go back to Admin Console → Gmail → Authenticate email and click Start Authentication. If the button is greyed out, the DNS record hasn’t propagated yet.
Verifying DKIM Is Working
Send a test email to an external address (e.g. a personal Gmail account) and check the message headers for dkim=pass in the Authentication-Results. You can also use MXToolbox DKIM Lookup, enter your domain and selector (selector1 for M365, google for Google Workspace).
Next Steps
Make sure your wider email authentication is also in place; see our guides on How to Set Up DMARC for Your Domain
Need Help with Email Authentication?
We configure and troubleshoot SPF, DKIM, and DMARC for businesses — ensuring your emails are authenticated, your domain is protected, and your messages reach the inbox.
Speak to an expert