In order to enable DKIM signing for outbound emails in your Office 365 subscription, you first need to have a couple of CNAME records added to DNS zones your mail domains. Below is what's required to be added.
Host Name Points To Address Or Value TTL
selector1._domainkey selector1-<domainGUID>._domainkey.<initialDomain> 3600
selector2._domainkey selector2-<domainGUID>._domainkey.<initialDomain> 3600
  • domainGUID is created from your mail domain. For example, for the domain, the domainGUID would be "example-com".
  • initialDomain is the tenant address you created at the time you signed up with Office 365. It would be something similar to ""
Keep in mind that you will have to add above required CNAME records to each vanity domains in Office 365. Once you have configured your DNS records, follow below steps to enable it from the admin portal.

  1. Navigate to Exchange Admin -> protection -> dkim
  2. Select the domain you want to enable DKIM
  3. On the right hand side you'll see current status of DKIM for selected domain. Click on the Enable link.
  4. In few seconds, you'll see on the status section that DKIM is now enabled.
If you want to achieve this using PowerShell, follow below steps.

  1. Connect to Exchange Online through PowerShell.
  2. Run; "New-DkimSigningConfig –DomainName <domainName> –Enabled $true"
Again, you'll have to have above required CNAME records to be present in your domain's DNS zone for above command to work. If the DNS records haven't configured you'll see below error. If you have added required DNS records, and if you still receive below error, wait until your changes propagate.


If you received above error due to either of reasons I've mentioned and now you have corrected them, run below command.

"Set-DkimSigningConfig -Identity <domainName> -enabled $true"