Enable DKIM signing in Microsoft 365 Defender and publish CNAME records to allow Microsoft to sign outgoing email with your domain.
Record type: CNAME
Host: selector1._domainkey
Value: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
You need two CNAME records: selector1._domainkey and selector2._domainkey. Replace yourdomain-com and yourtenant with your actual values.
Go to security.microsoft.com and sign in with your admin account. Navigate to Email & collaboration > Policies & rules > Threat policies > Email authentication settings > DKIM.
Click your custom domain on the DKIM page. Microsoft will display the two CNAME records you need to publish.
Create two CNAME records in your DNS provider with the host names and values shown by Microsoft.
selector1._domainkey CNAME selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
selector2._domainkey CNAME selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
Return to the Microsoft 365 Defender DKIM page and toggle the "Sign messages for this domain with DKIM signatures" switch to Enabled.
Send a test email and inspect the received message's headers. Look for a DKIM-Signature header with d=yourdomain.com and a dkim=pass result in the Authentication-Results header.
After adding your DNS records, use our free DKIM checker to verify everything is configured correctly. DNS changes typically propagate within minutes, but can take up to 48 hours.
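As an added example (not part of the original page or a Microsoft tool), the script below derives the two CNAME records Microsoft 365 expects for a domain and tenant, compares them against CNAME answers you obtained from your resolver, and checks a test message's headers for the d= and s= tags and the dkim=pass result described above. The domain example.com, the tenant name contoso, and the header sample are constructed placeholders.

```python
import re
from email import message_from_string

def expected_dkim_cnames(domain: str, tenant: str) -> dict:
    """Microsoft 365 publishes the keys under <tenant>.onmicrosoft.com; the target
    embeds the sending domain with dots replaced by hyphens (yourdomain-com)."""
    hyphenated = domain.lower().replace(".", "-")
    return {
        f"{sel}._domainkey.{domain.lower()}":
            f"{sel}-{hyphenated}._domainkey.{tenant.lower()}.onmicrosoft.com"
        for sel in ("selector1", "selector2")
    }

def verify_cname_answers(answers: dict, domain: str, tenant: str) -> list:
    """answers maps host -> CNAME target as returned by your resolver.
    Returns a list of problems; an empty list means both records are correct."""
    problems = []
    for host, target in expected_dkim_cnames(domain, tenant).items():
        got = answers.get(host)
        if got is None:
            problems.append(f"{host}: no CNAME published")
        elif got.rstrip(".").lower() != target:
            problems.append(f"{host}: points to {got}, expected {target}")
    return problems

def check_dkim_headers(raw_headers: str, domain: str) -> dict:
    """Parse DKIM-Signature tags (d=, s=) and the dkim= verdict from
    Authentication-Results in a received message's headers."""
    msg = message_from_string(raw_headers)
    tags = {}
    for part in msg.get("DKIM-Signature", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    verdict = re.search(r"\bdkim=(\w+)", msg.get("Authentication-Results", ""))
    return {
        "signed_by_domain": tags.get("d", "").lower() == domain.lower(),
        "selector": tags.get("s"),
        "microsoft_selector": tags.get("s") in ("selector1", "selector2"),
        "dkim_result": verdict.group(1) if verdict else None,
    }

# Constructed resolver output: selector1 is published, selector2 was forgotten.
CONSTRUCTED_ANSWERS = {
    "selector1._domainkey.example.com":
        "selector1-example-com._domainkey.contoso.onmicrosoft.com.",
}

# Constructed headers from a test message (hash and signature values are dummies).
SAMPLE_HEADERS = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=example.com; dkim=pass (signature was verified)
 header.d=example.com; dmarc=pass action=none header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=selector1; h=From:To:Subject:Date:Message-ID; bh=CONSTRUCTEDBODYHASH=;
 b=CONSTRUCTEDSIGNATUREVALUE==
From: sender@example.com
Subject: DKIM test

"""

if __name__ == "__main__":
    print(verify_cname_answers(CONSTRUCTED_ANSWERS, "example.com", "contoso"))
    print(check_dkim_headers(SAMPLE_HEADERS, "example.com"))
```

Feed the function real CNAME answers from dig or nslookup for your own domain; a non-empty problem list explains why the Defender toggle refuses to enable or why signatures fail.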
Microsoft 365 uses selector1 and selector2 as DKIM selectors. Both are published as CNAME records pointing to Microsoft-managed keys under your tenant's onmicrosoft.com domain.
Because the DKIM records are CNAMEs pointing to Microsoft-managed DNS, Microsoft can rotate the underlying keys without requiring you to update your DNS records.
CNAME records allow Microsoft to manage and rotate the DKIM keys on their side without requiring customers to update DNS records each time a key rotation occurs.