Adding standard Office365 DKIM

Henrik Brown 1 Reputation point
2021-08-30T09:24:46.947+00:00

Hi

My main domain does not have standard office365 DKIM records in place.

I am going to add these and then sign them via the office 365 portal

The following DKIM records will be added to our external DNS

selector1._domainkey CNAME selector1-ourdomain-co-uk._domainkey.ourmaintenant.onmicrosoft.com
selector2._domainkey CNAME selector2-ourdomain-co-uk._domainkey.ourmaintenant.onmicrosoft.com

My question is would this have any negative impact on our mail flow? Or is this purely a security thing that is required to stop spoofing etc from our domain?

Exchange | Exchange Server | Management

4 answers

  1. Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator
    2021-09-09T14:52:18.577+00:00

    The SendGrid emails will not be affected since they are not actually sent through your tenant.
    Only messages sent through 365 will get a DKIM stamp.

    However, if SendGrid messages (and any other 3rd party mailers) are sending as your domain and stamping a DKIM signature as your domain and you don't have a CNAME set up for those messages in your external DNS, those messages will fail DKIM. (They would be doing that before as well if that was the case.)

    Make sense?

    1 person found this answer helpful.
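The lookup described in the answers, as an added example that is not part of the original thread: a DKIM verifier reads `d=` and `s=` from the signature header and queries `<s>._domainkey.<d>`, so each sender signing as the domain needs its own selector record. The zone data holds only the two CNAMEs from the question, nothing is queried over the network, and the selectors `mailer1` and `k1` and the domain `mailer.example` are hypothetical.

```python
import re

# Constructed zone data: only the two CNAME records quoted in the question.
PUBLISHED = {
    "selector1._domainkey.ourdomain.co.uk":
        "selector1-ourdomain-co-uk._domainkey.ourmaintenant.onmicrosoft.com",
    "selector2._domainkey.ourdomain.co.uk":
        "selector2-ourdomain-co-uk._domainkey.ourmaintenant.onmicrosoft.com",
}
OUR_DOMAIN = "ourdomain.co.uk"

def m365_cnames(domain, initial_domain):
    """Build the selector1/selector2 CNAME pair in the pattern shown in the question."""
    label = domain.replace(".", "-")
    return {f"selector{n}._domainkey.{domain}":
            f"selector{n}-{label}._domainkey.{initial_domain}" for n in (1, 2)}

def dkim_tags(header_value):
    """Parse a DKIM-Signature value (RFC 6376 tag-list) into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def key_lookup(header_value, our_domain=OUR_DOMAIN, published=PUBLISHED):
    """Return (DNS name a verifier queries, status of that name in our zone)."""
    tags = dkim_tags(header_value)
    if "d" not in tags or "s" not in tags:
        return None, "invalid"            # signature cannot be evaluated at all
    d, s = tags["d"].lower().rstrip("."), tags["s"].lower()
    name = f"{s}._domainkey.{d}"
    if d != our_domain and not d.endswith("." + our_domain):
        return name, "external"           # key lives in the signer's zone, not ours
    return name, "published" if name in published else "missing"

# Constructed headers; bh= and b= are placeholders, not real signature data.
M365_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=ourdomain.co.uk;\r\n"
            " s=selector1; h=From:Date:Subject; bh=CONSTRUCTED; b=CONSTRUCTED")
MAILER_AS_US = "v=1; a=rsa-sha256; d=ourdomain.co.uk; s=mailer1; bh=X; b=X"
MAILER_OWN = "v=1; a=rsa-sha256; d=mailer.example; s=k1; bh=X; b=X"

if __name__ == "__main__":
    for sig in (M365_SIG, MAILER_AS_US, MAILER_OWN):
        print(key_lookup(sig))
```

A `missing` result is the case where a third-party mailer's signature fails DKIM until a record for its selector is published; `external` signatures never consult the domain's own zone.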

  2. Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator
    2021-09-09T16:01:25.347+00:00

    Correct, no user impact. If anything, it will improve deliverability for messages sent from 365.

    1 person found this answer helpful.

  3. Kael Yao 37,746 Reputation points Moderator
    2021-08-31T02:34:34.837+00:00

    Hi @Henrik Brown

    To my understanding, the two CNAME records are used to locate and retrieve the public key to decode the DKIM signature in the message headers.

    This step should be completed before you enable DKIM signing for your custom domain, which uses a private key to insert an encrypted signature into the message headers.
    Thus it shouldn't have any impact on the mail flow.

    Following these two steps is how you set up DKIM, which would help with preventing spoofing from your domain:
    Publish two CNAME records for your custom domain in DNS
    To enable DKIM signing for your custom domain in the Microsoft 365 Defender portal




  4. Henrik Brown 1 Reputation point
    2021-09-09T14:17:19.893+00:00

    Hi

    How would this affect any mailers we have in place at the moment?

    For example, we use SendGrid and emails go out from them as our domain. These are spoofed.

    I guess that will not be affected as the messages are coming out from SendGrid's domain and not ours?
