Adding standard Office365 DKIM

Henrik Brown 1 Reputation point


My main domain does not have standard office365 DKIM records in place.

I am going to add these and then sign them via the Office 365 portal.

The following DKIM records will be added to our external DNS:

selector1._domainkey CNAME
selector2._domainkey CNAME selector2-

My question is: would this have any negative impact on our mail flow? Or is this purely a security thing that is required to stop spoofing etc. from our domain?

Exchange Server Management

4 answers

  1. Andy David - MVP 143.8K Reputation points MVP

    The SendGrid emails will not be affected since they are not actually sent through your tenant.
    Only messages sent through 365 will get a DKIM stamp.

    However, if SendGrid messages (and any other 3rd party mailers) are sending as your domain and stamping a DKIM signature as your domain and you don't have a CNAME set up for those messages in your external DNS, those messages will fail DKIM. (They would be doing that before as well if that was the case.)

    Make sense?

    1 person found this answer helpful.

  2. Andy David - MVP 143.8K Reputation points MVP

    Correct, no user impact. If anything, it will improve deliverability for messages sent from 365.

    1 person found this answer helpful.

  3. Kael Yao-MSFT 37,586 Reputation points Microsoft Vendor

    Hi @Henrik Brown

    To my understanding, the two CNAME records are used to locate and retrieve the public key to decode the DKIM signature in the message headers.

    This step should be completed before you enable DKIM signing for your custom domain, which uses a private key to insert an encrypted signature into the message headers.
    Thus it shouldn't have any impact on the mail flow.

    Following these two steps is how you set up DKIM, which would help with preventing spoofing from your domain:
    Publish two CNAME records for your custom domain in DNS
    To enable DKIM signing for your custom domain in the Microsoft 365 Defender portal


  4. Henrik Brown 1 Reputation point


    How would this affect any mailers we have in place at the moment?

    For example, we use SendGrid and emails go out from them as our domain. These are spoofed.

    I guess that will not be affected as the messages are coming out from SendGrid's domain and not ours?

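The key lookup the answers above rely on, as an added example that is not part of the original thread: a verifier builds the DNS name `<s>._domainkey.<d>` from the signature's `s=` and `d=` tags, so any sender signing with `d=` set to your domain needs its selector published in your DNS. The domain `example.com`, the selector `m1`, the CNAME targets and the header values are constructed placeholders.

```python
import re

OUR_DOMAIN = "example.com"  # constructed; stands in for the custom domain

# Constructed zone contents: the two selector CNAMEs from the question.
# Targets are placeholders, not real Microsoft 365 values.
PUBLISHED = {
    "selector1._domainkey.example.com": "CNAME <target-placeholder-1>",
    "selector2._domainkey.example.com": "CNAME <target-placeholder-2>",
}

# Constructed DKIM-Signature values; bh=/b= are dummies, selector "m1" is hypothetical.
SAMPLES = {
    "sent through 365": "v=1; a=rsa-sha256; d=example.com; s=selector1;\r\n\th=from:to:subject; bh=AAAA; b=BBBB",
    "mailer signing as our domain": "v=1; a=rsa-sha256; d=example.com; s=m1; h=from; bh=AAAA; b=BBBB",
    "mailer signing as its own domain": "v=1; a=rsa-sha256; d=mailer.example.net; s=m1; h=from; bh=AAAA; b=BBBB",
}

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 tag-list)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_record_name(value):
    """DNS name a verifier queries for the public key: <s>._domainkey.<d>."""
    tags = parse_tags(value)
    if not tags.get("d") or not tags.get("s"):
        raise ValueError("DKIM-Signature needs both d= and s=")
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def audit(samples, published, our_domain=OUR_DOMAIN):
    """Classify each signature by whether our zone can answer its key lookup."""
    out = {}
    for label, value in samples.items():
        name = key_record_name(value)
        if not name.endswith("._domainkey." + our_domain):
            out[label] = "other-zone"  # exact d= match only; key is in the signer's DNS
        elif name in published:
            out[label] = "published"
        else:
            out[label] = "missing"     # verifier finds no key record: DKIM fails
    return out

if __name__ == "__main__":
    for label, status in audit(SAMPLES, PUBLISHED).items():
        print(f"{label}: {status}")
```
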