how to make DKIM and DMRC enabled

Question

i see that the default domain is set us default in DKIM option, though the custom domain was added and set as default in domain, I dont see the custom domain just only onmicrosoft.com so not able to enable DKIM.

Also about the DMARC what should be the default value which should be updated on domain provider?

Answer 1

Hi @RaGau

Thank you for posting your question in Microsoft Q&A. 

Based on the information you described, I understand that:

You are trying to enable DKIM for a custom domain in Microsoft 365, but in the DKIM settings you only see the default onmicrosoft.com domain. Even though the custom domain has been added and set as the default domain in the tenant, it does not appear in the DKIM configuration.

Based on my research, DKIM for Microsoft 365 is only available for custom domains once all required DNS configurations are fully completed. If the custom domain has not finished these prerequisite steps, Microsoft 365 will only display the default onmicrosoft.com domain in the DKIM settings.

As a first step, please check that your custom domain is in a “Healthy” state in the Microsoft 365 Admin Center. The domain must have all required DNS records properly configured, including:

• MX record
• SPF record
• Domain verification record

If the domain has already been verified and shows as healthy, the next step before enabling DKIM is to add the two required DKIM CNAME records at your DNS provider. After creating these records, please allow some time for DNS propagation.

Once the CNAME records are in place, you can enable DKIM by navigating to: Microsoft Defender Portal > Email & collaboration > Policies & rules > Threat policies > Email authentication settings > DKIM and then turning on DKIM for your custom domain.

Please refer the following document: Set up DKIM to sign mail from your cloud domain

Regarding DMARC, you may refer to the following Microsoft documentation for more details:

Set up DMARC for active custom domains in Microsoft 365

I hope this information helps clarify the issue and guides you through the correct configuration steps.

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".      

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread. 

Answer 2

To enable DKIM for your custom domain in Microsoft 365, you need to ensure that the domain is properly configured and that the necessary CNAME records are set up in your DNS. Here are the steps you should follow:

1. Verify Domain Addition: Make sure your custom domain is added to Microsoft 365. You can check this by running the command Get-AcceptedDomain in Exchange Online PowerShell.
2. Check DKIM Status: Use the command Get-DkimSigningConfig | Format-List Name,Enabled,Status,Selector1CNAME,Selector2CNAME to verify the DKIM status of your domains. If your custom domain is not listed or is shown as CnameMissing, you will need to create the necessary CNAME records in your DNS.
3. Enable DKIM Signing: In the Defender portal, navigate to Email & collaboration > Policies & rules > Threat policies > Email authentication settings. Select the DKIM tab, choose your custom domain, and toggle the option to enable DKIM signing.

For DMARC, the recommended default value for a DMARC TXT record for domains that do not send mail is:

• Hostname: _dmarc
• TXT value: v=DMARC1; p=reject;

This configuration will help protect your domain from unauthorized use.

---

References:

• Set up DKIM to sign mail from your cloud domain
• DMARC TXT records for parked domains in Microsoft 365