As the first step we need to connect to our M365 Powershell. The last paragraph in this article describes how to do this.

The following command shows a comprehensive list of DKIM related information for domain “domain.com”:

Get-DkimSigningConfig -Identity domain.com | Format-List

If we just want to check the DKIM status of our domains we can use the following command:

Get-DkimSigningConfig

My example shows that DKIM is enabled for our Microsoft tenant domain but isn’t for our primary sending domain. Before we are able to enable DKIM for our sending domain we need to setup DNS records for verification:

Get-DkimSigningConfig -Identity domain.com | Format-List Selector1CNAME, Selector2CNAME

Now we need to set the CNAME records in our dns. Copy selector1 and create a new CNAME entry in your DNS settings. Repeat for selector2 (Destination is just an example, use the output generated in the previous step):

Host: selector1._domainkey
Destination: selector1-domain-com._domainkey.youronmicrosoftdomain.onmicrosoft.com

Host: selector2._domainkey
Destination: selector2-domain-com._domainkey.youronmicrosoftdomain.onmicrosoft.com

At this point we need to wait until the dns records have been propagated. Wait at least 10 – 15 minutes until you proceed. Chose on of the options below:

Option 1: Via Powershell

Open a Powershell session to your M365 tenant and type the following command:

Set-DkimSigningConfig -Identity domain.com -Enabled $true

Option 2: Via Security Admin center

• Login to M365 Admin center (https://admin.microsoft.com)
• Go to Security Admin center
• Go to Threat management -> Policy
• Click on DKIM
• Click on your domain
• Turn the disabled slider to enabled and save

Option 3: Via old Exchange Admin center

• Login to M365 Admin center (https://admin.microsoft.com)
• Go to Exchange Admin center
• Go to Classic Exchange admin center
• Go to Protection -> dkim
• Double click your sending domain and click on Enable

If you encounter an error in on of the above steps make sure that your DNS records are set properly. You can check the entries with the following command for Linux:

dig selector1._domainkey.domain.com
dig selector2._domainkey.domain.com

The output should include the CNAME entry for selector1/selector2 you created in your domain name settings. If you are using Windows you can use the following cmd command:

nslookup -q=CNAME selector1._domainkey.domain.com
nslookup -q=CNAME selector2._domainkey.domain.com

Both selectors must be correctly set before Microsoft allows you to enable DKIM for your domain. If both entries are correct wait another 15 -30 minutes and try to enable DKIM via one of the above options again.

Der Beitrag Howto enable DKIM in Microsoft 365 erschien zuerst auf MEB-IT | Blog.