Set up DKIM Records and Signing
Last Updated: October 18, 2019
DKIM (DomainKeys Identified Mail) adds signatures to messages sent from your organization; these signatures help prevent spoofed messages from being sent and/or received. We need a few pieces of information to create the correct DNS records for a client domain.
Create DNS Records:
To create the necessary DNS records for DKIM, we must first determine the Domain, DomainGUID, and InitialDomain that are being used.
Domain: The domain used to send email (e.g. protectedtrust.com)
DomainGUID: Perform an MX lookup on the domain; the DomainGUID is the portion of the MX host before mail.protection.office.com (e.g. protectedtrust-com). If they are using third-party antispam, look it up instead in the Office 365 admin center http://portal.office.com under Setup > Domains.
InitialDomain: This is the tenant "onmicrosoft.com" domain. To find it, log in to the Office 365 admin center and go to Setup > Domains (e.g. Elephantoutlookllc.onmicrosoft.com)
Use these values to generate the two CNAME values listed below:
- CNAME: selector1._domainkey.Domain POINTS TO selector1-DomainGUID._domainkey.InitialDomain
- CNAME: selector2._domainkey.Domain POINTS TO selector2-DomainGUID._domainkey.InitialDomain
For example: the first correctly formatted CNAME for protectedtrust.com would be:
CNAME: selector1._domainkey.protectedtrust.com POINTS TO selector1-protectedtrust-com._domainkey.elephantoutlookllc.onmicrosoft.com
We can test that we're pointing to the correct address by checking DNS for the "points to" address, which should resolve to a TXT record that returns something like "v=DKIM1; k=rsa; p=BIG STRING OF LETTERS; n = 1024,1461444703,1"
Once the CNAME record is published, we can test that the CNAME is created correctly by checking DNS for the CNAME records, which should then point to the correct TXT record.
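The record generation and both checks above can be scripted. The following is an added example, not part of the original article: the function names are hypothetical, and the CNAME and TXT answers are constructed strings passed in by the caller rather than fetched from live DNS.

```python
import base64
import binascii

def dkim_cnames(domain, domain_guid, initial_domain):
    """Return {record name: target} for both selectors (DNS names are case-insensitive)."""
    return {
        f"selector{n}._domainkey.{domain}".lower():
        f"selector{n}-{domain_guid}._domainkey.{initial_domain}".lower()
        for n in (1, 2)
    }

def parse_dkim_txt(txt):
    """Split a DKIM key record into tags; spaces around '=' and ';' are allowed."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # split once: base64 padding also uses '='
            tags[key.strip()] = value.strip()
    return tags

def check_selector(expected_target, observed_cname, observed_txt):
    """Return a list of problems; an empty list means the selector looks right."""
    problems = []
    if observed_cname.rstrip(".").lower() != expected_target:
        problems.append(f"CNAME points to {observed_cname}, expected {expected_target}")
    tags = parse_dkim_txt(observed_txt)
    if tags.get("v") != "DKIM1":
        problems.append("TXT record is not a DKIM1 key record")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unexpected key type {tags['k']}")
    key = "".join(tags.get("p", "").split())
    if not key:
        problems.append("p= is missing or empty (an empty p= means the key is revoked)")
    else:
        try:
            base64.b64decode(key, validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    return problems

# Constructed sample data: the p= value is placeholder bytes, not a real public key.
SAMPLE_KEY = base64.b64encode(b"constructed sample, not a real key").decode()
SAMPLE_TXT = f"v=DKIM1; k=rsa; p={SAMPLE_KEY}; n = 1024,1461444703,1"

if __name__ == "__main__":
    records = dkim_cnames("protectedtrust.com", "protectedtrust-com",
                          "Elephantoutlookllc.onmicrosoft.com")
    for name, target in records.items():
        # Here the expected target stands in for the DNS answer.
        print(name, "->", target, check_selector(target, target + ".", SAMPLE_TXT) or "OK")
```

In practice, feed `check_selector` the CNAME answer for each `selectorN._domainkey.Domain` name and the TXT answer for its target, taken from whatever DNS lookup tool you already use.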