Publish two CNAME records for your custom domain in DNS

For each domain for which you want to add a DKIM signature in DNS, you need to publish two CNAME records. A CNAME record is used by DNS to specify that the canonical name of a domain is an alias for another domain name.

Office 365 performs automatic key rotation using the two records that you establish. If you have provisioned custom domains in addition to the initial domain in Office 365, you must publish two CNAME records for each additional domain. So, if you have two domains, you must publish two additional CNAME records, and so on.

Use the following format for the CNAME records.

Host name: selector1._domainkeyHost name: selector1._domainkeyPoints to address or value: selector1-<domainGUID>._domainkey.<initialDomain> TTL: 3600
Host name: selector2._domainkeyPoints to address or value: selector2-<domainGUID>._domainkey.<initialDomain> TTL: 3600

If you don’t know the format, then use Powershell command

 New-DkimSigningConfig -DomainName domainname -keysize 2048 -Enabled $true

It will show you below:

WARNING: The config was created but can't be enabled because the CNAME records aren't published. Publish the following two
 CNAME records, and then enable the config by using Set-DkimSigningConfig.
selector1-domainGUID._domainkey.<initialDomain>
selector2-domainGUID._domainkey.<initialDomain>

Copy the highlighted part to the value field of CNAME record.

Now you have two options to enable the DKIM:

  1. Exchange online
    Go to Protection > DKIM, select the domain name, and click enable in the right pane.
  2. Powershell command:
    Connect to Exchange online powershell : https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?redirectedfrom=MSDN&view=exchange-ps
    Three steps:

    • save credential to variable: $UserCredential = Get-Credential , then type your office 365 login ID and password.
    • Generate a session: $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
      Notes:

      • For Office 365 operated by 21Vianet, use the ConnectionUri value: https://partner.outlook.cn/PowerShell
      • For Office 365 Germany, use the ConnectionUri value: https://outlook.office.de/powershell-liveid/
      • For Office 365 Government Community Cloud High (GCC High), use the ConnectionUri value: https://outlook.office365.us/powershell-liveid/
      • If you’re behind a proxy server, run this command first: $ProxyOptions = New-PSSessionOption -ProxyAccessType <Value>, where the ProxyAccessTypevalue is IEConfig, WinHttpConfig, or AutoDetect.

        Then, add the following parameter and value to the end of the $Session = … command: -SessionOption $ProxyOptions.

    • Connect to the session: Import-PSSession $Session -DisableNameChecking , after your work, disconnect by Remove-PSSession $Session

Use Powershell to enable DKIM:

New-DkimSigningConfig -DomainName {Domain for which config is to be created} -KeySize 2048 -Enabled $True

Verify the info:

Get-DkimSigningConfig | fl