How hard can it be?

Super hard, it turns out. But I hope this post will make it easier for you.

In order to produce some documentation for a client on setting up DKIM under Office365, I undertook to migrate a test domain of mine to Office365, and set it up. This way, I’d produce better documentation, having had personal, hands-on experience (and screenshots). How hard could it be?

Friends don’t let friends use non-working email addresses

First, I made a noob mistake, and bought my Office365 subscription with the email address I intended to use with it (i.e., a currently non-working email address). After my purchase, when I attempted to sign in, I received a mysterious error and was advised to “try again later”. Of course, not having a working email address, I wasn’t able to do an “account recovery” or reset my password in any way.

Fortunately, Safari had saved my (randomly generated) password to iCloud Keychain, and I was able to recover it and login the next day.

CNAME schenanigans

Second, to use DKIM, you need some DNS records added to your domain. Unlike SPF, which is relatively easy to setup on Office365, DKIM requires some mental gymnastics to identify what records to add.

Here’s the CNAMES I had to add to protect

selector1._domainkey -->
selector1._domainkey -->

Part of the CNAME destination is my initial domain, and the other is the domainGUID. Neither match my actual domain.

Powershell, much?

So after I figured out the magic DNS records needed, I thought I’d be able to turn on DKIM signing, and get cracking. No. Turns out that for reasons unknown (but apparently rather common), to enable DKIM signing for my domain, I needed to break out some PowerShell.

Homebrew saved me, and with a quick brew cask install powershell, I had a PowerShell CLI on my Macbook.

Assuming you’re in a similar situation, you’ll want to run the following commands via PowerShell:

Prepare to login: $UserCredential = Get-Credential

Actually login: $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection

Do something else: Import-PSSession $Session -DisableNameChecking

Enable DKIM signing for; New-DkimSigningConfig -DomainName "" -Enabled $true

Here’s my error-filled beginner’s attempt to drive PowerShell:

Example PowerShell output

So, finally I can navigate to my Office365 Exchange Admin settings, and enable DKIM signing.

Best of luck to you, fair adventurer!

You’ve successfully subscribed to 🧑‍💻 Funky Penguin
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Your link has expired
Success! Check your email for magic link to sign-in.