How hard can it be?
Super hard, it turns out. But I hope this post will make it easier for you.
In order to produce some documentation for a client on setting up DKIM under Office365, I undertook to migrate a test domain of mine to Office365, and set it up. This way, I’d produce better documentation, having had personal, hands-on experience (and screenshots). How hard could it be?
Friends don’t let friends use non-working email addresses
First, I made a noob mistake, and bought my Office365 subscription with the email address I intended to use with it (i.e., a currently non-working email address). After my purchase, when I attempted to sign in, I received a mysterious error and was advised to “try again later”. Of course, not having a working email address, I wasn’t able to do an “account recovery” or reset my password in any way.
Fortunately, Safari had saved my (randomly generated) password to iCloud Keychain, and I was able to recover it and login the next day.
Second, to use DKIM, you need some DNS records added to your domain. Unlike SPF, which is relatively easy to setup on Office365, DKIM requires some mental gymnastics to identify what records to add.
Here’s the CNAMES I had to add to protect elpenguino.net:
selector1._domainkey --> selector1.selector1-elpenguino-net._domainkey.elpenguinonet.onmicrosoft.com selector1._domainkey --> selector2-elpenguino-net._domainkey.elpenguinonet.onmicrosoft.com
Part of the CNAME destination is my initial domain, and the other is the domainGUID. Neither match my actual domain.
So after I figured out the magic DNS records needed, I thought I’d be able to turn on DKIM signing, and get cracking. No. Turns out that for reasons unknown (but apparently rather common), to enable DKIM signing for my domain, I needed to break out some PowerShell.
Homebrew saved me, and with a quick
brew cask install powershell, I had a PowerShell CLI on my Macbook.
Assuming you’re in a similar situation, you’ll want to run the following commands via PowerShell:
Prepare to login:
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Do something else:
Import-PSSession $Session -DisableNameChecking
Enable DKIM signing for yourdomain.com:;
New-DkimSigningConfig -DomainName "yourdomain.com" -Enabled $true
Here’s my error-filled beginner’s attempt to drive PowerShell:
So, finally I can navigate to my Office365 Exchange Admin settings, and enable DKIM signing.
Best of luck to you, fair adventurer!
Header image courtesy of Dmitry Ulitin