Enabling DKIM on Office365 is easy (as bathing a cat)

How hard can it be?

Super hard, it turns out. But I hope this post will make it easier for you.

In order to produce some documentation for a client on setting up DKIM under Office365, I undertook to migrate a test domain of mine to Office365, and set it up. This way, I’d produce better documentation, having had personal, hands-on experience (and screenshots). How hard could it be?

Friends don’t let friends use non-working email addresses

First, I made a noob mistake, and bought my Office365 subscription with the email address I intended to use with it (i.e., a currently non-working email address). After my purchase, when I attempted to sign in, I received a mysterious error and was advised to “try again later”. Of course, not having a working email address, I wasn’t able to do an “account recovery” or reset my password in any way.

Fortunately, Safari had saved my (randomly generated) password to iCloud Keychain, and I was able to recover it and log in the next day.

CNAME shenanigans

Second, to use DKIM, you need some DNS records added to your domain. Unlike SPF, which is relatively easy to set up on Office365, DKIM requires some mental gymnastics to identify what records to add.

Here are the CNAMEs I had to add to protect elpenguino.net:

selector1._domainkey --> selector1-elpenguino-net._domainkey.elpenguinonet.onmicrosoft.com
selector2._domainkey --> selector2-elpenguino-net._domainkey.elpenguinonet.onmicrosoft.com

Part of the CNAME destination is my initial domain, and the other is the domainGUID. Neither matches my actual domain.

PowerShell, much?

So after I figured out the magic DNS records needed, I thought I’d be able to turn on DKIM signing, and get cracking. No. Turns out that for reasons unknown (but apparently rather common), to enable DKIM signing for my domain, I needed to break out some PowerShell.

Homebrew saved me, and with a quick brew cask install powershell, I had a PowerShell CLI on my MacBook.

Assuming you’re in a similar situation, you’ll want to run the following commands via PowerShell:

  1. Prepare to log in: $UserCredential = Get-Credential

  2. Actually log in: $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

  3. Do something else: Import-PSSession $Session -DisableNameChecking

  4. Enable DKIM signing for yourdomain.com: New-DkimSigningConfig -DomainName "yourdomain.com" -Enabled $true
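The CNAME pair from the DNS step can be derived and checked mechanically before signing is enabled. The following is an added example, not code from the original post: the function names Get-ExpectedDkimCname and Test-DkimCname are hypothetical, the published records are constructed sample data, and deriving the domainGUID by replacing dots with dashes is an assumption that matches the post's domain.

```powershell
# Added example: build the two DKIM CNAME records Office 365 expects for a
# domain and compare them with what is actually published.
function Get-ExpectedDkimCname {
    param(
        [Parameter(Mandatory)] [string] $Domain,        # custom domain
        [Parameter(Mandatory)] [string] $InitialDomain  # *.onmicrosoft.com domain
    )
    # Assumption: domainGUID = custom domain with dots replaced by dashes.
    # The authoritative value is the label in front of
    # .mail.protection.outlook.com in the domain's MX record.
    $domainGuid = $Domain.ToLower().Replace('.', '-')
    foreach ($selector in 'selector1', 'selector2') {
        [pscustomobject]@{
            Name   = "${selector}._domainkey.${Domain}".ToLower()
            Target = "${selector}-${domainGuid}._domainkey.${InitialDomain}".ToLower()
        }
    }
}

function Test-DkimCname {
    param(
        [Parameter(Mandatory)] [object[]] $Expected,
        [Parameter(Mandatory)] [object[]] $Published  # objects with Name, Target
    )
    foreach ($want in $Expected) {
        # DNS names are case-insensitive and may carry a trailing root dot.
        $found = @($Published | Where-Object { $_.Name.TrimEnd('.') -ieq $want.Name })
        if ($found.Count -eq 0) { $status = 'missing' }
        elseif ($found.Count -gt 1) { $status = 'duplicate name' }
        elseif ($found[0].Target.TrimEnd('.') -ieq $want.Target) { $status = 'ok' }
        else { $status = 'wrong target' }
        [pscustomobject]@{ Name = $want.Name; Expected = $want.Target; Status = $status }
    }
}

$expected = Get-ExpectedDkimCname -Domain 'elpenguino.net' `
    -InitialDomain 'elpenguinonet.onmicrosoft.com'

# Constructed sample of published records: selector2 was pasted with
# selector1's target, a common copy-and-paste slip.
$published = @(
    [pscustomobject]@{ Name   = 'selector1._domainkey.elpenguino.net.'
                       Target = 'selector1-elpenguino-net._domainkey.elpenguinonet.onmicrosoft.com.' }
    [pscustomobject]@{ Name   = 'Selector2._domainkey.elpenguino.net.'
                       Target = 'selector1-elpenguino-net._domainkey.elpenguinonet.onmicrosoft.com.' }
)

Test-DkimCname -Expected $expected -Published $published | Format-Table -AutoSize
```

Once the Exchange Online session from steps 1 to 3 is imported, Get-DkimSigningConfig reports the tenant's own Selector1CNAME and Selector2CNAME values, which can replace the derived targets.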

Here’s my error-filled beginner’s attempt to drive PowerShell:

Example PowerShell output

So, finally I can navigate to my Office365 Exchange Admin settings, and enable DKIM signing.

Best of luck to you, fair adventurer!

Header image courtesy of Dmitry Ulitin


© 2019. All rights reserved.