howTo: Add Your DKIM Record Generated by Microsoft 365 and Google Workspace

So we have learned what a DKIM record is and that it is an email authentication method that uses a digital signature to let the receiving email server know that the message was sent and authorized by your domain. Let us now look deeper into how it can impemented on your own for free.

The following steps are available in Google's and Microsoft's official documentation and are provided here for context only. For more details please refer to Google's and Microsoft's official documentation.

This howTo: guide assumes that you have already completed your domain verification.

Option 1: Using Google Workspace

1. Log in to the Google Admin Console.
2. Navigate to Apps > Google Workspace > Gmail > Authenticate Email.
3. Select your domain and click "Generate new record."
   1. Key length:
      1. Select 2048-bit if your domain supports enhanced security(confirm with your domain registrar or DNS hosting provider).
      2. if not supported, then choose 1024-bit
   2. Prefix selector:
      1. This is "google" by default
      2. If this is already used you may change to unique prefix of your choice. Be sure to document this somewhere to keep track of your changes.
   3. Generate your DKIM key pair by clicking "Generate".
4. Adding Your Generated DKIM Public Key to your DNS
   1. After generating your DKIM Keys you will receive:
      1. DNS Hostname (TXT record name): Typically in the format google._domainkey.yourdomain.com.
      2. TXT Record Value: The public DKIM key string.
   2. Access Domain DNS Settings:Log in to your domain registrar's control panel.Navigate to the DNS management section.
   3. Create a New TXT Record:Type: TXTName/Host: Enter the DNS Hostname provided (e.g., google._domainkey).Value/Text: Paste the TXT Record Value (the public key).TTL: Set to 3600 seconds (1 hour) or use the default value.
   4. Save Changes:Save the new TXT record.DNS propagation can take up to 48 hours.
5. Activate DKIM Signing in Google Workspace
   1. Return to Admin Console:
      1. After allowing time for DNS propagation, go back to Apps > Google Workspace > Gmail > Authenticate email.
   2. Select Domain:
      1. Choose the domain you configured.
      2. The status should update to Authenticating email with DKIM.
6. Verify DKIM Configuration
   1. Send a Test Email:
      1. Send an email from your domain to a Gmail or Google Workspace account.
   2. Check Email Headers:
      1. In the recipient's Gmail account, open the email.
      2. Click the three vertical dots (More) next to the Reply button and select Show original.
      3. Look for the Authentication-Results header.
         1. A successful setup will display dkim=pass or dkim=ok.
7. Monitor and Maintain
   1. Regular Key Rotation:
      1. For enhanced security, consider rotating your DKIM keys annually.
   2. Monitor Email Deliverability:
      1. Keep an eye on your email deliverability and watch for any authentication issues.

Option 2: Using Microsoft 365

1. Access the Microsoft 365 Defender Portal
   1. Sign In: Log in to the Microsoft 365 Defender portal with your admin credentials.
   2. Navigate to DKIM Settings:
      1. In the left-hand navigation pane, expand Email & Collaboration.
      2. Click on Policies & Rules.
      3. Select Threat Policies.
      4. Under Email Authentication Settings, choose the DKIM tab.

2. Generate DKIM Keys

1. Select Domain: In the DKIM page, select the domain for which you want to enable DKIM.
2. Create DKIM Keys:
   1. Click on Create DKIM keys.
   2. Microsoft 365 will generate two CNAME records for your domain.

3. Add CNAME Records to Your DNS

1. Access DNS Management: Log in to your domain registrar's control panel to manage DNS records.
2. Create CNAME Records:
   1. Record 1:
      1. Name: selector1._domainkey.yourdomain.com
      2. Value: selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
   2. Record 2:
      1. Name: selector2._domainkey.yourdomain.com
      2. Value: selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
   3. Replace yourdomain.com with your actual domain name.
3. Save Changes: After adding the CNAME records, save your DNS settings. Note that DNS propagation can take up to 48 hours.

4. Enable DKIM in Microsoft 365

1. Return to DKIM Settings: After allowing time for DNS propagation, go back to the DKIM settings in the Microsoft 365 Defender portal.
2. Select Domain: Choose the domain you configured.
3. Enable DKIM:
   1. Click on Enable to start signing outgoing messages with DKIM for the selected domain.

5. Verify DKIM Configuration

1. Send a Test Email: Send an email from your domain to an external email account (e.g., Gmail).
2. Check Email Headers:
   1. In the recipient's email client, view the email headers.
   2. Look for the Authentication-Results header.
      1. A successful setup will display dkim=pass or dkim=ok.

6. Monitor and Maintain

1. Regular Key Rotation: For enhanced security, consider rotating your DKIM keys periodically.
2. Monitor Email Deliverability: Keep an eye on your email deliverability and watch for any authentication issues.

In another article soon to be published, we will look into generating your DKIM keys using a third party tool if you have or want to have your own email server instead of using Microsoft 365 or Google Workspace.

We Value Your Feedback!
Have you implemented using our guide?
We'd love to hear about your experience! Share your success stories, challenges, or suggestions at . Let us know if there are specific improvements you'd like to see in our guide!

Have Questions?
If you have any questions or need clarifications, don't hesitate to reach out to us at . We're here to help you secure your systems.

Thank you for helping us improve and supporting our mission to make cybersecurity accessible for everyone!