DomainKeys Identified Mail SHOULD Be Enabled
Description
DomainKeys Identified Mail (DKIM) lets the sending mail system add a digital signature to each outbound message in a DKIM-Signature header. Receivers verify the signature against a public key published in the sender's DNS, which gives both authenticity (the message was signed by a system authorized for the domain) and integrity (the signed headers and body were not altered in transit). As with SPF, DKIM relies on DNS records; thus, its deployment depends on how an organization manages its DNS. DKIM signing is enabled automatically for the tenant's initial onmicrosoft.com domain, but it must be manually enabled for each custom domain.
Policy
DKIM SHOULD be enabled for any custom domain.
Licensing Considerations
DKIM signing is included with Exchange Online Protection (EOP), which is included in all Microsoft 365 subscriptions that contain Exchange Online mailboxes.
Set Up Instructions
How to use DKIM for email in your custom domain - Office 365 | Microsoft Learn
How Sender Policy Framework (SPF) prevents spoofing - Office 365 | Microsoft Learn
To enable DKIM, follow the instructions listed on Steps to Create, enable and disable DKIM from Microsoft 365 Defender portal | Microsoft Docs.
Navigate to the Microsoft 365 Defender admin center.
Go to Policies & Rules.
Go to Threat Policies.
Select DKIM.
Select your domain.
Switch Sign messages for this domain with DKIM signatures to Enabled.
If you are enabling DKIM for the first time, a pop-up window listing two Canonical Name (CNAME) records displays. Publish these records with your DNS service provider and wait for them to resolve publicly; Microsoft 365 checks for the CNAMEs when signing is enabled and reports an error if they are missing.
Return to the DKIM page on the Defender admin center to finish enabling DKIM.
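The same procedure can be done from Exchange Online PowerShell, which is useful for auditing many domains at once. The script below is an added example and is not taken from the Microsoft documentation linked above. It assumes the ExchangeOnlineManagement module is installed, that the account holds an Exchange administrator role, and that the script runs on Windows (Resolve-DnsName comes from the DnsClient module); the domain name is a placeholder. It creates the signing configuration if needed, prints the two CNAME records to publish, checks public DNS for them, and only then turns signing on.

```powershell
# Added example (not from the linked Microsoft docs): enable DKIM signing for a
# custom domain with Exchange Online PowerShell and verify the two CNAME records
# before enabling. $Domain is a placeholder for the tenant's custom domain.
param(
    [Parameter(Mandatory)] [string] $Domain   # e.g. contoso.com
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Step 1: make sure a signing configuration exists for the domain. Creating it
# disabled first mirrors the portal flow: Microsoft generates the key pair and
# returns the CNAME targets that must be published.
$cfg = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
if (-not $cfg) {
    $cfg = New-DkimSigningConfig -DomainName $Domain -KeySize 2048 -Enabled $false
}

# Step 2: the two CNAMEs (selector1 and selector2) that the DNS provider must host.
$expected = @{
    "selector1._domainkey.$Domain" = $cfg.Selector1CNAME
    "selector2._domainkey.$Domain" = $cfg.Selector2CNAME
}
foreach ($entry in $expected.GetEnumerator()) {
    "Publish CNAME  {0}  ->  {1}" -f $entry.Key, $entry.Value
}

# Step 3: confirm both records resolve in public DNS. Enabling signing before the
# CNAMEs exist fails, and a selector recipients cannot resolve means every
# signature would fail verification.
function Test-DkimCname {
    param([string] $Name, [string] $Target)
    try {
        $rec = Resolve-DnsName -Name $Name -Type CNAME -DnsOnly -ErrorAction Stop
        $nameHost = ($rec | Where-Object QueryType -eq 'CNAME' | Select-Object -First 1).NameHost
        if (-not $nameHost) { return $false }
        return ($nameHost.TrimEnd('.') -ieq $Target.TrimEnd('.'))
    } catch {
        return $false
    }
}

$allOk = $true
foreach ($entry in $expected.GetEnumerator()) {
    $ok = Test-DkimCname -Name $entry.Key -Target $entry.Value
    $state = if ($ok) { 'OK     ' } else { 'MISSING' }
    "{0}  {1}" -f $state, $entry.Key
    if (-not $ok) { $allOk = $false }
}

# Step 4: enable signing only once DNS is in place, then show the resulting state.
if ($allOk) {
    Set-DkimSigningConfig -Identity $Domain -Enabled $true
    Get-DkimSigningConfig -Identity $Domain |
        Format-List Domain, Enabled, Selector1CNAME, Selector2CNAME
} else {
    Write-Warning "CNAME records for $Domain are not yet visible in public DNS; re-run after propagation before enabling."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it as `.\Enable-Dkim.ps1 -Domain contoso.com` (file name and domain are placeholders). For a tenant-wide audit, `Get-DkimSigningConfig | Select-Object Domain, Enabled` lists every domain that has a configuration; custom domains absent from that list, or listed with Enabled set to False, are the ones this policy requires you to fix.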
End-User Impact
Level: Low
There is no direct impact on end users. Outbound mail is more likely to be delivered rather than quarantined or marked as spam by recipients that verify DKIM (and, where the organization publishes a DMARC policy, DKIM provides one of the two ways for messages to pass DMARC).
Tips
None Currently
PowerShell Scripts
None Currently
Videos
Last updated