Can't Enable DKIM in Office 365

Copper Contributor

AOL, Yahoo, and Verizon (using the same email server) are now requiring that SPF, DKIM, and DMARC be enabled for emails sent to those addresses. I saw a report that Google will soon require this too. My problem is that to enable DKIM, I have to create 2 CNAME records. I have created these records on 4 accounts on 4 different providers. I have another account that actually works, but DKIM was enabled even without the CNAMES. I also passed the DMARC check on that account, so I know that I have managed to put in the correct entries in the CNAME records. But, I still get the error message about needing the CNAME records before enabling DKIM.

 

Another curiosity is that on none of my accounts can I detect CNAME records, even CNAMEs that were already there? What do I have to do to enable DKIM on these accounts (a total of 6 accounts on 4 different hosts)?

4 Replies

@Bob_HaveyD2DCS 

You mentioned that DKIM was already enabled without CNAME resource records.
Activating requires two CNAME records in an external DNS zone of the M365 custom domain, not an internal DNS zone. EXO checks the availability of the correct CNAME records before activation of DKIM.

 

What do the mean by "4 accounts on 4 different providers"?

There should only be one name server provider for the DNS records of a custom domain.

May be I am getting this wrong.

-Thomas 

 

 

@ThomasStensitzkiGRK   The DKIM being enabled on my own account could be a relic of a previous name server.  I moved the domain and website.  I do not remember enabling DKIM in the past.  If I can straighten the other accounts out, I will revisit my own accounts.

 

There a actually 6 accounts in question.  I "inherited" a couple of them.  I moved 2 of the accounts because the previous provider did not support an upgrade to the version of MySQL that I needed.  There are 2 accounts that I don't handle the website for, so I left them alone.  2 other accounts were at different providers when I took them over.  There was no reason to disrupt them.

 

I have managed to get DKIM and DMARC working on 2 of the accounts, it may be a question of patience on my part.

I am a little confused with what I am seeing on the Defender admin page. There seems to be 2 domains, but the format is not consistent. My account shows my domain and another one that says NETORGxxxxxxx.onmicrosoft.com. Another account shows the domain and domainroot.onmicrosoft.com. Where domainroot is the domain name without the ".com" extension.

The selectors for my account have NETORGxxxxxxx embedded in the "points to".
I think my previous post got lost. I apologize if I posted 2 versions of the same comment.

I managed get 5 out of my 6 email domains working. The 6th is a problem. The DKIM flyout on the Microsoft Defender page show 2 entries. The first entry is the domain itself. The second entry is the domain root with onmicrosoft.com appended.

The flyout for the onmicrosoft.com entry reports that DKIM is enabled and that it was last checked on March 13, 2024 10:56.34 AM (today). The flyout for the entry with just the domain name reports That DKIM is disabled and was last checked on March 9, 2016 10:56.34 (8 yeas ago). I suspect that this lack of a check is why I can’t enable DKIM on this account. Is there a way to force an updated check of this DNS?