Situation

Emails sent from your M365 mailbox to Yahoo, AOL, or Gmail recipients are not getting delivered and you receive a bounce back message with the following information:


With new requirements coming from Yahoo, AOL, and Gmail, custom domains using Microsoft 365 mail need added authentication for their mail to be received by these providers.


Prerequisites

To enable DKIM, you will require the following:

  • Admin rights in Microsoft Defender, or a Global Admin account
  • Access to your domain's DNS settings.


Obtaining DKIM records and applying them.

Applying DKIM is a process that can be done through the M365 admin portal.


  1. Log in to security.microsoft.com and go to Email & collaboration > Policies & Rules > Threat policies > Email authentication settings.


  2. Click on DKIM then select the domain you want to authenticate.


  3. It will show as disabled; click to enable it, or click Create DKIM keys.


  4. You will be shown the keys, or this error, which gives you the CNAME records you will need to add to your DNS.


    DNS records syntax example

    Domain: cohovineyard.com
    M365 Initial Domain: cohovineyardandwinery.onmicrosoft.com
    MX Record: cohovineyard-com.mail.protection.outlook.com

    CNAME #1
    Host name: selector1._domainkey.cohovineyard.com
    Points to address or value: selector1-cohovineyard-com._domainkey.cohovineyardandwinery.onmicrosoft.com
    TTL: 3600

    CNAME #2
    Host name: selector2._domainkey.cohovineyard.com
    Points to address or value: selector2-cohovineyard-com._domainkey.cohovineyardandwinery.onmicrosoft.com
    TTL: 3600

  5. Once you have added these records to your domain and they have fully propagated, return to the Defender portal and enable DKIM signing.


 *This procedure must be done for each domain name that you own and send emails from.
You can also enable DKIM for the tenant’s default “***.onmicrosoft.com” domain name. In that case you will not have to create the CNAME records, as Microsoft creates them automatically.
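
To confirm that both CNAME records have propagated before enabling signing in step 5, the following added example (not part of the original article or any Microsoft tooling) builds the two records in the syntax shown above and compares them with what DNS returns. The function names are hypothetical and `dig` is assumed to be installed; if the portal shows a different target value for your domain, compare against the portal's value instead.

```shell
#!/bin/sh
# Added example: derive the two DKIM CNAME records in the syntax shown in the
# article and compare them with live DNS answers. Function names are hypothetical.

# Lower-case a DNS name and drop any trailing dot so names compare cleanly.
normalize() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# dkim_host <selector-number> <custom-domain>
dkim_host() {
    printf 'selector%s._domainkey.%s\n' "$1" "$(normalize "$2")"
}

# dkim_target <selector-number> <custom-domain> <initial-onmicrosoft-domain>
# Per the syntax example: dots in the custom domain become dashes.
dkim_target() {
    dashed=$(normalize "$2" | tr '.' '-')
    printf 'selector%s-%s._domainkey.%s\n' "$1" "$dashed" "$(normalize "$3")"
}

# compare_cname <expected> <dns-answer>  ->  OK | MISSING | MISMATCH
compare_cname() {
    if [ -z "$2" ]; then
        echo MISSING
    elif [ "$(normalize "$1")" = "$(normalize "$2")" ]; then
        echo OK
    else
        echo MISMATCH
    fi
}

# check_dkim <custom-domain> <initial-domain> [resolver-ip]
# Queries both selectors; returns non-zero unless both are published correctly.
check_dkim() {
    rc=0
    for n in 1 2; do
        host=$(dkim_host "$n" "$1")
        want=$(dkim_target "$n" "$1" "$2")
        got=$(dig +short ${3:+"@$3"} CNAME "$host" | head -n 1)
        state=$(compare_cname "$want" "$got")
        printf '%-8s %s -> %s (expected %s)\n' "$state" "$host" "${got:-none}" "$want"
        [ "$state" = OK ] || rc=1
    done
    return $rc
}

# Run only when arguments are given, e.g.:
#   sh check_dkim.sh cohovineyard.com cohovineyardandwinery.onmicrosoft.com
if [ "$#" -ge 2 ]; then check_dkim "$@"; fi
```

Passing a public resolver's address as the optional third argument shows whether the records are visible outside your own DNS provider, which is what matters for propagation.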