2.1.9 Ensure that DKIM is enabled for all Exchange Online Domains


DKIM is one of the trio of Authentication methods (SPF, DKIM and DMARC) that help prevent attackers from sending messages that look like they come from your domain.

DKIM lets an organization add a digital signature to outbound email messages in the message header. When DKIM is configured, the organization authorizes its domain to associate, or sign, its name to an email message using cryptographic authentication. Email systems that receive email from this domain can use the digital signature to help verify whether incoming email is legitimate.

Use DKIM in addition to SPF and DMARC to help prevent malicious actors from using spoofing techniques to send messages that look like they are coming from your domain.


By enabling DKIM with Office 365, messages that are sent from Exchange Online will be cryptographically signed. This allows the receiving email system to validate that the messages were generated by a server that the organization authorized and were not spoofed.


There should be no impact from setting up DKIM; however, organizations should ensure appropriate setup to maintain continuous mail flow.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


To set up DKIM records, first add the following records to your DNS system for each Exchange Online domain that you plan to send email from:

For each accepted domain in Exchange Online, two DNS entries are required.

Host name: selector1._domainkey
Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>
Host name: selector2._domainkey
Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain>

For Office 365, the selectors will always be selector1 or selector2.
domainGUID is the same as the domainGUID in the customized MX record for your custom domain that appears before mail.protection.outlook.com. For example, in the following MX record for the domain contoso.com, the domainGUID is contoso-com:

contoso.com. 3600 IN MX 5 contoso-com.mail.protection.outlook.com

The initial domain is the domain that you used when you signed up for Office 365. Initial domains always end in onmicrosoft.com.

After the DNS records are created, enable DKIM signing in Defender.

Navigate to Microsoft 365 Defender https://security.microsoft.com/

Expand Email & collaboration > Policies & rules > Threat policies.

Under the Rules section, click Email authentication settings.

Select DKIM

Click on each domain and click Enable next to Sign messages for this domain with DKIM signature.

To enable DKIM, use the Exchange Online PowerShell Module:

Connect to Exchange Online service using Connect-ExchangeOnline.

Run the following Exchange Online PowerShell command:

Set-DkimSigningConfig -Identity <domainName> -Enabled $True
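An added PowerShell audit for this control, written here as an example and not part of the benchmark or of Microsoft's own tooling. It assumes an active Connect-ExchangeOnline session, the Windows DnsClient module (Resolve-DnsName), and that Get-AcceptedDomain and Get-DkimSigningConfig behave as documented; it derives the expected CNAME targets from each domain's MX record exactly as the text describes and checks both the DNS records and the signing state.

```powershell
# Added audit script, not part of the benchmark. Assumes an active Connect-ExchangeOnline
# session and the Windows DnsClient module (Resolve-DnsName). Rule being checked: each custom
# domain needs selector1/selector2 CNAMEs pointing at
# selector<N>-<domainGUID>._domainkey.<initialDomain>, where domainGUID is the MX host name
# minus the mail.protection.outlook.com suffix, and DKIM signing must be enabled.

$initialDomain = [string](Get-AcceptedDomain | Where-Object { $_.InitialDomain }).DomainName

function Get-ExpectedDkimTarget {
    param([string]$Domain, [int]$Selector)
    # Lowest-preference MX record that points at Exchange Online for this domain.
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
          Where-Object { $_.NameExchange -like '*.mail.protection.outlook.com*' } |
          Sort-Object Preference | Select-Object -First 1
    if (-not $mx) { return $null }   # MX not at Exchange Online: domainGUID cannot be derived
    $domainGuid = $mx.NameExchange.ToLower() -replace '\.mail\.protection\.outlook\.com\.?$', ''
    return "selector$Selector-$domainGuid._domainkey.$initialDomain"
}

function Get-DkimAuditReport {
    foreach ($d in Get-AcceptedDomain | Where-Object { -not $_.InitialDomain }) {
        $name = [string]$d.DomainName
        $cfg  = Get-DkimSigningConfig -Identity $name -ErrorAction SilentlyContinue
        $row  = [ordered]@{ Domain = $name; SigningEnabled = [bool]$cfg.Enabled }
        foreach ($n in 1, 2) {
            $expected = Get-ExpectedDkimTarget -Domain $name -Selector $n
            $actual   = Resolve-DnsName -Name "selector$n._domainkey.$name" -Type CNAME `
                            -ErrorAction SilentlyContinue |
                        Where-Object { $_.Type -eq 'CNAME' } |
                        Select-Object -First 1 -ExpandProperty NameHost
            $row["Selector${n}Cname"] = $actual
            # String -eq is case-insensitive in PowerShell, matching DNS name semantics.
            $row["Selector${n}Valid"] = [bool]($expected -and $actual -eq $expected)
        }
        $row.Compliant = $row.SigningEnabled -and $row.Selector1Valid -and $row.Selector2Valid
        [pscustomobject]$row
    }
}

# Domains reporting Compliant = False still need the CNAME records and/or the
# Set-DkimSigningConfig remediation step above.
Get-DkimAuditReport | Format-Table -AutoSize
```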

Item Details


References: 800-53|SC-7, CSCv7|7.8

Plugin: microsoft_azure

Control ID: 5c58e313d5647439274a954ef71bd21e70e8f4bcc5a7c529b50e40e4f0e8b54c