Skip to content

Commit 401a86a

Browse files
chrisdachrisda
authored
Update email-authentication-dkim-configure.md
1 parent 7fa3d5a commit 401a86a

File tree

1 file changed

+17
-13
lines changed

1 file changed

+17
-13
lines changed

defender-office-365/email-authentication-dkim-configure.md

Lines changed: 17 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ f1.keywords:
55
ms.author: chrisda
66
author: chrisda
77
manager: deniseb
8-
ms.date: 04/14/2025
8+
ms.date: 06/19/2025
99
audience: ITPro
1010
ms.topic: how-to
1111

@@ -109,18 +109,22 @@ Points to address or value: selector2-<CustomDomainWithDashes>._domainkey.<Initi
109109
- **Hostname**: The values are the same for all Microsoft 365 organizations: `selector1._domainkey` and `selector2._domainkey`.
110110
- **\<CustomDomainWithDashes\>**: The custom domain or subdomain with periods replaced by dashes. For example, `contoso.com` becomes `contoso-com`, or `marketing.contoso.com` becomes `marketing-contoso-com`.
111111
- **\<InitialDomainPrefix\>**: The custom part of the \*.onmicrosoft.com you used to enroll in Microsoft 365. For example, if you used `contoso.onmicrosoft.com`, the value is `contoso`.
112-
- **\<DynamicPartitionCharacter\>**: A dynamically generated character that's used for both selectors such as .r, .n, or other suffixes,The value is automatically assigned by Microsoft when a new custom domain is added and DKIM is enabled.
113-
This character is part of the updated DKIM record format introduced for newly added custom domains in Microsoft 365 at the time the custom domain is added and DKIM is enabled in Microsoft 365
114-
115-
Existing domains and initial tenant domains continue using the older .onmicrosoft.com format.
116-
117-
The character is determined by Microsoft’s internal routing logic and is not configurable.
118-
119-
To retrieve the correct DKIM CNAME values including the assigned <DynamicPartitionCharacter>, you should run the following PowerShell command:
120-
121-
Get-DkimSigningConfig -Identity yourdomain.com | Format-List Name,Enabled,Status,Selector1CNAME,Selector2CNAME
122-
123-
Now you have the values that must be published in your DNS, including the dynamic partition character
112+
- **\<DynamicPartitionCharacter\>**: A dynamically generated character (for example, r or n) that's used for both selectors. The value is automatically assigned by Microsoft when you add a new custom domain and enable DKIM. The value is determined by Microsoft's internal routing logic and isn't configurable.
113+
- This value is part of the updated DKIM record format for new custom domains in Microsoft 365 introduced in May 2025. Existing custom domains and initial domains continue to use the old DKIM format:
114+
115+
```text
116+
Hostname: selector1._domainkey
117+
Points to address or value: selector1-contoso-com._domainkey.contoso.onmicrosoft.com
118+
119+
Hostname: selector2._domainkey
120+
Points to address or value: selector2-contoso-com._domainkey.contoso.onmicrosoft.com
121+
```
122+
123+
- **The old and new and old formats can't coexist for the same selector**. To retrieve the correct DKIM CNAME values for a domain, including the assigned \<DynamicPartitionCharacter\> value, replace contoso.com with the domain value, and then run the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell):
124+
125+
```powershell
126+
Get-DkimSigningConfig -Identity contoso.com | Format-List Name,Enabled,Status,Selector1CNAME,Selector2CNAME
127+
```
124128
125129
- **v1**: The current CNAME format version that's used for both selectors.
126130
- **dkim.mail.microsoft**: The parent DNS zone that's the same for both selectors.

0 commit comments

Comments
 (0)