You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-office-365/email-authentication-dkim-configure.md
+17-16Lines changed: 17 additions & 16 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@ f1.keywords:
5
5
author: chrisda
6
6
ms.author: chrisda
7
7
manager: bagol
8
-
ms.date: 06/19/2025
8
+
ms.date: 10/06/2025
9
9
audience: ITPro
10
10
ms.topic: how-to
11
11
@@ -51,15 +51,15 @@ Important facts about DKIM:
51
51
52
52
Before we get started, here's what you need to know about DKIM in Microsoft 365 based on your email domain:
53
53
54
-
-**If you use only the Microsoft Online Email Routing Address (MOERA) domain for email (for example, contoso.onmicrosoft.com)**: You don't need to do anything. Microsoft automatically creates a 2048-bit public-private key pair from your initial \*.onmicrosoft.com domain. Outbound messages are automatically DKIM signed using the private key. The public key is published in a DNS record so destination email systems can verify the DKIM signature of messages.
54
+
-**If you use only the Microsoft Online Email Routing Address (MOERA) domain for email (for example, contoso.onmicrosoft.com)**: You don't need to do anything. Outbound messages from senders in the contoso.onmicrosoft.com domainare automatically DKIM signed by the contoso.onmicrosoft.com domain.
55
55
56
56
But, you can also manually configure DKIM signing using the \*.onmicrosoft.com domain. For instructions, see the [Use the Defender portal to customize DKIM signing of outbound messages using the \*.onmicrosoft.com domain](#use-the-defender-portal-to-customize-dkim-signing-of-outbound-messages-using-the-onmicrosoftcom-domain) section later in this article.
57
57
58
-
To verify the fact that outbound messages are automatically DKIM signed, see the [Verify DKIM signing of outbound mail from Microsoft 365](#verify-dkim-signing-of-outbound-mail-from-microsoft-365) section later in this article.
58
+
To verify outbound messages from senders in the initial \*.onmicrosoft.com domain are DKIM signed, see the [Verify DKIM signing of outbound mail from Microsoft 365](#verify-dkim-signing-of-outbound-mail-from-microsoft-365) section later in this article.
59
59
60
60
For more information about \*.onmicrosoft.com domains, see [Why do I have an "onmicrosoft.com" domain?](/microsoft-365/admin/setup/domains-faq#why-do-i-have-an--onmicrosoft-com--domain).
61
61
62
-
-**If you use one or more custom domains for email (for example, contoso.com)**: Even though the MOERA domain signs all outbound mail from Microsoft 365, you still have more work to do for maximum email protection:
62
+
-**If you use one or more custom domains for email (for example, contoso.com)**: Currently, no DKIM signing occurs for outbound mail from custom domains, so you need to do the following steps for maximum email protection:
63
63
-**Configure DKIM signing using custom domains or subdomains**: A message needs to be DKIM signed by the domain in the From address. We also recommend configuring DMARC, and DKIM passes DMARC validation only if the domain that DKIM signed the message and the domain in the From address align.
64
64
65
65
-**Subdomain considerations**:
@@ -157,8 +157,6 @@ You need to create two CNAME records in DNS in each custom domain, for a total o
157
157
### Use the Defender portal to enable DKIM signing of outbound messages using a custom domain
158
158
159
159
> [!TIP]
160
-
> Enabling DKIM signing of outbound messages using a custom domain effectively switches DKIM signing from using the initial \*.onmicrosoft.com domain to using the custom domain.
161
-
>
162
160
> You can use a custom domain or subdomain to DKIM sign outbound mail only after the domain is successfully added to Microsoft 365. For instructions, see [Add a domain](/microsoft-365/admin/setup/add-domain#add-a-domain).
163
161
>
164
162
> The main factor that determines when a custom domain starts DKIM signing outbound mail is the CNAME record detection in DNS.
@@ -207,6 +205,15 @@ Proceed if the domain satisfies these requirements.
207
205
**Hostname**: `selector2._domainkey`<br>
208
206
**Points to address or value**: `selector2-contoso-com._domainkey.contoso.n-v1.dkim.mail.microsoft`
209
207
208
+
> [!TIP]
209
+
> As previously described in the [Syntax for DKIM CNAME records](#syntax-for-dkim-cname-records), your domain might require the old record syntax:
210
+
>
211
+
> Hostname: `selector1._domainkey`
212
+
> Points to address or value: `selector1-contoso-com._domainkey.contoso.onmicrosoft.com`
213
+
>
214
+
> Hostname: `selector2._domainkey`
215
+
> Points to address or value: `selector2-contoso-com._domainkey.contoso.onmicrosoft.com`
216
+
210
217
Copy the information from the error dialog (select the text and press CTRL+C), and then select **OK**.
211
218
212
219
Leave the domain details flyout open.
@@ -234,9 +241,7 @@ Proceed if the domain satisfies these requirements.
234
241
235
242
### Use the Defender portal to customize DKIM signing of outbound messages using the \*.onmicrosoft.com domain
236
243
237
-
As described earlier in this article, the initial \*.onmicrosoft.com domain is automatically configured to sign all outbound mail from your Microsoft 365 organization, and you should [configure custom domains to DKIM sign outbound messages](#use-the-defender-portal-to-enable-dkim-signing-of-outbound-messages-using-a-custom-domain).
238
-
239
-
But, you can also use the procedures in this section to affect DKIM signing using the \*.onmicrosoft.com domain:
244
+
As described earlier in this article, outbound mail from senders in the initial \*.onmicrosoft.com domain is automatically DKIM signed by the initial \*.onmicrosoft.com domain. But, you can use the procedures in this section to affect DKIM signing using the \*.onmicrosoft.com domain:
240
245
241
246
- Generate new keys. The new keys are automatically added and used in the Microsoft 365 datacenters.
242
247
- Have the properties of the \*.onmicrosoft.com domain appear correctly in the details flyout of the domain on the **DKIM** tab of the **Email authentication settings** page at <https://security.microsoft.com/authentication?viewid=DKIM> or in PowerShell. This result allows for future operations on the DKIM configuration for the domain (for example, [manual key rotation](#rotate-dkim-keys)).
@@ -279,12 +284,12 @@ Proceed if the domain satisfies these requirements.
279
284
280
285
### Use Exchange Online PowerShell to configure DKIM signing of outbound messages
281
286
282
-
If you'd rather use PowerShell to enable DKIM signing of outbound messages using a custom domain, or to customize DKIM signing for the \*.onmicrosoft.com domain, connect to [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) to run the following commands.
287
+
If you'd rather use PowerShell to enable DKIM signing of outbound messages using a custom domain, or to customize DKIM signing for the initial \*.onmicrosoft.com domain, connect to [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) to run the following commands.
283
288
284
289
> [!TIP]
285
290
> Before you can configure DKIM signing using the custom domain, you need to add the domain to Microsoft 365. For instructions, see [Add a domain](/microsoft-365/admin/setup/add-domain#add-a-domain). To confirm that the custom domain is available for DKIM configuration, run the following command: `Get-AcceptedDomain`.
286
291
>
287
-
> As described earlier in this article, your \*.onmicrosoft.com domain is already signing outbound email by default. Typically, unless you manually configured DKIM signing for the \*.onmicrosoft.com domain in the Defender portal or in PowerShell, the \*.onmicrosoft.com doesn't appear in the output of **Get-DkimSigningConfig**.
292
+
> As described earlier in this article, your \*.onmicrosoft.com domain is already signing outbound email from senders in the \*.onmicrosoft.com by default. Typically, unless you manually configured DKIM signing for the \*.onmicrosoft.com domain in the Defender portal or in PowerShell, the \*.onmicrosoft.com doesn't appear in the output of **Get-DkimSigningConfig**.
288
293
289
294
1. Run the following command to verify the availability and DKIM status of all domains in the organization:
290
295
@@ -358,7 +363,7 @@ If you'd rather use PowerShell to enable DKIM signing of outbound messages using
358
363
359
364
It takes a few minutes (or possibly longer) for Microsoft 365 to detect the new CNAME records that you created.
360
365
361
-
- **\*.onmicrosoft.com domain**: Go to Step 5.
366
+
- **\*.onmicrosoft.com domain**: Go to the next step.
362
367
363
368
5. After a while, return to Exchange Online PowerShell, replace \<Domain\> with the domain that you configured, and run the following command:
364
369
@@ -505,10 +510,6 @@ For detailed syntax and parameter information, see the following articles:
505
510
506
511
## Disable DKIM signing of outbound messages using a custom domain
507
512
508
-
As described earlier in this article, enabling DKIM signing of outbound messages using a custom domain effectively switches DKIM signing from using the \*.onmicrosoft.com domain to using the custom domain.
509
-
510
-
When you disable DKIM signing using a custom domain, you aren't completely disabling DKIM signing for outbound mail. DKIM signing eventually switches back to using the \*.onmicrosoft domain.
511
-
512
513
### Use the Defender portal to disable DKIM signing of outbound messages using a custom domain
513
514
514
515
1. In the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration**\>**Policies & rules**\>**Threat policies**\>**Email authentication settings** page. Or, to go directly to the **Email authentication settings** page, use <https://security.microsoft.com/authentication>.
Copy file name to clipboardExpand all lines: defender-office-365/tenant-allow-block-list-teams-domains-configure.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,7 +15,7 @@ ms.collection:
15
15
- tier1
16
16
description: Admins can learn how to block domains in Microsoft Teams using the Tenant Allow/Block List.
17
17
ms.service: defender-office-365
18
-
ms.date: 08/04/2025
18
+
ms.date: 10/06/2025
19
19
appliesto:
20
20
- ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Default email protections for cloud mailboxes</a>
21
21
- ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -53,7 +53,7 @@ This article describes how security admins can manage entries for blocked domain
53
53
54
54
- Block entries for domains in Teams never expire.
55
55
56
-
- An entry should be active within 5 minutes.
56
+
- An entry should be active within 24 hours.
57
57
58
58
- You need to be assigned permissions before you can do the procedures in this article. You have the following options:
59
59
-[Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**<sup>\*</sup>, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions *and* permissions for other features in Microsoft 365.
![m365-skilling-repo-management[bot]](https://avatars.githubusercontent.com/in/1161012?v=4&size=40){kind=avatar}
0 commit comments