Update email-authentication-dkim-configure.md

chrisda · chrisda · commit b97b9e75ea04 · 2025-04-14T10:53:28.000-07:00
Acrolinx
diff --git a/defender-office-365/email-authentication-dkim-configure.md b/defender-office-365/email-authentication-dkim-configure.md
@@ -59,11 +59,11 @@ Before we get started, here's what you need to know about DKIM in Microsoft 365
 
   For more information about \*.onmicrosoft.com domains, see [Why do I have an "onmicrosoft.com" domain?](/microsoft-365/admin/setup/domains-faq#why-do-i-have-an--onmicrosoft-com--domain).
 
-- **If you use one or more custom domains for email (for example, contoso.com)**: Even though all outbound mail from Microsoft 365 is automatically signed by the MOERA domain, you still have more work to do for maximum email protection:
+- **If you use one or more custom domains for email (for example, contoso.com)**: Even though the MOERA domain signs all outbound mail from Microsoft 365, you still have more work to do for maximum email protection:
   - **Configure DKIM signing using custom domains or subdomains**: A message needs to be DKIM signed by the domain in the From address. We also recommend configuring DMARC, and DKIM passes DMARC validation only if the domain that DKIM signed the message and the domain in the From address align.
 
   - **Subdomain considerations**:
-    - For email services that aren't under your direct control (for example, bulk email services), we recommend using a subdomain (for example, marketing.contoso.com) instead of your main email domain (for example, contoso.com). You don't want issues with mail sent from those email services to affect the reputation of mail sent by employees in your main email domain. For more information about adding subdomains, see [Can I add custom subdomains or multiple domains to Microsoft 365?](/microsoft-365/admin/setup/domains-faq#can-i-add-custom-subdomains-or-multiple-domains-to-microsoft-365).
+    - For email services that aren't under your direct control (for example, bulk email services), we recommend using a subdomain (for example, marketing.contoso.com) instead of your main email domain (for example, contoso.com). You don't want issues with mail sent from those email services to affect the reputation of mail sent by users in your main email domain. For more information about adding subdomains, see [Can I add custom subdomains or multiple domains to Microsoft 365?](/microsoft-365/admin/setup/domains-faq#can-i-add-custom-subdomains-or-multiple-domains-to-microsoft-365).
     - Each subdomain that you use to send email from Microsoft 365 requires its own DKIM configuration.
 
       > [!TIP]
@@ -78,7 +78,7 @@ The rest of this article describes the DKIM CNAME records that you need to creat
 > [!TIP]
 > Configuring DKIM signing using a custom domain is a mixture of procedures in Microsoft 365 and procedures at the domain registrar of the custom domain.
 >
-> We provide instructions to create CNAME records for different Microsoft 365 services at many domain registrars. You can use these instructions as a starting point to create the create the DKIM CNAME records. For more information, see [Add DNS records to connect your domain](/Microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider).
+> We provide instructions to create CNAME records for different Microsoft 365 services at many domain registrars. You can use these instructions as a starting point to create the DKIM CNAME records. For more information, see [Add DNS records to connect your domain](/Microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider).
 >
 > If you're unfamiliar with DNS configuration, contact your domain registrar and ask for help.
 
@@ -143,7 +143,7 @@ You need to create two CNAME records in DNS in each custom domain, for a total o
 > [!TIP]
 > Enabling DKIM signing of outbound messages using a custom domain effectively switches DKIM signing from using the initial \*.onmicrosoft.com domain to using the custom domain.
 >
-> You can use a custom domain or subdomain to DKIM sign outbound mail only after the domain has been successfully added to Microsoft 365. For instructions, see [Add a domain](/microsoft-365/admin/setup/add-domain#add-a-domain).
+> You can use a custom domain or subdomain to DKIM sign outbound mail only after the domain is successfully added to Microsoft 365. For instructions, see [Add a domain](/microsoft-365/admin/setup/add-domain#add-a-domain).
 >
 > The main factor that determines when a custom domain starts DKIM signing outbound mail is the CNAME record detection in DNS.
 
@@ -197,7 +197,7 @@ Proceed if the domain satisfies these requirements.
 
 6. In another browser tab or window, go to the domain registrar for the domain, and then create the two CNAME records using the information from the previous step.
 
-   We provide instructions to create CNAME records for different Microsoft 365 services at many domain registrars.  You can use these instructions as a starting point to create the DKIM CNAME records. For more information, see [Add DNS records to connect your domain](/Microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider).
+   We provide instructions to create CNAME records for different Microsoft 365 services at many domain registrars. You can use these instructions as a starting point to create the DKIM CNAME records. For more information, see [Add DNS records to connect your domain](/Microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider).
 
    It takes a few minutes (or possibly longer) for Microsoft 365 to detect the new CNAME records that you created.
 
@@ -575,7 +575,7 @@ Use any of the following methods to verify DKIM signing of outbound email from M
      > The DKIM signature is omitted under either of the following conditions:
      >
      > - The sender and recipient email addresses are in the same domain.
-     > - The sender and recipient email addresses are in different domains that are controlled by the same organization.
+     > - The sender and recipient email addresses are in different domains controlled by the same organization.
      >
      > In both cases, the **DKIM-Signature** header field doesn't exist in the message header, and the **Authentication-Results** header field looks like the following example:
      >

Original file line number	Diff line number	Diff line change
`@@ -59,11 +59,11 @@ Before we get started, here's what you need to know about DKIM in Microsoft 365`
`59`	`59`
`60`	`60`	`For more information about \*.onmicrosoft.com domains, see [Why do I have an "onmicrosoft.com" domain?](/microsoft-365/admin/setup/domains-faq#why-do-i-have-an--onmicrosoft-com--domain).`
`61`	`61`
`62`		`-- If you use one or more custom domains for email (for example, contoso.com): Even though all outbound mail from Microsoft 365 is automatically signed by the MOERA domain, you still have more work to do for maximum email protection:`
	`62`	`+- If you use one or more custom domains for email (for example, contoso.com): Even though the MOERA domain signs all outbound mail from Microsoft 365, you still have more work to do for maximum email protection:`
`63`	`63`	`- Configure DKIM signing using custom domains or subdomains: A message needs to be DKIM signed by the domain in the From address. We also recommend configuring DMARC, and DKIM passes DMARC validation only if the domain that DKIM signed the message and the domain in the From address align.`
`64`	`64`
`65`	`65`	`- Subdomain considerations:`
`66`		- - For email services that aren't under your direct control (for example, bulk email services), we recommend using a subdomain (for example, marketing.contoso.com) instead of your main email domain (for example, contoso.com). You don't want issues with mail sent from those email services to affect the reputation of mail sent by employees in your main email domain. For more information about adding subdomains, see [Can I add custom subdomains or multiple domains to Microsoft 365?](/microsoft-365/admin/setup/domains-faq#can-i-add-custom-subdomains-or-multiple-domains-to-microsoft-365).
	`66`	+ - For email services that aren't under your direct control (for example, bulk email services), we recommend using a subdomain (for example, marketing.contoso.com) instead of your main email domain (for example, contoso.com). You don't want issues with mail sent from those email services to affect the reputation of mail sent by users in your main email domain. For more information about adding subdomains, see [Can I add custom subdomains or multiple domains to Microsoft 365?](/microsoft-365/admin/setup/domains-faq#can-i-add-custom-subdomains-or-multiple-domains-to-microsoft-365).
`67`	`67`	`- Each subdomain that you use to send email from Microsoft 365 requires its own DKIM configuration.`
`68`	`68`
`69`	`69`	`> [!TIP]`
`@@ -78,7 +78,7 @@ The rest of this article describes the DKIM CNAME records that you need to creat`
`78`	`78`	`> [!TIP]`
`79`	`79`	`> Configuring DKIM signing using a custom domain is a mixture of procedures in Microsoft 365 and procedures at the domain registrar of the custom domain.`
`80`	`80`	`>`
`81`		`-> We provide instructions to create CNAME records for different Microsoft 365 services at many domain registrars. You can use these instructions as a starting point to create the create the DKIM CNAME records. For more information, see [Add DNS records to connect your domain](/Microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider).`
	`81`	`+> We provide instructions to create CNAME records for different Microsoft 365 services at many domain registrars. You can use these instructions as a starting point to create the DKIM CNAME records. For more information, see [Add DNS records to connect your domain](/Microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider).`
`82`	`82`	`>`
`83`	`83`	`> If you're unfamiliar with DNS configuration, contact your domain registrar and ask for help.`
`84`	`84`
`@@ -143,7 +143,7 @@ You need to create two CNAME records in DNS in each custom domain, for a total o`
`143`	`143`	`> [!TIP]`
`144`	`144`	`> Enabling DKIM signing of outbound messages using a custom domain effectively switches DKIM signing from using the initial \*.onmicrosoft.com domain to using the custom domain.`
`145`	`145`	`>`
`146`		`-> You can use a custom domain or subdomain to DKIM sign outbound mail only after the domain has been successfully added to Microsoft 365. For instructions, see [Add a domain](/microsoft-365/admin/setup/add-domain#add-a-domain).`
	`146`	`+> You can use a custom domain or subdomain to DKIM sign outbound mail only after the domain is successfully added to Microsoft 365. For instructions, see [Add a domain](/microsoft-365/admin/setup/add-domain#add-a-domain).`
`147`	`147`	`>`
`148`	`148`	`> The main factor that determines when a custom domain starts DKIM signing outbound mail is the CNAME record detection in DNS.`
`149`	`149`
`@@ -197,7 +197,7 @@ Proceed if the domain satisfies these requirements.`
`197`	`197`
`198`	`198`	`6. In another browser tab or window, go to the domain registrar for the domain, and then create the two CNAME records using the information from the previous step.`
`199`	`199`
`200`		`- We provide instructions to create CNAME records for different Microsoft 365 services at many domain registrars. You can use these instructions as a starting point to create the DKIM CNAME records. For more information, see [Add DNS records to connect your domain](/Microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider).`
	`200`	`+ We provide instructions to create CNAME records for different Microsoft 365 services at many domain registrars. You can use these instructions as a starting point to create the DKIM CNAME records. For more information, see [Add DNS records to connect your domain](/Microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider).`
`201`	`201`
`202`	`202`	`It takes a few minutes (or possibly longer) for Microsoft 365 to detect the new CNAME records that you created.`
`203`	`203`
`@@ -575,7 +575,7 @@ Use any of the following methods to verify DKIM signing of outbound email from M`
`575`	`575`	`> The DKIM signature is omitted under either of the following conditions:`
`576`	`576`	`>`
`577`	`577`	`> - The sender and recipient email addresses are in the same domain.`
`578`		`- > - The sender and recipient email addresses are in different domains that are controlled by the same organization.`
	`578`	`+ > - The sender and recipient email addresses are in different domains controlled by the same organization.`
`579`	`579`	`>`
`580`	`580`	`> In both cases, the DKIM-Signature header field doesn't exist in the message header, and the Authentication-Results header field looks like the following example:`
`581`	`581`	`>`