diff --git a/defender-office-365/email-authentication-dkim-configure.md b/defender-office-365/email-authentication-dkim-configure.md index 23da19e7f2..3819bcca9a 100644 --- a/defender-office-365/email-authentication-dkim-configure.md +++ b/defender-office-365/email-authentication-dkim-configure.md @@ -5,7 +5,7 @@ f1.keywords: ms.author: chrisda author: chrisda manager: deniseb -ms.date: 04/14/2025 +ms.date: 06/19/2025 audience: ITPro ms.topic: how-to @@ -109,7 +109,23 @@ Points to address or value: selector2-._domainkey.**: The custom domain or subdomain with periods replaced by dashes. For example, `contoso.com` becomes `contoso-com`, or `marketing.contoso.com` becomes `marketing-contoso-com`. - **\**: The custom part of the \*.onmicrosoft.com you used to enroll in Microsoft 365. For example, if you used `contoso.onmicrosoft.com`, the value is `contoso`. -- **\**: A dynamically generated character that's used for both selectors. +- **\**: A dynamically generated character (for example, r or n) that's used for both selectors. The value is automatically assigned by Microsoft when you add a new custom domain and enable DKIM. The value is determined by Microsoft's internal routing logic and isn't configurable. + - This value is part of the updated DKIM record format for new custom domains in Microsoft 365 introduced in May 2025. Existing custom domains and initial domains continue to use the old DKIM format: + + ```text + Hostname: selector1._domainkey + Points to address or value: selector1-contoso-com._domainkey.contoso.onmicrosoft.com + + Hostname: selector2._domainkey + Points to address or value: selector2-contoso-com._domainkey.contoso.onmicrosoft.com + ``` + + - **The old and new and old formats can't coexist for the same selector**. To retrieve the correct DKIM CNAME values for a domain, including the assigned \ value, replace contoso.com with the domain value, and then run the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell): + + ```powershell + Get-DkimSigningConfig -Identity contoso.com | Format-List Name,Enabled,Status,Selector1CNAME,Selector2CNAME + ``` + - **v1**: The current CNAME format version that's used for both selectors. - **dkim.mail.microsoft**: The parent DNS zone that's the same for both selectors.