How to Set Up DKIM in Office 365: A Complete Guide
If you’re doing cold email in 2025 and you haven’t set up DKIM, you’re flying blind.
Here’s what happens without it:
❌ Your emails look fake
❌ They get flagged
❌ They land in spam — or never show up at all
DKIM (DomainKeys Identified Mail) is the one setting inside Office 365 or Google Workspace that tells inboxes:
“Hey, this email is real — and it’s actually from me.”
Set it up once.
Your open rates go up. Your reply rates go up. And spam folders stop eating your pipeline.
In this guide, I’ll show you how to set up DKIM in Office 365 step by step.
Let’s fix your deliverability.
What Is DKIM and Why Does It Matter?
DKIM (DomainKeys Identified Mail) is like a digital signature for your emails.
It proves the email was really sent by you, not some scammer pretending to be you.
Here’s what it does:
- 🖊️ It “signs” every email with a special key
- 📩 When your email hits Gmail or Outlook, they check the signature
- ✅ If it matches, it gets delivered
- ❌ If it doesn’t, it gets flagged or thrown into spam
Without DKIM?
Your emails look suspicious.
Even if they’re legit. Even if your copy is perfect.
But once it’s on?
You instantly build trust with inbox providers.
You avoid spoofing.
And most importantly, you boost your email deliverability.
Not sure if DKIM is working on your domain?
👉 Use the DKIM Checker — a free tool that tells you in seconds if your setup is good… or broken.
What You Need Before You Start
Before you touch anything, make sure you’ve got your setup in place.
Because halfway setups = half your emails landing in spam.
Here’s the short checklist:
- ✅ A custom domain has already been added and verified in Microsoft 365
- ✅ Admin access to both your Office 365 account and your DNS provider (like GoDaddy, Namecheap, or wherever your domain lives)
- ✅ Access to the Microsoft Defender portal — that’s where you’ll actually flip the switch for DKIM
📌 Doing this manually? You’ll need to set up SPF, DKIM, and DMARC records one by one in your DNS settings.
Use these free tools to avoid screwing it up:
- DKIM Generator — build correct DKIM records
- SPF Generator + DMARC Generator — complete the authentication trio
- CNAME Checker — double check if your DNS records are actually live
💡 Using Primeforge? You’re already ahead.
It automatically sets up DKIM, SPF, and DMARC — no copy-pasting records, no waiting on tech.
Just buy your Google or Microsoft mailboxes, and it’s ready to go.
Plug it into your sending tool and you’re live in under 30 minutes.
So yeah — either way works.
But only one doesn’t waste your time.
Step-by-Step: Setting Up DKIM in Office 365
Setting up DKIM in Office 365 sounds complicated.
It’s not — if you follow this in order.
Let’s get it done 👇
Step 1: Open the DKIM Settings in Microsoft Defender
Here’s how you find it:
Microsoft Defender →
Email & Collaboration →
Policies & Rules →
Threat Policies →
Email Authentication Settings → DKIM
🧠 Pro Tip: Just hit CTRL + F and search for “DKIM” inside the portal. It’ll save you time.
Once you’re in, you’ll see your domains listed — ready to be configured.
Step 2: Add the CNAME Records to Your DNS
Now we connect the dots between Office 365 and your domain.
You need to add two CNAME records wherever your DNS is managed (GoDaddy, Namecheap, Cloudflare, etc.).
Here’s the format you’ll use:
📌 Explanation:
- coldmailpros.com = your custom domain
- coldpros.onmicrosoft.com = your Microsoft 365 tenant domain
🕒 DNS propagation isn’t instant — it might take a few hours (sometimes longer) for these records to update.
Skip this step entirely if you’re using Primeforge
All mailboxes come with automated DNS setup — DKIM, SPF, and DMARC are pre-set.
You just log in, connect, and go.
Step 3: Flip the DKIM Switch in Defender
Back in the DKIM section of the Defender portal:
- Click on your domain
- Toggle: “Sign messages for this domain with DKIM signatures” → ON
Done.
❌ If you see an error like “CNAME records not found,” it just means DNS hasn’t fully propagated yet.
Wait a few hours and try again.
That’s it. DKIM is now active.
Emails from your domain are digitally signed and trusted by inboxes.
And if you don’t want to touch DNS ever again?
You know where to look — Primeforge.
How to Check if DKIM Works?
Setting up DKIM is one thing.
Knowing it’s actually working? That’s where most people mess up.
Here’s how to test it in under 2 minutes:
Step 1: Send Yourself a Test Email
Use the domain you just configured.
Send a fresh email to a Gmail account.
Step 2: Click “Show Original” in Gmail
- Open the email
- Click the 3-dot menu
- Select “Show Original”
This shows you the raw email headers.
Step 3: Look for These Signs
✅ DKIM-Signature:
This means your email was signed correctly.
✅ Authentication-Results: dkim=pass
This means Gmail trusts your domain.
❌ If either of these is missing, you likely have a DNS error or the records haven’t propagated yet.
⚠️ Common Mistake: Some users enable DKIM before DNS records are live — always wait at least 1–2 hours before flipping the switch.
Want to Double Check? Use These Tools
- ✅ Inbox Placement Test – See if your emails land in inbox or spam
- ✅ Email Deliverability Test – Full report on DKIM, SPF, blacklist status, and more
These tests take 30 seconds and can save your campaign.
If you're using a tool that handles DNS automation (like Primeforge), you’ll usually see dkim=pass from Day 1 — no manual setup or delays.
If you’re going the manual route, just make sure you double-check your records with the DKIM Checker.
What If You Manage Multiple Domains?
Running cold email across multiple domains?
Here’s the rule:
Every domain needs its own DKIM setup.
That means:
- ✅ 2 new CNAME records per domain
- ✅ Repeat the DKIM steps for each one
- ✅ Wait for DNS propagation (yes, every time)
And if you don’t track it?
You’ll forget which domains are live, which ones failed, and which ones are missing DKIM entirely.
Use a Simple Tracker
Keep a spreadsheet (or Notion table) with:
- Domain name
- Selector1 and Selector2 CNAMEs
- DKIM status (enabled/disabled)
- Date last verified
- Notes on propagation or issues
This one habit alone will save you hours — and dozens of missed emails.
Free Tools That Help With DKIM & Deliverability
If you're setting up multiple domains manually:
- DKIM Generator – get the correct DKIM values
- SPF Generator – handle SPF for each domain
- DMARC Generator – enforce proper policies
- DKIM Checker – test each domain before sending
- CNAME Checker – verify records are live
These are free. Fast. No excuses not to use them.
If You're Managing Multiple Domains at Scale
Doing this for a team, an agency, or across several brands?
Primeforge was built for that exact use case.
You get:
- ✅ Bulk mailbox setup
- ✅ Bulk DNS updates
- ✅ Automated DKIM, SPF, and DMARC across domains
- ✅ Clean inbox-ready mailboxes, prepped and verified
So instead of babysitting 20+ domain records manually, you just connect and go.
How to Set Up Domain & Mailbox for Cold Email?
Whether you’re managing 2 domains or 200 — track it, test it, and never assume it’s working until you’ve seen dkim=pass.
That’s the move.
Conclusion: You’ve Set Up DKIM. Now Set Yourself Up to Scale.
If you made it this far, you've done what most cold emailers don’t —
You actually secured your domain.
That single move puts you ahead of 80% of senders still wondering why their emails land in spam.
But let’s be honest:
🔧 You fixed one part of the machine.
📬 There’s still deliverability to manage.
📈 There’s still scale to unlock.
And if you’re planning to send serious volume — or run multiple domains across your team — doing everything manually won’t cut it.
That’s where Primeforge comes in.
- Google & Microsoft mailboxes made for cold email
- DKIM, SPF, and DMARC pre-configured
- Go live in 30 minutes — no guesswork, no DNS errors
So if you’re ready to stop fixing problems one by one…
And want to run outreach that just works?
👉 Start with Primeforge — and send with confidence.