Microsoft 365 How To Enable DKIM Using DKIM Manager PowerShell Script

DKIM Manager Download:

Or pull from GitHub here: DKIM Manager on GitHub

Everyone should be trying to improve their email security setup by using DKIM (DomainKeys Identified Mail). DKIM works by the sending server adding a digital signature to the email, computed with a private key over selected headers and the message body. The recipient server can then look up your public DKIM key published in DNS, verify the signature and confirm that the signed content has not been altered.

If the check passes, the recipient can be confident that the email did come from an authorised source, which in this case will be Microsoft 365. Using DKIM, DMARC and SPF records together greatly improves the authority and deliverability of your emails, since the recipient can be sure that your emails are being sent from a legitimate source and not spoofed or forged in some way.

To make setting up DKIM on Microsoft 365 domains easier, I created this little tool I call DKIM Manager.

Simply open a PowerShell console by running it as administrator, then cd to the location of the script.

In my case I type: cd c:\scripts

Then run the script typing: .\DKIMManager.ps1

DKIM Manager will install the required modules, so press Y if asked to install them.

After that you will be presented with this screen asking you to press any key and log in to the tenant where you want to enable DKIM.

Once logged in you will need to select a domain to work with.

Press 1 and enter to enter the domain menu.

Select the domain you wish to enable DKIM on and press enter.

In my case, email is being sent from darkscrolls.co.uk so I select 2 and press enter.

Now we use option 2 to set up a new DKIM policy and retrieve the DNS CNAME records needed to set up DKIM.

This is the best part of the script: it will tell you exactly what CNAME records you need to enter into DNS.

Add the two CNAME records into your domain. In my case the script tells me to create the following CNAME records.

Name: selector1._domainkey

Points to: selector1-DarkScrolls-co-uk._domainkey.darkscrolls.onmicrosoft.com

Name: selector2._domainkey

Points to: selector2-DarkScrolls-co-uk._domainkey.darkscrolls.onmicrosoft.com

Log into your domain name host and add the CNAME records.

Next, in DKIM Manager, use option 3 to enable DKIM.

You can see here a message that the DNS has not replicated yet so you may have to wait a few hours before you can enable DKIM. Come back and run the script again choosing option 3.

Once the DNS has replicated correctly the script will successfully enable DKIM on the domain.
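To see for yourself whether the two CNAME records are visible in DNS before retrying option 3, you can query them directly. This is an added example, not part of DKIM Manager: the function name `Test-DkimCname` is made up for illustration, it relies on the built-in Windows `Resolve-DnsName` cmdlet, and the record values are the ones shown above for darkscrolls.co.uk.

```powershell
# Added example (not from DKIM Manager): confirm the DKIM CNAME records are published.
# Test-DkimCname is a hypothetical helper; Resolve-DnsName ships with Windows (DnsClient module).
function Test-DkimCname {
    param(
        [Parameter(Mandatory)] [string]    $Domain,    # domain selected in option 1
        [Parameter(Mandatory)] [hashtable] $Expected,  # record name -> target, as printed by option 2
        [string] $Server                               # optional: a specific resolver to ask
    )
    foreach ($name in $Expected.Keys) {
        $fqdn  = "$name.$Domain"
        $want  = $Expected[$name].TrimEnd('.')
        $query = @{ Name = $fqdn; Type = 'CNAME'; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($Server) { $query.Server = $Server }
        try {
            # Keep only the CNAME answer for this exact name (ignores SOA/authority rows).
            $answer = Resolve-DnsName @query |
                Where-Object { $_.Type -eq 'CNAME' -and $_.Name -eq $fqdn } |
                Select-Object -First 1
            $found = if ($answer) { $answer.NameHost.TrimEnd('.') } else { $null }
        } catch {
            $found = $null   # NXDOMAIN or timeout: the record is not visible yet
        }
        [pscustomobject]@{
            Record   = $fqdn
            Expected = $want
            Found    = $found
            # -eq on strings is case-insensitive, which is what DNS names need
            Ready    = ($null -ne $found) -and ($found -eq $want)
        }
    }
}

# Values taken from the CNAME records listed in this article.
$records = @{
    'selector1._domainkey' = 'selector1-DarkScrolls-co-uk._domainkey.darkscrolls.onmicrosoft.com'
    'selector2._domainkey' = 'selector2-DarkScrolls-co-uk._domainkey.darkscrolls.onmicrosoft.com'
}
$result = Test-DkimCname -Domain 'darkscrolls.co.uk' -Expected $records
$result | Format-Table -AutoSize
if ($result.Ready -contains $false) {
    Write-Warning 'A CNAME record is missing or points to the wrong target; fix DNS or wait before using option 3.'
}
```

A `Found` value that differs from `Expected` means a typo at the DNS host rather than slow replication, so waiting longer will not help.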

Author: Ian@SlashAdmin



  1. holy crap, this is some sorcery!


    5 subdomains in one tenant…it’ll drive you mad trying to get those domainkeys correct.

    I rarely leave reviews or anything like this but this just saved some serious time for someone who sets up DKIM about twice a year (if that!)

    Thank you SO much!!

    • Thanks Paul and me too hence why I created this little script! Glad it helped someone out, it makes the effort well worth it 😀

  2. having trouble connecting domain name to the Manager

    • What error are you getting? You need to choose option 1 then select the domain from the list and press enter. Then that domain is selected ready for options 2 and 3.

      Send over an error and I'll take a look.


  3. Hi, great script you did here.
    By the time of writing (02.Sept.2021) the activation doesn’t work anymore with Menu 3.
    It fails to check the DNS entries (even after 48h or more).
    Whether entries are correct or not, it tells the error ‘Please set the following CNAME records in your DNS. Wait 24 hours…’
    I’m afraid MS changed the behavior, because a short time ago it still worked like a charm.

    You can still activate it manually on protection.office.com (Threat management > Policy > DKIM)

