Summary
Addressing DKIM alignment errors and configuring DKIM for a custom domain in Microsoft 365 primarily involves ensuring the 'From' address domain matches the domain used for DKIM signing. This often requires configuring O365 to sign with your domain instead of the default 'onmicrosoft.com', using a corresponding private key, and verifying domain ownership. Tools like EasyDMARC can help with the configuration process. For SPF, including 'spf.mtasv.net' is generally unnecessary for Mailchimp because they use their own domain. When including third-party services in your SPF record, it’s crucial to assess their sending practices against your domain's security policies and avoid blindly including them. Regular key rotation and correct DNS record syntax are also essential. Key concepts include verifying the DKIM selector, understanding that the 'd=' tag in the DKIM signature must match the 'From:' header, and ensuring proper DNS propagation. Common errors include incorrect DNS syntax, propagation delays, and subdomain misalignments.
Key findings
- DKIM Alignment: The DKIM signature domain must match the 'From' address domain; verify the DKIM selector.
- O365 Configuration: Configure O365 to sign with your custom domain and private key, and verify domain ownership.
- SPF and Mailchimp: Including 'spf.mtasv.net' is generally unnecessary for Mailchimp, as they use their own domain.
- DNS Propagation: Ensure DKIM and SPF records are properly propagated; use DNS lookup tools to verify.
- Key Rotation: Regularly rotate DKIM keys to maintain security.
- Common DKIM Errors: Watch out for incorrect DNS record syntax, propagation delays, and subdomain alignment issues.
Key considerations
- Domain Verification: Ensure domain ownership is verified in Microsoft 365.
- Third-Party Assessment: Assess third-party sending practices before including them in SPF records.
- DNS Syntax: Double-check DNS record syntax for typos and correctness.
- SPF Management: Avoid multiple SPF records and use 'include:' statements carefully.
- Key Length Selection: Use appropriate DKIM key lengths, such as 1024-bit or 2048-bit, based on security needs.
What email marketers say
9 marketer opinions
Fixing DKIM alignment errors in Microsoft 365 involves ensuring the domain used for DKIM signing matches the 'From' address domain. Proper configuration includes generating DKIM records, enabling DKIM in the Microsoft 365 admin center, and verifying DNS propagation. Common issues include incorrect DNS syntax, propagation delays, and subdomain misalignments. For SPF records and services like Mailchimp, it's crucial to review their specific SPF documentation and understand whether their servers need to be included in your SPF record, but blindly including third-party services should be approached with caution. Tools like DNS lookup can help verify correct setup.
Key opinions
- DKIM Alignment: DKIM alignment requires that the domain in the DKIM signature ('d=' tag) matches the domain in the 'From' address of the email.
- Microsoft 365 Configuration: Configuring DKIM for a custom domain in Microsoft 365 involves generating DKIM records, enabling DKIM signing, and verifying DNS settings.
- DNS Propagation: Ensure that DNS records are properly propagated, and allow sufficient time for DNS changes to take effect after making updates.
- SPF Records: When using third-party services like Mailchimp, review their SPF documentation to determine if you need to include their servers in your SPF record. The include:spf.mtasv.net may or may not be required - check with Mailchimp.
- Common Errors: Common DKIM errors include incorrect DNS record syntax, propagation delays, and alignment issues with subdomains.
Key considerations
- Domain Verification: Verify domain ownership within Microsoft 365 before configuring DKIM to avoid initial setup issues.
- Subdomain Alignment: When using subdomains, ensure the 'From' address aligns with the domain used in the DKIM signature to prevent alignment issues.
- Third-Party Services: Carefully evaluate the SPF requirements for third-party email services and avoid blindly including services without understanding their sending practices.
- Record Syntax: Double-check the DKIM record for typos and ensure correct DNS record syntax to prevent authentication failures.
- SPF Record Management: Avoid having multiple SPF records; use 'include:' statements to incorporate other services into a single SPF record to avoid issues.
Marketer view
Email marketer from Super User suggests that DKIM alignment issues can occur when using subdomains. The 'From' address must align with the domain used in the DKIM signature. Ensuring consistent domain usage across email headers and DKIM settings can prevent alignment problems.
15 Oct 2024 - Super User
Marketer view
Email marketer from Email on Acid mentions that common DKIM errors include incorrect DNS record syntax and propagation delays. They advise double-checking the DKIM record for typos and waiting for the changes to propagate fully before testing.
12 Nov 2021 - Email on Acid
What the experts say
4 expert opinions
Addressing DKIM alignment issues and configuring DKIM signing for custom domains in Microsoft 365 involves verifying domain ownership and ensuring the O365 instance signs with your domain using a corresponding private key. The onmicrosoft.com signing is a common source of problems. Regarding SPF records, specifically including spf.mtasv.net for Mailchimp, it's often unnecessary as Mailchimp uses its own domain in the 5321.from address. When including third-party domains in SPF, it's crucial to evaluate their sending practices against your domain's security policies instead of blindly including them.
Key opinions
- DKIM Alignment Issue: DKIM alignment issues often occur when the O365 instance signs with 'onmicrosoft.com' instead of the custom domain.
- O365 Configuration: Configuring O365 to use your custom domain and private key for signing is essential for fixing DKIM alignment.
- Domain Ownership: Incorrect domain ownership verification can lead to DKIM alignment problems; verify your domain in Microsoft 365.
- SPF & Mailchimp: Including 'spf.mtasv.net' in your SPF record is generally unnecessary for Mailchimp since they use their own domain in the 5321.from address.
- Third-Party SPF Inclusion: Evaluate third-party sending practices against your domain's security policies before including their domains in your SPF record.
Key considerations
- Private Key Management: Ensure proper management and configuration of the private key associated with your custom domain in O365.
- Security Policy Alignment: Assess whether a third-party's sending practices align with your domain's security policies before including them in your SPF record.
- Testing & Verification: Thoroughly test and verify DKIM and SPF configurations after making changes to ensure proper functionality.
- SPF 'include' Usage: Use the 'include:' mechanism in SPF records judiciously and understand the implications of delegating SPF authorization.
Expert view
Expert from Word to the Wise answers explains that the 'include:' mechanism in SPF records allows you to delegate SPF authorization to another domain. When considering whether to include a service like Mailchimp, you need to evaluate if their sending practices align with your domain's security policies. While they don't specifically mention 'spf.mtasv.net', they suggest being cautious about blindly including third-party domains without understanding their sending infrastructure.
14 Jan 2024 - Word to the Wise
Expert view
Expert from Spam Resource explains that DKIM alignment issues often stem from incorrect domain ownership verification. Ensuring that your domain is properly verified within Microsoft 365 is crucial before configuring DKIM. This involves adding specific DNS records provided by Microsoft to prove ownership.
28 Dec 2024 - Spam Resource
What the documentation says
3 technical articles
To use DKIM with a custom domain in Microsoft 365, you need to create DKIM DNS records and enable DKIM signing through the Microsoft 365 Defender portal or PowerShell. Microsoft recommends using two 1024-bit keys or upgrading to 2048-bit keys for enhanced security. Key rotation is also crucial, involving generating new keys, updating DNS records, and activating the new key. For Mailchimp, SPF records authorize specific servers to send emails on behalf of your domain, but including `spf.mtasv.net` isn't explicitly mentioned and may not be necessary; including Mailchimp's servers might be required instead.
Key findings
- DKIM Setup in Microsoft 365: Using DKIM with a custom domain in Microsoft 365 requires creating DKIM DNS records and enabling signing via the Defender portal or PowerShell.
- DKIM Key Security: Microsoft advises using two 1024-bit keys or transitioning to 2048-bit keys for enhanced DKIM security.
- DKIM Key Rotation: Rotating DKIM keys involves generating new keys, updating DNS records, and activating the new key for signing to maintain email authentication.
- SPF and Mailchimp: SPF records authorize specific servers for your domain, but `include:spf.mtasv.net` might not be needed for Mailchimp; including Mailchimp's own servers might be necessary.
Key considerations
- Key Length Selection: Choose an appropriate DKIM key length (1024-bit or 2048-bit) based on security requirements and compatibility.
- Regular Key Rotation: Implement a process for regular DKIM key rotation to ensure continued email authentication and security.
- SPF Record Accuracy: Ensure your SPF records accurately reflect authorized sending servers, including those for Mailchimp if required, but avoid including unnecessary entries like `spf.mtasv.net` if not specified by Mailchimp.
- DNS Record Updates: When making changes to DKIM or SPF records, update DNS records promptly and allow sufficient time for propagation.
Technical article
Documentation from Microsoft Learn outlines how to rotate DKIM keys in Microsoft 365. It covers generating new DKIM keys, updating DNS records, and activating the new key for signing. Proper key rollover ensures continued email authentication without interruption.
26 Mar 2025 - Microsoft Learn
Technical article
Documentation from Microsoft Learn explains that to use DKIM with a custom domain in Microsoft 365, you must create DKIM DNS records. They advise using two 1024-bit keys or moving to 2048-bit keys for enhanced security. It details the steps to enable DKIM signing for your custom domain within the Microsoft 365 Defender portal or via PowerShell.
2 Jun 2025 - Microsoft Learn
Are DMARC RUA and RUF tags mandatory for compliance and what are their benefits?
Can DKIM be set up on a subdomain, and which domain should be used for signing?
Do I need to include Mailchimp's SPF record in my domain's SPF if Mailchimp handles the bounce address?
How can I improve SPF alignment and email deliverability when using Hubspot?
How can I resolve DMARC verification failures when using a subdomain for email sending?
How do I fix DKIM failing body hash verification?
How do I properly set up SPF and DKIM records for email marketing, including handling multiple SPF records, IP ranges, bounce capturing, and Google Postmaster Tools verification?
How do I set up DKIM on G Suite for outgoing mail, especially when using multiple email services?
