Addressing DKIM alignment errors and configuring DKIM for a custom domain in Microsoft 365 primarily involves ensuring the 'From' address domain matches the domain used for DKIM signing. This often requires configuring O365 to sign with your domain instead of the default 'onmicrosoft.com', using a corresponding private key, and verifying domain ownership. Tools like EasyDMARC can help with the configuration process. For SPF, including 'spf.mtasv.net' is generally unnecessary for Mailchimp because they use their own domain. When including third-party services in your SPF record, it’s crucial to assess their sending practices against your domain's security policies and avoid blindly including them. Regular key rotation and correct DNS record syntax are also essential. Key concepts include verifying the DKIM selector, understanding that the 'd=' tag in the DKIM signature must match the 'From:' header, and ensuring proper DNS propagation. Common errors include incorrect DNS syntax, propagation delays, and subdomain misalignments.
9 marketer opinions
Fixing DKIM alignment errors in Microsoft 365 involves ensuring the domain used for DKIM signing matches the 'From' address domain. Proper configuration includes generating DKIM records, enabling DKIM in the Microsoft 365 admin center, and verifying DNS propagation. Common issues include incorrect DNS syntax, propagation delays, and subdomain misalignments. For SPF records and services like Mailchimp, it's crucial to review their specific SPF documentation and understand whether their servers need to be included in your SPF record, but blindly including third-party services should be approached with caution. Tools like DNS lookup can help verify correct setup.
Marketer view
Email marketer from Super User suggests that DKIM alignment issues can occur when using subdomains. The 'From' address must align with the domain used in the DKIM signature. Ensuring consistent domain usage across email headers and DKIM settings can prevent alignment problems.
13 Oct 2024 - Super User
Marketer view
Email marketer from Email on Acid mentions that common DKIM errors include incorrect DNS record syntax and propagation delays. They advise double-checking the DKIM record for typos and waiting for the changes to propagate fully before testing.
10 Nov 2021 - Email on Acid
4 expert opinions
Addressing DKIM alignment issues and configuring DKIM signing for custom domains in Microsoft 365 involves verifying domain ownership and ensuring the O365 instance signs with your domain using a corresponding private key. The onmicrosoft.com signing is a common source of problems. Regarding SPF records, specifically including spf.mtasv.net for Mailchimp, it's often unnecessary as Mailchimp uses its own domain in the 5321.from address. When including third-party domains in SPF, it's crucial to evaluate their sending practices against your domain's security policies instead of blindly including them.
Expert view
Expert from Word to the Wise answers explains that the 'include:' mechanism in SPF records allows you to delegate SPF authorization to another domain. When considering whether to include a service like Mailchimp, you need to evaluate if their sending practices align with your domain's security policies. While they don't specifically mention 'spf.mtasv.net', they suggest being cautious about blindly including third-party domains without understanding their sending infrastructure.
12 Jan 2024 - Word to the Wise
Expert view
Expert from Spam Resource explains that DKIM alignment issues often stem from incorrect domain ownership verification. Ensuring that your domain is properly verified within Microsoft 365 is crucial before configuring DKIM. This involves adding specific DNS records provided by Microsoft to prove ownership.
25 Dec 2024 - Spam Resource
3 technical articles
To use DKIM with a custom domain in Microsoft 365, you need to create DKIM DNS records and enable DKIM signing through the Microsoft 365 Defender portal or PowerShell. Microsoft recommends using two 1024-bit keys or upgrading to 2048-bit keys for enhanced security. Key rotation is also crucial, involving generating new keys, updating DNS records, and activating the new key. For Mailchimp, SPF records authorize specific servers to send emails on behalf of your domain, but including `spf.mtasv.net` isn't explicitly mentioned and may not be necessary; including Mailchimp's servers might be required instead.
Technical article
Documentation from Microsoft Learn outlines how to rotate DKIM keys in Microsoft 365. It covers generating new DKIM keys, updating DNS records, and activating the new key for signing. Proper key rollover ensures continued email authentication without interruption.
23 Mar 2025 - Microsoft Learn
Technical article
Documentation from Microsoft Learn explains that to use DKIM with a custom domain in Microsoft 365, you must create DKIM DNS records. They advise using two 1024-bit keys or moving to 2048-bit keys for enhanced security. It details the steps to enable DKIM signing for your custom domain within the Microsoft 365 Defender portal or via PowerShell.
31 May 2025 - Microsoft Learn
Are DMARC RUA and RUF tags mandatory for compliance and what are their benefits?
Can DKIM be set up on a subdomain, and which domain should be used for signing?
Do I need to include Mailchimp's SPF record in my domain's SPF if Mailchimp handles the bounce address?
How can I improve SPF alignment and email deliverability when using Hubspot?
How can I resolve DMARC verification failures when using a subdomain for email sending?
How do I fix DKIM failing body hash verification?
How do I properly set up SPF and DKIM records for email marketing, including handling multiple SPF records, IP ranges, bounce capturing, and Google Postmaster Tools verification?
How do I set up DKIM on G Suite for outgoing mail, especially when using multiple email services?