Suped

How to find domainGUID and initialDomain for DKIM setup with custom domains in Office 365?

Summary

Setting up DKIM for custom domains in Office 365 requires identifying two specific values: the domainGUID and the initialDomain. The domainGUID uniformly refers to your Microsoft 365 tenant's unique identifier, often called the Organization ID, Tenant GUID, or Directory ID. This critical piece of information is most reliably obtained by running the Get-OrganizationConfig PowerShell cmdlet and selecting the OrganizationId property. Conversely, the initialDomain is consistently identified as your tenant's original .onmicrosoft.com domain, which was provisioned when your Microsoft 365 tenant was first set up. This can typically be found in the Microsoft 365 admin center or by using the Get-MsolDomain PowerShell cmdlet. Both the domainGUID and initialDomain are essential components for accurately constructing the CNAME records required for DKIM signing, ensuring proper email authentication and improved deliverability.

Key findings

  • domainGUID is Organization ID: The domainGUID, critical for Office 365 DKIM setup, is consistently identified as your Microsoft 365 tenant's Organization ID, also known as Tenant GUID or Directory ID.
  • InitialDomain is onmicrosoft.com: The initialDomain invariably refers to your tenant's primary .onmicrosoft.com domain, which was provisioned when your Microsoft 365 account was first established.
  • PowerShell for domainGUID: The most reliable method to find the domainGUID is by running the PowerShell cmdlet 'Get-OrganizationConfig | Select-Object OrganizationId' in Exchange Online PowerShell.
  • Finding initialDomain: The initialDomain can be located in the Microsoft 365 admin center, by using the 'Get-MsolDomain' PowerShell cmdlet, or by simply identifying the default .onmicrosoft.com address associated with your tenant.
  • Crucial for CNAME Records: Both the domainGUID and initialDomain are fundamental components required for accurately constructing the CNAME records needed to enable DKIM signing for custom domains.

Key considerations

  • PowerShell Access: Administrators must have the necessary permissions to connect to Exchange Online PowerShell and execute cmdlets such as Get-OrganizationConfig to retrieve the domainGUID.
  • Terminology Awareness: Be aware that the domainGUID may be referred to by various terms, including Organization ID, Tenant GUID, or Directory ID, all of which denote the same unique identifier for your Microsoft 365 tenant.
  • CNAME Record Structure: A clear understanding of the correct CNAME record format for DKIM, typically selector1._domainkey.<domainGUID>.<initialDomain>, is essential for accurate setup.

What email marketers say

12 marketer opinions

To successfully configure DKIM for custom domains in Office 365, identifying the correct domainGUID and initialDomain is paramount. The domainGUID is consistently referred to as your Microsoft 365 tenant's unique Organization ID, Tenant GUID, or Directory ID. This vital identifier is predominantly obtained by executing the Get-OrganizationConfig PowerShell cmdlet and extracting its OrganizationId property. Conversely, the initialDomain is universally understood to be your tenant's original .onmicrosoft.com domain, established during the initial tenant provisioning. Both these components are indispensable for correctly formulating the CNAME records needed to enable DKIM signing, thereby enhancing email deliverability and authentication.

Key opinions

  • DomainGUID Identity: The domainGUID required for Office 365 DKIM configuration is synonymous with your Microsoft 365 tenant's Organization ID, also known as Tenant GUID or Directory ID, serving as a unique identifier for database records.
  • InitialDomain Definition: The initialDomain consistently refers to the default .onmicrosoft.com domain that was originally assigned to your tenant when it was created.
  • PowerShell for GUID: The most reliable method for retrieving the domainGUID involves connecting to Exchange Online PowerShell and running the command Get-OrganizationConfig | Select-Object OrganizationId.
  • CNAME Record Necessity: Both the domainGUID and initialDomain are critical elements for constructing the specific CNAME records required for DKIM authentication, directly impacting email deliverability.
  • Parsing vs. Cmdlet: While one explanation mentions parsing the domainGUID from an MX record, the overwhelming consensus points to using the Get-OrganizationConfig PowerShell cmdlet for accuracy.

Key considerations

  • PowerShell Access: Users must ensure they have the necessary administrative permissions and knowledge to connect to Exchange Online PowerShell and execute the required cmdlets for retrieving the domainGUID.
  • Term Variation: Be aware that the domainGUID might be referenced using various terms like Organization ID, Tenant GUID, or Directory ID, all pointing to the same unique tenant identifier.
  • Accurate CNAME Syntax: Correctly forming the DKIM CNAME record, typically in the format selector1._domainkey.<domainGUID>.<initialDomain>, is crucial for successful DKIM implementation.

Marketer view

Email marketer from Email Geeks explains that GUID is a unique identifier used for all Microsoft database records.

19 Dec 2024 - Email Geeks

Marketer view

Email marketer from Email Geeks explains that the domainGUID is parsed off the front of the MX record for the domain (e.g., example-org for a .org domain) and the initialDomain is what's in front of the subdomain Microsoft initially assigns (e.g., exampleorg for exampleorg.onmicrosoft.com) when configuring DKIM for a custom domain in Office 365.

13 May 2025 - Email Geeks

What the experts say

0 expert opinions

Enabling DKIM authentication for custom domains within Office 365 hinges upon correctly identifying the domainGUID and initialDomain. The domainGUID consistently represents your Microsoft 365 tenant's unique identifier, often labeled as the Organization ID, Tenant GUID, or Directory ID. Obtaining this value is best achieved by executing the Get-OrganizationConfig cmdlet in Exchange Online PowerShell and extracting its OrganizationId property. Conversely, the initialDomain is consistently your tenant's original .onmicrosoft.com domain, established during the initial setup of your Microsoft 365 environment. These two specific identifiers are indispensable for constructing the CNAME records vital for DKIM signing, a key component in robust email deliverability and sender reputation.

Key opinions

  • Unique Tenant ID: The domainGUID serves as the distinct identifier for your Microsoft 365 tenant, appearing interchangeably as Organization ID, Tenant GUID, or Directory ID in various contexts.
  • Original Domain: Your initialDomain is always the .onmicrosoft.com domain assigned when your Office 365 tenant was first provisioned.
  • PowerShell Reliability: Utilizing Get-OrganizationConfig in Exchange Online PowerShell provides the most accurate and recommended method for retrieving the domainGUID.
  • CNAME Foundation: Both the domainGUID and initialDomain are fundamental for correctly formulating the CNAME records that activate DKIM for custom domains.
  • Impact on Deliverability: Accurate identification and use of these values directly contribute to successful DKIM implementation, which is crucial for email authentication and improved deliverability.

Key considerations

  • Administrative Access: Proper administrative rights are necessary to connect to Exchange Online PowerShell and execute the required cmdlets for information retrieval.
  • Naming Convention: Be mindful that the domainGUID may be referred to by several names like Organization ID or Tenant ID, all signifying the same unique tenant identifier.
  • Precise CNAME Creation: The exact syntax of the CNAME record, incorporating both the domainGUID and initialDomain, is critical for DKIM to function correctly.

What the documentation says

5 technical articles

Configuring DKIM for custom domains in Microsoft 365 requires identifying two key elements: the domainGUID and the initialDomain. The domainGUID consistently refers to your Microsoft 365 tenant's unique Organization ID, also known as Tenant ID or Directory ID. This identifier is most reliably retrieved using the Get-OrganizationConfig PowerShell cmdlet, specifically by selecting its OrganizationId property. The initialDomain is universally recognized as your tenant's original .onmicrosoft.com domain, provisioned when your Microsoft 365 service was initially set up. It can typically be located within the Microsoft 365 admin center or by employing the Get-MsolDomain PowerShell cmdlet. Both the domainGUID and initialDomain are indispensable for constructing the correct CNAME records that enable DKIM signing, thereby bolstering email authentication and deliverability.

Key findings

  • DomainGUID Equivalence: The domainGUID, essential for DKIM configuration, is consistently identified as your Microsoft 365 tenant's unique Organization ID, Tenant ID, or Directory ID.
  • InitialDomain Definition: The initialDomain is universally understood as your tenant's original .onmicrosoft.com domain, established when your Microsoft 365 tenant was first provisioned.
  • PowerShell for GUID: The most reliable method to obtain the domainGUID is by running the 'Get-OrganizationConfig' PowerShell cmdlet and selecting the 'OrganizationId' property.
  • Finding InitialDomain: The initialDomain can be found in the Microsoft 365 admin center or by using the 'Get-MsolDomain' PowerShell cmdlet.
  • CNAME Component Role: Both the domainGUID and initialDomain are critical components that must be accurately identified to construct the CNAME records needed for DKIM signing.
  • Cmdlet Parameter Use: The structure 'domainGUID.initialDomain' is explicitly used within the 'Identity' parameter of the 'New-DkimSigningConfig' cmdlet, reinforcing their combined necessity.

Key considerations

  • PowerShell Access & Use: Administrators require appropriate permissions to connect to Exchange Online PowerShell and execute cmdlets like Get-OrganizationConfig for retrieving the domainGUID.
  • Varying Terminology: It is important to recognize that 'domainGUID' may also be referred to as Organization ID, Tenant ID, or Directory ID, all signifying the same unique tenant identifier.
  • CNAME Record Accuracy: Correctly formulating the CNAME record in the specified format, typically selector1._domainkey.<domainGUID>.<initialDomain>, is paramount for DKIM to function as intended.
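
A read-only check for the setup described above, as an added example that is not from the page or from Microsoft: it collects the two values, then compares the CNAME targets Exchange Online reports for the custom domain with what is actually published in DNS, so a hand-typed record error shows up before DKIM is enabled. `contoso.com` is a placeholder; `Get-AcceptedDomain`, `Get-DkimSigningConfig` and `Resolve-DnsName` are not named on the page and are used on the assumption that the ExchangeOnlineManagement module and the Windows DnsClient module are available.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed and
# the script runs on Windows (Resolve-DnsName). Placeholder domain below.
$CustomDomain = 'contoso.com'

Connect-ExchangeOnline -ShowBanner:$false

# Value the page identifies as the domainGUID.
$orgId = (Get-OrganizationConfig).OrganizationId

# initialDomain: the accepted domain flagged as the tenant's initial domain.
# Used here instead of Get-MsolDomain so one session covers both lookups.
$initialDomain = (Get-AcceptedDomain | Where-Object { $_.InitialDomain }).DomainName

Write-Host "OrganizationId : $orgId"
Write-Host "Initial domain : $initialDomain"

# Exchange Online reports the exact CNAME targets it expects for the domain,
# which avoids assembling them by hand from the two values above.
$dkim = Get-DkimSigningConfig -Identity $CustomDomain -ErrorAction SilentlyContinue
if (-not $dkim) {
    Write-Warning "No DKIM signing config exists for $CustomDomain yet; create one (New-DkimSigningConfig) and rerun."
    return
}

$expected = [ordered]@{
    "selector1._domainkey.$CustomDomain" = $dkim.Selector1CNAME
    "selector2._domainkey.$CustomDomain" = $dkim.Selector2CNAME
}

$results = foreach ($name in $expected.Keys) {
    # Keep only real CNAME answers; a missing record may return an SOA instead.
    $answer = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $published = if ($answer) { $answer.NameHost.TrimEnd('.') } else { $null }

    [pscustomobject]@{
        Record    = $name
        Expected  = $expected[$name]
        Published = $published
        Match     = [bool]($published -and ($published -ieq $expected[$name]))
    }
}

$results | Format-Table -AutoSize
if ($results.Match -contains $false) {
    Write-Warning "At least one DKIM CNAME is missing or points elsewhere; fix DNS before enabling signing."
}
```

The script changes nothing in the tenant or in DNS; it only reads the configuration and resolves the two selector records.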

Technical article

Documentation from Microsoft Learn explains that the domainGUID required for DKIM signing configuration in Microsoft 365 refers to the OrganizationId of your Microsoft 365 tenant, which can be retrieved by running Get-OrganizationConfig | Select-Object OrganizationId. The initialDomain is your primary .onmicrosoft.com domain, typically found via Get-MsolDomain or in the Microsoft 365 admin center.

16 Oct 2021 - Microsoft Learn

Technical article

Documentation from Microsoft Learn explains that to find the domainGUID for DKIM configuration, administrators should use the Get-OrganizationConfig PowerShell cmdlet and look for the OrganizationId property. The initialDomain is identified as the original .onmicrosoft.com domain provisioned with the tenant, which can be seen by running Get-MsolDomain or in the Microsoft 365 admin center.

18 Aug 2024 - Microsoft Learn
