How to find domainGUID and initialDomain for DKIM setup with custom domains in Office 365?

Key findings

• DomainGUID: This is a unique identifier assigned by Microsoft to your domain within their ecosystem. It is often derived from the prefix of your domain's MX record in Office 365 (e.g., example-org for example.org).
• InitialDomain: This refers to the default .onmicrosoft.com domain that Microsoft initially assigns to your tenant (e.g., exampleorg.onmicrosoft.com, where exampleorg is the initial domain).
• Purpose: Both domainGUID and initialDomain are essential for constructing the two CNAME records required for DKIM, typically in the format selector1-domainGUID._domainkey.initialDomain.onmicrosoft.com.
• Locating them: While Microsoft's documentation can guide you, direct retrieval often involves using PowerShell commands or carefully inspecting existing DNS records, especially your MX record, to infer these values. This is a common method for verifying your DKIM setup.

Key considerations

• PowerShell usage: For a precise and reliable method, connecting to Exchange Online PowerShell and running specific commands (like Get-MsolDomain or Get-DkimSigningConfig) is recommended to retrieve these values directly. You can also refer to guides such as Ali Tajran's guide for a step-by-step approach.
• DNS management: Once found, these identifiers must be used to create CNAME records in your DNS provider's interface. Accuracy is paramount to ensure your DKIM signatures are correctly validated.
• Verification: After publishing the CNAME records, it is crucial to verify their propagation and activation within Office 365. This often involves enabling DKIM signing for your custom domain through the Microsoft 365 Defender portal or PowerShell. Ensuring proper DKIM implementation is key to email deliverability.
• Impact on deliverability: Correct DKIM configuration is a fundamental aspect of email authentication, significantly impacting your sender reputation and reducing the likelihood of your emails being flagged as spam or blocked by recipient mail servers.

Key opinions

• Initial confusion: Many marketers admit that Microsoft's DKIM setup, particularly the need for unique identifiers, can be confusing at first, necessitating thorough study of documentation.
• Learning curve: The sentiment is that once you've gone through the process once, it becomes much easier, highlighting a significant learning curve but ultimately a manageable task.
• MX record inference: A practical approach shared involves parsing the domainGUID from the prefix of the domain's MX record, indicating a common workaround or discovery method.
• Initial domain clarity: The initialDomain is understood to be the prefix of the automatically assigned .onmicrosoft.com domain.

Key considerations

• Documentation review: Marketers often highlight the need to thoroughly review Microsoft's official documentation, even if it initially seems dense, as it contains the precise steps required.
• Community support: Engaging with Microsoft communities or forums, such as Spiceworks Community, is often suggested as a valuable resource for troubleshooting and getting practical advice on tricky configurations.
• Patience and persistence: Given the initial complexity, a common consideration is to approach the setup with patience, knowing that the understanding will solidify with practice. This is essential for setting up email authentication.
• Verification steps: Always double-check DNS records and verify the DKIM status in the Microsoft 365 admin center or through PowerShell to ensure the configuration is active and correct.

Key opinions

• Foundational for deliverability: Proper DKIM setup is considered foundational for email deliverability, especially within Microsoft 365 environments, to ensure messages pass DMARC alignment checks and reach the inbox.
• Critical identifiers: The domainGUID and initialDomain are critical for constructing the correct CNAME records required by Microsoft for DKIM, requiring careful verification of these values.
• Security implications: DKIM configuration in Office 365 not only improves sender reputation but also protects against phishing and spoofing by verifying the authenticity of outgoing messages from custom domains.
• Precision is key: While the naming conventions can seem obscure, these specific identifiers ensure that the DKIM signature is correctly tied to the Office 365 tenant, preventing impersonation and ensuring validation.

Key considerations

• Leveraging PowerShell: Experts recommend using PowerShell for precise retrieval of these parameters, as manual derivation can be prone to errors. This ensures the integrity of the DKIM setup for Microsoft-related DKIM issues.
• Understanding Microsoft's ecosystem: It's important to grasp Microsoft's unique way of handling domains and identifiers to effectively configure DKIM, which differs from generic email service providers.
• DNS propagation: Always account for DNS propagation delays when setting up new CNAME records for DKIM. Verify that the records are live globally before troubleshooting further.
• Comprehensive authentication: While DKIM is vital, experts emphasize that it should be part of a broader email authentication strategy involving SPF and DMARC for maximum deliverability and security benefits. This is covered in our simple guide to DMARC, SPF, and DKIM.

Key findings

• CNAME record requirements: Documentation consistently specifies the need for two CNAME records for each custom domain configured with DKIM in Office 365.
• Record format: The format for these CNAME records involves specific selectors (selector1, selector2), the domainGUID, and the initialDomain.onmicrosoft.com as the target.
• PowerShell for key generation: Official guides often detail PowerShell commands for generating or retrieving these DKIM-specific CNAME values, emphasizing accuracy.
• Activation in M365 Defender: Post-DNS configuration, the documentation directs users to the Microsoft 365 Defender portal to enable DKIM signing for the selected domain, confirming the setup.

Key considerations

• Syntax precision: The exact syntax for CNAME records, including the concatenation of selector, domainGUID, and initialDomain, must be followed precisely to avoid DKIM validation failures.
• DNS propagation time: Documentation often reminds users about the time required for DNS changes to propagate globally, advising patience before expecting the DKIM status to update. This is especially relevant for where records should be placed.
• Continuous monitoring: While initial setup is key, some documentation encourages ongoing verification of DKIM status to ensure continued email authentication, particularly after any domain or tenant changes. For official guidelines, consult Microsoft's official documentation on DKIM.
• Authentication standards: The documentation consistently frames DKIM as a crucial component of modern email authentication standards (alongside SPF and DMARC) for protecting against spoofing and improving deliverability.