By Peter, Edos Solutions. 29 October 2025. 4 min read

Why Microsoft 365 DKIM stops signing your email — and how to fix it

Microsoft 365 signs outbound mail with DKIM keys that Microsoft hosts; your DNS carries only two CNAME records, selector1 and selector2, pointing at those keys. When it's working, every outbound message from your Exchange Online tenant carries a DKIM-Signature header with d= set to your domain. When it stops, nothing bounces: Exchange Online still delivers and receivers still accept, because SPF usually carries DMARC on its own. DKIM alignment just fails silently, right up until a message is forwarded or relayed through a mailing list, where SPF breaks too and your own DMARC policy is applied to your own mail.

Unless you go looking, the only signal is in DMARC aggregate (RUA) reports, which break out DKIM and SPF pass/fail counts per sending source. Most organisations aren't reviewing these regularly.
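As an added example (not the article's own code), this is how you would pull the DKIM verdicts out of an aggregate report. The report embedded in the script is constructed: one record is an Exchange Online source whose mail passes SPF but fails aligned DKIM, the other is the same mail after a forwarder, where SPF breaks too and p=reject takes effect. The domain, IPs and reporting organisation are placeholders.

```python
"""Summarise DKIM outcomes from a DMARC aggregate (RUA) report.

Added example, not code from the original article. SAMPLE_RUA_XML is a
constructed, abbreviated report in the RFC 7489 Appendix C layout; real
reports arrive by mail as gzip or zip attachments, one per reporting
organisation per day.
"""
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile
from collections import defaultdict

SAMPLE_RUA_XML = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <date_range><begin>1761696000</begin><end>1761782399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p>
  </policy_published>
  <!-- Exchange Online source: DKIM failing, SPF still carrying DMARC -->
  <record>
    <row>
      <source_ip>40.107.0.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- Same mail after a forwarder: no aligned DKIM, SPF now fails, so p=reject bites -->
  <record>
    <row>
      <source_ip>203.0.113.7</source_ip><count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>forwarder.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def read_report_bytes(data: bytes) -> str:
    """Unpack a report attachment: raw XML, .gz (magic 1f 8b) or .zip (PK\\x03\\x04)."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    elif data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(zf.namelist()[0])
    return data.decode("utf-8")


def summarise(xml_text: str) -> dict:
    """Per source IP: message count and the DMARC-evaluated (aligned) DKIM/SPF results."""
    root = ET.fromstring(xml_text)
    per_ip = defaultdict(lambda: {"count": 0, "dkim_pass": 0, "dkim_fail": 0,
                                  "spf_pass": 0, "rejected": 0})
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        n = int(row.findtext("count"))
        s = per_ip[row.findtext("source_ip")]
        s["count"] += n
        # policy_evaluated/dkim is the *aligned* DKIM verdict: an unsigned message,
        # or one signed only by onmicrosoft.com, shows up here as "fail".
        s["dkim_pass" if evaluated.findtext("dkim") == "pass" else "dkim_fail"] += n
        if evaluated.findtext("spf") == "pass":
            s["spf_pass"] += n
        if evaluated.findtext("disposition") in ("quarantine", "reject"):
            s["rejected"] += n
    return dict(per_ip)


def silent_dkim_failures(per_ip: dict, min_fail_ratio: float = 0.05) -> list:
    """Sources whose mail is still delivered on SPF alone while DKIM fails.

    This is the condition the article describes: nothing bounces, so only the
    report reveals it. min_fail_ratio is a tuning knob, not a standard value.
    """
    flagged = []
    for ip, s in per_ip.items():
        if s["count"] and s["dkim_fail"] / s["count"] >= min_fail_ratio and s["spf_pass"]:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    text = read_report_bytes(gzip.compress(SAMPLE_RUA_XML.encode()))  # simulate a .gz attachment
    stats = summarise(text)
    for ip, s in sorted(stats.items()):
        print(f"{ip:15} total={s['count']:5} dkim_fail={s['dkim_fail']:5} "
              f"spf_pass={s['spf_pass']:5} rejected={s['rejected']:5}")
    print("silent DKIM failures:", silent_dkim_failures(stats))
```

Run it against a day's worth of real reports and the Exchange Online source IPs (40.107.x.x, 40.92.x.x and friends) should show dkim_fail at or near zero; anything else on a source you own is the failure this article is about, and the forwarder row is what it costs you once p=reject is in place.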

Common causes

Licence migration. Moving between Microsoft 365 licence tiers, particularly migrations that change the underlying service plan, can reset the DKIM signing configuration. The Exchange Admin Center may still show DKIM as Enabled even though signing has stopped, so after a migration verify with a test message rather than trusting the status page.

Custom domain changes. Adding or removing a custom domain, or changes to domain federation settings, can disrupt DKIM signing for existing domains on the tenant.

Selector rotation failure. Microsoft rotates your DKIM key periodically by switching between the two selectors, which is why the records are CNAMEs rather than the key itself: the new key appears behind the CNAME target without you publishing anything. If the CNAME for the selector being rotated to is missing or points at the wrong target, receivers can't fetch the public key and every message signed with that selector fails verification. No alert, no bounce, nothing until you check.

DKIM never enabled. DKIM for custom domains on Exchange Online is not automatic. Until you publish the CNAME records Microsoft provides and explicitly enable DKIM for the domain, Exchange Online signs that domain's mail with the tenant's default onmicrosoft.com key. Receivers may well report dkim=pass on those messages, but the signing domain doesn't match your From domain, so it counts for nothing under DMARC. Many M365 tenants have been in this state since initial setup.

How to check

In the Exchange Admin Center, go to Email authentication → DKIM, select your domain and confirm that the status shows Enabled and that the CNAME records it lists are actually published in your DNS. Get-DkimSigningConfig in Exchange Online PowerShell shows the same status together with the exact Selector1CNAME and Selector2CNAME targets.

The two M365 DKIM selectors are selector1._domainkey.yourdomain.com and selector2._domainkey.yourdomain.com. Each should be a CNAME to selector1-yourdomain-com._domainkey.<tenant>.onmicrosoft.com (selector2-... for the second; dots in your domain become dashes, and <tenant> is your initial onmicrosoft.com name), and a TXT query on the selector name should follow that CNAME to a record beginning v=DKIM1 with a non-empty p= key. Check both: Microsoft alternates between them on rotation, so a selector that is missing today is the one that breaks verification at the next rotation.

Alternatively, run your domain through the Email Authentication Checker, which resolves both DKIM selectors and tells you whether they return valid keys.

How to fix it

  1. Go to Exchange Admin Center → Email authentication → DKIM
  2. Select your domain
  3. If Disabled: click Enable. If the CNAME records aren't in DNS yet, the portal refuses and shows you the two CNAME records to create
  4. Publish the CNAME records Microsoft provides to your DNS exactly as given (they point at your tenant's onmicrosoft.com domain, not at a key you host)
  5. Wait for propagation (check the TTL, usually 3600 seconds)
  6. Return to Exchange Admin Center, click Enable if the portal refused earlier, and confirm the status shows Enabled
  7. Send a test message to an external mailbox and inspect the headers: you want a DKIM-Signature with d=yourdomain.com and s=selector1 or selector2, and dkim=pass with header.d=yourdomain.com in the receiving server's Authentication-Results header

If the Exchange Admin Center shows Enabled but DKIM is still not signing, disable and re-enable DKIM for the domain. This re-validates the CNAME records and re-applies the signing configuration on the tenant side, and resolves most cases where tenant configuration is inconsistent. If you also want a fresh key, Rotate-DkimSigningConfig in Exchange Online PowerShell generates one and switches the active selector to it.
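The header check in step 7, worked through as an added example that is not from the article. Both messages are constructed: yourdomain.com, yourtenant.onmicrosoft.com, receiver.example and the signature values are placeholders. The second message is the "DKIM never enabled" case: the receiver reports dkim=pass and even dmarc=pass (via SPF), yet the signature isn't yours.

```python
"""Read the DKIM evidence out of a test message's headers.

Added example, not code from the original article. The two messages below
are constructed; the domains, selector names and signature values are
placeholders for what a Microsoft 365 tenant produces.
"""
import email
import email.policy
import email.utils
import re

# Constructed: what a correctly signed message looks like once it has arrived.
SIGNED_MESSAGE = """\
Authentication-Results: mx.receiver.example; dkim=pass header.d=yourdomain.com header.s=selector1;
 spf=pass smtp.mailfrom=yourdomain.com; dmarc=pass header.from=yourdomain.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=placeholderbodyhash=; b=placeholdersignature=
From: Peter <peter@yourdomain.com>
To: check@receiver.example
Subject: DKIM test
Date: Wed, 29 Oct 2025 10:00:00 +0000
Message-ID: <dkim-test-1@yourdomain.com>

Test body.
"""

# Constructed: the same message from a tenant where custom-domain DKIM is off.
# Exchange Online falls back to signing with the tenant's onmicrosoft.com key,
# so the receiver still says dkim=pass, and dmarc=pass thanks to SPF.
UNALIGNED_MESSAGE = """\
Authentication-Results: mx.receiver.example; dkim=pass header.d=yourtenant.onmicrosoft.com header.s=selector1;
 spf=pass smtp.mailfrom=yourdomain.com; dmarc=pass header.from=yourdomain.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourtenant.onmicrosoft.com; s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=placeholderbodyhash=; b=placeholdersignature=
From: Peter <peter@yourdomain.com>
To: check@receiver.example
Subject: DKIM test
Date: Wed, 29 Oct 2025 10:00:00 +0000
Message-ID: <dkim-test-2@yourdomain.com>

Test body.
"""


def parse_tag_list(value: str) -> dict:
    """Split a DKIM tag=value list (RFC 6376 section 3.2); folding whitespace is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def check_test_message(raw: str, expected_domain: str,
                       selectors=("selector1", "selector2")) -> dict:
    """Answer the three questions step 7 is really asking: is there a
    DKIM-Signature, is its d= your domain (aligned with From), and did the
    receiver verify it (dkim=pass with header.d= your domain)."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    expected_domain = expected_domain.lower()
    sigs = [parse_tag_list(str(h)) for h in msg.get_all("DKIM-Signature", [])]
    aligned = [s for s in sigs if s.get("d", "").lower() == expected_domain]
    # Authentication-Results can appear several times (receiver, then any hops
    # before it); look for a dkim= verdict whose header.d names our domain.
    verdicts = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    m = re.search(r"dkim=(\w+)[^;]*?header\.d=" + re.escape(expected_domain) + r"\b",
                  verdicts, re.I)
    from_addr = email.utils.parseaddr(str(msg["From"]))[1]
    return {
        "signed": bool(sigs),
        "signing_domains": sorted({s.get("d", "").lower() for s in sigs}),
        "aligned": bool(aligned),
        "selector": aligned[0].get("s") if aligned else None,
        "selector_known": bool(aligned) and aligned[0].get("s") in selectors,
        "receiver_result": m.group(1).lower() if m else "none",
        "from_domain": from_addr.rsplit("@", 1)[-1].lower(),
    }


if __name__ == "__main__":
    for label, raw in (("signed", SIGNED_MESSAGE), ("unaligned", UNALIGNED_MESSAGE)):
        print(label, check_test_message(raw, "yourdomain.com"))
```

Paste the raw headers of your real test message into the check in place of the constructed ones; "signed" and "receiver_result" both being good but "aligned" being false is exactly the onmicrosoft.com fallback, and it is why reading only the dkim= token in Authentication-Results can mislead you.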

Preventing recurrence

Add DKIM signing status to your monitoring. Reviewing DMARC aggregate reports weekly is the minimum: they catch any signing failure within one reporting period, usually a day. A periodic DNS check of both selectors, confirming that each CNAME exists, points at your tenant's onmicrosoft.com target and resolves to a v=DKIM1 record with a non-empty p=, is straightforward to add to any monitoring stack and flags DNS-side failures within minutes. It won't catch the tenant-side case where the records are intact but Exchange has stopped signing; for that you still need the reports, or a scheduled test message whose headers you inspect.
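The selector check from the "How to check" section, written as the scheduled job this paragraph recommends. This is an added example, not the article's own tooling. The DNS answers are constructed (selector1 correct, selector2 never published); the live path assumes the third-party dnspython package.

```python
"""Check both Microsoft 365 DKIM selectors for a domain, as a monitoring job.

Added example, not code from the original article. `resolve` is a callable
(name, record type) -> list of strings, injected so the check runs offline
against the constructed answers in FAKE_DNS; `dns_resolve` is the live
version and assumes dnspython (pip install dnspython) is installed.
"""
import re

SELECTORS = ("selector1", "selector2")

# Shape of the CNAME target Microsoft hands out for a custom domain:
#   selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
M365_TARGET = re.compile(
    r"^(?P<selector>selector[12])-(?P<dashed>[a-z0-9-]+)\._domainkey\."
    r"(?P<tenant>[a-z0-9-]+)\.onmicrosoft\.com\.?$", re.I)


def parse_tag_list(value: str) -> dict:
    """DKIM tag=value list, here used on the TXT record a selector resolves to."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def check_selector(domain: str, selector: str, resolve) -> dict:
    name = f"{selector}._domainkey.{domain}"
    result = {"name": name, "cname": None, "problems": []}
    cnames = resolve(name, "CNAME")
    if not cnames:
        result["problems"].append("no CNAME record published")
    else:
        result["cname"] = cnames[0].rstrip(".").lower()
        m = M365_TARGET.match(result["cname"])
        if not m:
            result["problems"].append("CNAME does not point at an onmicrosoft.com DKIM target")
        elif (m.group("selector").lower() != selector
              or m.group("dashed").lower() != domain.replace(".", "-").lower()):
            result["problems"].append("CNAME target is for a different selector or domain")
    # A TXT query on the selector name follows the CNAME, so this is what verifiers see.
    txts = resolve(name, "TXT")
    if not txts:
        result["problems"].append("no DKIM key resolvable behind the selector")
    else:
        tags = parse_tag_list(txts[0])
        if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1 if present
            result["problems"].append("TXT record is not a DKIM1 key")
        if not tags.get("p"):
            result["problems"].append("empty p= tag: key has been revoked")
    result["ok"] = not result["problems"]
    return result


def check_domain(domain: str, resolve) -> dict:
    return {sel: check_selector(domain, sel, resolve) for sel in SELECTORS}


def healthy(results: dict) -> bool:
    """Both selectors must be good: Microsoft rotates between them, so one bad
    selector means verification breaks at the next rotation, not now."""
    return all(r["ok"] for r in results.values())


# Constructed DNS answers: selector1 is correct, selector2's CNAME was never published.
FAKE_DNS = {
    ("selector1._domainkey.yourdomain.com", "CNAME"):
        ["selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com."],
    ("selector1._domainkey.yourdomain.com", "TXT"):
        ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholderkey"],
}


def fake_resolve(name: str, rtype: str) -> list:
    return FAKE_DNS.get((name.lower(), rtype.upper()), [])


def dns_resolve(name: str, rtype: str) -> list:
    """Live lookup via dnspython; returns [] when the name or record is absent."""
    import dns.resolver  # third-party, imported lazily so the offline demo runs without it
    try:
        answer = dns.resolver.resolve(name, rtype)
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    if rtype.upper() == "TXT":
        # Long keys are split into several character-strings; join them back together.
        return ["".join(s.decode() for s in rr.strings) for rr in answer]
    return [str(rr.target) for rr in answer]


if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 1
    domain = sys.argv[1] if live else "yourdomain.com"
    results = check_domain(domain, dns_resolve if live else fake_resolve)
    for r in results.values():
        print(f"{'OK ' if r['ok'] else 'BAD'} {r['name']} -> {r['cname']} {'; '.join(r['problems'])}")
    sys.exit(0 if healthy(results) else 2)  # non-zero exit so a scheduler can alert
```

Run with no argument for the offline demo, or with your domain for a live check; wire the non-zero exit into whatever cron, systemd timer or monitoring agent you already have. A "no DKIM key resolvable" finding with the CNAME present means the problem is on Microsoft's side of the CNAME, which is the case where you disable and re-enable DKIM for the domain rather than touching DNS.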
