Can't enable O365 DKIM

I want to enable DKIM but Cloudflare won’t let me. I am following the instruction per Microsoft

From MS:
CNAME record does not exist for this config. Please publish the following two CNAME records first.

But when I try to add the cname, I get an error from Cloudflare saying that a cname record cant reference itself. Please advise.

What value are you putting in for the CNAME? It will be similar to the following (My recollection is that MS don’t make it easy to work out the actual target). The CNAME needs to be :grey:.


Thanks for the reply,
I have tried both “selector1._domainkey” as they suggested and “@”

It sounds like they’re attempting to use a pre-existing hostname for the Name. Maybe they already have a selector1._domainkey entry from before.

I mean for the name of the c record. The full value itself was “”

But I put the actual domain in

There’s no need to put the actual domain in. Just the stuff before your domain name, as it’s something like a subdomain.

If it’s still not working, post a screenshot of all your DNS records. It’s ok to black out any sensitive information.

It does sound like it, but I don’t have any older entries. The specific error I get is:

CNAME content cannot reference itself. (Code: 9039)

I even tried tips from a few forums that people suggest making a txt record instead, but no dice. Microsoft doesn’t see it.

It does need to reference something at Microsoft. Something similar to my Protonmail DKIM:

Thanks for the tip. I think the MS reference is the “Selector1” part.
Here is what I am trying to set:

It doesn’t seem to like the name. It took Selector 2 just fine as long as I didn’t name it domainkey, but it doesn’t work for O365 because that’s not what MS is looking for.

But every time I try I get this error:

It looks like you are setting the wrong target. For Office 365, these are in the form I posted above:


It looks like you are setting these to a target of:

The <domainGUID> and <something>. will come from your Office 365 account.

1 Like

Here’s an example of working Office 365 DKIM:

Thanks for the quick replies. I thought the ".onmicrosof"t was for the default o365 domain, and if you want to personalize it you use the your own domain.

Also the “.onmicrosoft” already had DKIM enabled, I just assumed my domain needed one as well.

If you want to use features such as DMARC, you need to enable DKIM signing on your custom domain. And DMARC is recommended.

It does…and you’re using the one from O365. DKIM is a digital signature key, so when O365 signs a message on your email, you need to let the world know which key your domain uses (it’s the one provided by O365).

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.