Office 365 DKIM CNAME records not recognised by Microsoft


Hi all!

I use Office 365 to host my company's mail server, the DNS of which is controlled by CloudFlare. I am currently trying to add DKIM (DomainKeys Identified Mail) authentication to my outgoing mail.

The way to do this (according to Microsoft) is to add 2 CNAME records to your DNS record (removed company name for confidentiality):

selector1_domainkey |
selector2_domainkey |

I did this about 2 weeks ago; however, for some reason I am still not able to enable DKIM authentication from the O365 portal, which throws the error message that the CNAME records can’t be found.

I opened up a ticket with Microsoft, who couldn’t resolve my issue and suggested that I ask you guys instead. So here I am!

Does anyone have any experience with setting up DKIM authentication behind CloudFlare? If so, did you face these same issues?

All help is greatly appreciated!


Microsoft’s instructions on setting these up show the records as :orange:; they should be :grey:. Microsoft is looking to validate the actual value, which requires :grey:.



Thanks for getting back to me. So you’re saying I need to take my domain out from CloudFlare protection, and only use it as a DNS server?



No, only for the DKIM records they are trying to validate.


Thanks for getting back to me.

I don’t see the option to set CloudFlare as ‘DNS only’ for these records. Please see my screenshot below.



Doh, sorry, I forgot they added logic to detect domain key records and prevent the confusion I described.

dig returns a record that matches the record you have above. Are you sure the value is correct and that perhaps companynameltd shouldn’t be or something?

The value itself seems to match what you wrote, so happy to help if Microsoft can just tell us what is wrong (if it isn’t the value of the record).


I’m fairly sure. Those 2 CNAME records were the ones that Microsoft said I should implement. My first thought was I had mis-entered the records, however I spoke directly with a Microsoft support rep who confirmed that they were correct.

Will ask them for a more specific error.
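
Added example, not part of the original thread: a small Python helper that classifies the output of `dig +noall +answer` for a DKIM selector name, separating the cases discussed above (CNAME visible with the expected value, only A/AAAA answers as with a proxied record, wrong target, nothing returned). The hostnames and the `check_dkim_cname` helper are constructed for illustration; the `<selector>._domainkey.<domain>` name check follows RFC 6376.

```python
# Added example: classify `dig +noall +answer <name>` output for a DKIM
# selector CNAME. All hostnames are constructed placeholders, not the
# poster's records.

def parse_answer(text):
    """Parse dig answer-section lines into (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig comment lines
        parts = line.split(None, 4)  # owner, TTL, class, type, rdata
        if len(parts) == 5:
            owner, _ttl, _cls, rtype, rdata = parts
            records.append((owner.rstrip(".").lower(), rtype.upper(),
                            rdata.rstrip(".").lower()))
    return records

def check_dkim_cname(answer_text, name, expected_target):
    """Return a verdict string for one selector name."""
    name = name.rstrip(".").lower()
    expected = expected_target.rstrip(".").lower()
    labels = name.split(".")
    # RFC 6376 places the key at <selector>._domainkey.<domain>
    if len(labels) < 3 or labels[1] != "_domainkey":
        return "bad-name"
    own = [r for r in parse_answer(answer_text) if r[0] == name]
    cnames = [r[2] for r in own if r[1] == "CNAME"]
    if cnames:
        return "ok" if cnames[0] == expected else "wrong-target"
    if any(r[1] in ("A", "AAAA") for r in own):
        # Only addresses came back: the CNAME value is hidden from the
        # validator (for example a proxied or flattened record).
        return "no-cname-visible"
    return "missing"

# Constructed sample data
NAME = "selector1._domainkey.example.com"
TARGET = "selector1-example-com._domainkey.example.onmicrosoft.com"
GOOD = NAME + ". 300 IN CNAME " + TARGET + ".\n"
PROXIED = NAME + ". 300 IN A 192.0.2.10\n"

if __name__ == "__main__":
    for label, answer in (("good", GOOD), ("proxied", PROXIED), ("empty", "")):
        print(label, "->", check_dkim_cname(answer, NAME, TARGET))
```

Run it for both `selector1` and `selector2`, pasting the real `dig +noall +answer` output and the target value shown in the Microsoft portal in place of the constructed samples.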


