Yahoo/AOL Rejection - DKIM/DMARC Records Required
Incident Report for Zix | AppRiver

*Please Note before proceeding* - If you are using Email Threat Protection Smarthosting for outbound service, DKIM/DMARC will need to be configured there instead of O365 – see the following link for ETP Smarthosting - Zix | AppRiver Status - DKIM signing for Email Threat Protection


Yahoo/Aol and a few other providers recently made some security updates and are beginning to require DKIM/DMARC in addition to SPF. These records would need to be configured with your DNS provider, in order to prevent the rejections, you have received.

Please ensure you have SPF (TXT) record configured first before proceeding with O365 DKIM/DMARC.


How to enable/add DKIM:

Generate DKIM keys within the M365 Admin Center -

1. Sign-in through the M365 admin center as a global administrator

2. In the left-hand menu, click on Security under Admin Centers. This will take you to the Microsoft Defender Portal.

3. From there, Under Email & Collaboration - click on Policies and Rules --> Threat policies --> Email Authentication Settings --> DKIM --> Select your Domain and Enable.

4. You can select Generate DKIM Key and it will populate the required CNAME record information


It will show in the form of an error message when attempting to enable. This error message also contains the needed CNAME records.

***Once you have configured these two CNAME records on your DNS side, please go back to the same location mentioned above in the Microsoft Defender Portal.***

1. M365 admin center --> Security Admin Center (Microsoft Defender Portal) --> Policies and Rules --> Threat policies --> Email Authentication Settings --> DKIM --> Click on Domain and Enable DKIM.


***DKIM should now be successfully be enabled.***


How to add DMARC:

1. After DKIM is enabled and configured, please contact your DNS provider for assistance with creating a DMARC record.

There is also third-party tools and sites that can be used as a DMARC generator to generate a DMARC record for you. Then you can add the record through your DNS provider.




For more information regarding both records, please see the articles below.

Set up DKIM to sign mail from your Microsoft 365 domain:


Set up DMARC to validate the From address domain for senders in Microsoft 365:

Posted Mar 11, 2024 - 10:47 CDT
This incident affects: Office 365.