When you send mail from Outlook or a Microsoft 365 tenant, recipients may see DKIM failures in the message headers. The usual cause is a selector mismatch: the s= tag of the DKIM-Signature header names a selector, but no matching public key is published at <selector>._domainkey.<your domain> in DNS. Receiving servers then cannot verify the signature, and your messages may be treated as suspicious or routed to spam. This article explains why a DKIM selector mismatch occurs on outbound mail sent through Outlook and Microsoft 365, and gives the steps that make the published DNS records and the signed headers agree so your messages pass authentication.
Key Takeaways: Fixing DKIM Selector Mismatch in Outlook and Microsoft 365
- Microsoft 365 Defender portal > Email & Collaboration > Policies & Rules > Threat Policies > DKIM: confirm that signing is enabled for your domain and copy the CNAME values for both selectors, selector1 and selector2.
- DNS hosting provider > CNAME records for selector1._domainkey.yourdomain.com and selector2._domainkey.yourdomain.com: both must exist and point to selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com and selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com exactly as the portal shows them.
- Outlook desktop client > File > Account Settings > Account Settings > Change > More Settings > Outgoing Server: confirm that Outlook submits mail through Microsoft 365 (smtp.office365.com with authentication). Mail handed to any other SMTP server never passes through the Microsoft 365 signing pipeline.
Why a DKIM Selector Mismatch Occurs on Outbound Mail
DKIM puts a selector in the s= tag of the DKIM-Signature header; together with the signing domain in the d= tag, it tells the receiving server to fetch the public key from the DNS name <s>._domainkey.<d>. Microsoft 365 uses two selectors per domain, selector1 and selector2, and rotates between them. When you enable DKIM for a custom domain, Microsoft 365 generates two CNAME records that you add to your DNS zone; each aliases <selector>._domainkey.yourdomain.com to a name in Microsoft's DNS where the current public key is published. A mismatch happens when the selector named in the outgoing mail header does not resolve to the key Microsoft 365 is signing with. This can occur if:
Selector Not Added to DNS
If the CNAME records for selector1._domainkey and selector2._domainkey are not in your DNS, the receiving server's query for the key named by the signature's s= and d= tags returns nothing, and the signature cannot be verified; receivers report this as a DKIM failure with a reason along the lines of no key found for the signature. The portal checks for the records when you enable signing, so in practice this usually means the records were deleted later, for example during a move to a new DNS provider.
Wrong Selector in DNS Record
Some administrators copy the wrong CNAME target (from another tenant, another domain, or an outdated document), or a third-party DKIM service has left its own records at the selector names. If the record at selector1._domainkey.yourdomain.com does not point to selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com, or the selector2 record does not point to selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com, the key the receiver fetches is not the key Microsoft 365 signed with, and verification fails. The name after _domainkey in the target is your tenant's initial .onmicrosoft.com domain, which can differ from yourdomain; always copy the values shown in the portal rather than constructing them by hand.
SMTP Relay Without DKIM Signing
If Outlook submits mail through an SMTP server other than Microsoft 365 (an on-premises relay, an ISP's server, or a marketing platform), Microsoft 365 never handles the message and never signs it. The message then arrives either with no DKIM-Signature header at all, or with one added by the relay under the relay's own domain and selector, which does not align with your From domain. Outlook desktop clients configured as POP or IMAP accounts with their own SMTP server settings are the usual way this happens.
Steps to Fix the DKIM Selector Mismatch in Microsoft 365 and Outlook
Follow these steps in order. You need access to the Microsoft 365 Defender portal and your DNS hosting provider.
- Open the Microsoft 365 Defender portal
Go to https://security.microsoft.com and sign in with a Global Administrator or Security Administrator account. In the left navigation, expand Email & Collaboration and select Policies & Rules. Then click Threat Policies and choose DKIM from the list.
- Locate your domain and check which selectors it uses
On the DKIM page, find your custom domain in the Domain column and click it to open its details. The pane shows whether signing is enabled for the domain and lists the CNAME records for both selectors, selector1 and selector2. Microsoft 365 alternates between the two when it rotates keys, so both records must be published; do not publish only the selector that happens to be signing today.
- Copy the correct CNAME values
In the same details pane, copy the two CNAME records exactly as displayed. They look like this, where the name after _domainkey is your tenant's initial .onmicrosoft.com domain (which is not necessarily derived from yourdomain):
– selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
– selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
- Add the CNAME records to your DNS provider
Log in to your DNS hosting provider (GoDaddy, Cloudflare, Namecheap, etc.) and open the DNS records for your domain. Add two CNAME records:
– Host name: selector1._domainkey and selector2._domainkey (some providers expect the fully qualified name, selector1._domainkey.yourdomain.com)
– Target: the full CNAME values you copied in the previous step
– TTL: 3600 seconds or the default
If a TXT record already exists at either host name, typically left behind by a previous DKIM provider, delete it first: DNS does not allow a CNAME to coexist with other records at the same name. Save the records. Propagation usually takes minutes, but can take longer if an old record at the same name is still cached elsewhere under a long TTL.
- Verify the DKIM records are published
Use a DNS lookup tool such as nslookup, or an online DKIM checker. Run this command in a command prompt:
nslookup -type=TXT selector2._domainkey.yourdomain.com
Because the name is an alias, nslookup follows it and reports canonical name = selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com, followed by a TXT record that starts with v=DKIM1 and carries the public key in its p= tag. If the canonical name differs, or no TXT record comes back, the mismatch remains. Repeat the query for selector1.
- Enable DKIM signing in the Defender portal
Back in the domain's DKIM pane, set Sign messages for this domain with DKIM signatures to enabled and save. The setting applies to the domain as a whole; Microsoft 365 chooses which of the two selectors signs and rotates between them. If the portal reports that it cannot find the CNAME records, the DNS change has not propagated yet; wait and retry. Microsoft 365 now signs outbound mail with d= set to your domain and s= set to the active selector.
- Test outbound mail from Outlook
Send a test message from the Outlook desktop client or Outlook on the web to a Gmail or Yahoo address. Open the received message and view its full headers. In the DKIM-Signature header, d= must be your domain and s= must be selector1 or selector2, for example s=selector2. The receiver's Authentication-Results header should show dkim=pass for that signature. If d= still shows your .onmicrosoft.com domain, signing for the custom domain is not enabled yet; if s= is anything other than selector1 or selector2, the message was signed by something other than Microsoft 365.
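The DNS side of the procedure above (steps 3 to 5) can be checked in one pass rather than by eyeballing nslookup output. The following is an added example, not code from the article or from Microsoft. It computes the two CNAME names and targets Microsoft 365 expects for a custom domain (selector1 or selector2, the custom domain with its dots replaced by dashes, then ._domainkey. and the tenant's initial .onmicrosoft.com domain) and compares them with what DNS actually returns. The domains contoso.com, fabrikam.net and their .onmicrosoft.com tenants, the `SAMPLE_ZONE` answers and the `sample_lookup` resolver are all constructed so the script runs offline; to test a live domain, pass a `lookup(name, rrtype)` function that wraps a real resolver such as dnspython's `dns.resolver.resolve`.

```python
"""Offline check of the DKIM CNAME records Microsoft 365 expects for a custom domain.

Added example (not from the article). The resolver is injectable: the default
`sample_lookup` reads a constructed zone so this runs offline; wrap a real
resolver (e.g. dnspython's dns.resolver.resolve) to test a live domain.
"""
from typing import Callable

SELECTORS = ("selector1", "selector2")
Lookup = Callable[[str, str], list[str]]  # (name, rrtype) -> rdata strings, [] if none


def expected_records(custom_domain: str, initial_domain: str) -> dict[str, str]:
    """CNAME name -> target that Microsoft 365 expects.

    The target is '<selector>-<custom domain with dots replaced by dashes>'
    under '_domainkey.<tenant initial domain>'; the same rule covers subdomains
    (mail.contoso.com -> selector1-mail-contoso-com._domainkey.contoso.onmicrosoft.com).
    """
    custom = custom_domain.lower().rstrip(".")
    initial = initial_domain.lower().rstrip(".")
    dashed = custom.replace(".", "-")
    return {f"{sel}._domainkey.{custom}": f"{sel}-{dashed}._domainkey.{initial}" for sel in SELECTORS}


# Constructed zone data for the offline demo: (owner name, rrtype) -> rdata strings.
SAMPLE_ZONE: dict[tuple[str, str], list[str]] = {
    # contoso.com: selector1 correct, selector2 copied from the wrong tenant's portal
    ("selector1._domainkey.contoso.com", "CNAME"): ["selector1-contoso-com._domainkey.contoso.onmicrosoft.com."],
    ("selector1-contoso-com._domainkey.contoso.onmicrosoft.com", "TXT"): [
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAfakekey"],  # truncated, constructed
    ("selector2._domainkey.contoso.com", "CNAME"): ["selector2-contoso-com._domainkey.fabrikam.onmicrosoft.com."],
    # fabrikam.net: selector1 still holds a stale TXT key from a previous provider, selector2 was never added
    ("selector1._domainkey.fabrikam.net", "TXT"): ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCfakekey"],
}


def sample_lookup(name: str, rrtype: str) -> list[str]:
    """Stand-in resolver: exact-match answers from SAMPLE_ZONE, no CNAME chasing."""
    return SAMPLE_ZONE.get((name.lower().rstrip("."), rrtype.upper()), [])


def check_domain(custom_domain: str, initial_domain: str, lookup: Lookup = sample_lookup) -> dict[str, tuple[str, str]]:
    """Return {cname name: (status, detail)}, status in ok | missing | stale-txt | wrong-target | no-key."""
    findings: dict[str, tuple[str, str]] = {}
    for name, target in expected_records(custom_domain, initial_domain).items():
        cnames = [c.lower().rstrip(".") for c in lookup(name, "CNAME")]
        if not cnames:
            # A TXT record at the owner name blocks creating the CNAME; it is the usual
            # leftover of a third-party DKIM setup and has to be deleted first.
            if lookup(name, "TXT"):
                findings[name] = ("stale-txt", f"{name} holds a TXT record where the Microsoft 365 CNAME must go; delete it first")
            else:
                findings[name] = ("missing", f"publish CNAME {name} -> {target}")
        elif target not in cnames:
            findings[name] = ("wrong-target", f"{name} points to {cnames[0]}, expected {target}")
        elif not any(txt.startswith("v=DKIM1") for txt in lookup(target, "TXT")):
            # The CNAME is right but Microsoft's side publishes no key yet; check the tenant's DKIM config.
            findings[name] = ("no-key", f"{target} returns no DKIM key; confirm DKIM is configured for the domain in the tenant")
        else:
            findings[name] = ("ok", f"{name} -> {target}")
    return findings


if __name__ == "__main__":
    for domain, initial in (("contoso.com", "contoso.onmicrosoft.com"), ("fabrikam.net", "fabrikam.onmicrosoft.com")):
        for status, detail in check_domain(domain, initial).values():
            print(f"{status:13} {detail}")
```

Run as-is it reports contoso.com selector1 as ok, selector2 as wrong-target (the fabrikam tenant), and fabrikam.net selector1 as stale-txt and selector2 as missing. With a live resolver the TXT query at the target follows Microsoft's own DNS, so an ok result means a receiver querying that selector will find the key.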
If Outlook Still Has DKIM Issues After the Main Fix
Outlook SMTP Relay Sends Mail Without DKIM Signature
If Outlook is set up as a POP or IMAP account that sends through an SMTP server other than Microsoft 365, the DKIM signature is missing because Microsoft 365 never sees the message. Point Outlook at Microsoft 365 instead: smtp.office365.com on port 587 with STARTTLS. In Outlook, go to File > Account Settings > Account Settings, select the account, click Change, then More Settings. On the Outgoing Server tab, check My outgoing server (SMTP) requires authentication and select Use same settings as my incoming mail server. On the Advanced tab, set the outgoing server port to 587 and set the encryption type to STARTTLS (older Outlook versions label it TLS). This path depends on SMTP AUTH, which Microsoft disables by default in newer tenants and which must be enabled for the mailbox; the simpler fix is to add the mailbox to Outlook as a Microsoft 365 (Exchange) account, which always submits through Microsoft 365 and needs no SMTP settings at all.
DKIM Selector Shows a Third-Party Value
If you previously used a third-party email security gateway or mail provider, the DKIM-Signature header may still carry that provider's selector (for example s=google from Google Workspace) with d= set to your domain, while the matching key has since been removed from DNS. Check what is still published at selector1._domainkey and selector2._domainkey and at the old provider's selector names, delete any stale TXT records there, and add the Microsoft 365 CNAME records as described in the step-by-step section. If the old provider is still in the outbound path and signing, stop it from signing or remove it from the path; otherwise its stale signature keeps failing. Then disable and re-enable DKIM signing in the Defender portal.
DKIM Signature Shows Multiple Selectors
Some messages carry more than one DKIM-Signature header, for example one from Microsoft 365 and one from an email security gateway or marketing platform. That is allowed: receivers verify each signature independently, and DMARC is satisfied as long as at least one passing signature has a d= aligned with your From domain. A second signature whose selector is no longer published fails on its own; it does not break the Microsoft 365 signature, but it does show up as dkim=fail in headers and DMARC reports. Check the headers for every DKIM-Signature line and note each d= and s=. If a signature comes from a service you no longer use, disable signing in that service or remove it from the mail path; if the service is still legitimately in the path, publish its key rather than deleting the signature. Do not remove the Microsoft 365 CNAME records while chasing a third-party signature.
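The header check from the test step (d= and s= of each DKIM-Signature against the receiver's Authentication-Results) and the multiple-signature case just described can be done with a small script instead of reading raw headers. This is an added example, not code from the article or from Microsoft. It parses every DKIM-Signature tag list, matches each signature to the receiver's dkim= verdict by selector and domain, and reports whether at least one passing signature aligns with the From domain. The message in `SAMPLE` is constructed: a Microsoft 365 signature under selector2 for contoso.com next to a stale gateway signature for gateway.example, with an Authentication-Results header in the shape Gmail writes; the b= and bh= values are placeholders. Alignment uses a simple relaxed rule (same domain or a subdomain) and ignores the public suffix list.

```python
"""Read the DKIM-Signature and Authentication-Results headers of a received message.

Added example (not from the article). Parsing is deliberately minimal: it handles
the tag=value syntax of DKIM-Signature and the 'dkim=<result> header.s=... header.i=@...'
clauses that large receivers write; alignment is a suffix check without the public suffix list.
"""
import email
import re
from email import policy
from email.utils import parseaddr


def parse_tag_list(value: str) -> dict[str, str]:
    """Parse 'v=1; a=rsa-sha256; d=...; s=...' into a dict.
    Folding whitespace inside values (typical in the long b= tag) is dropped."""
    tags: dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags


def parse_auth_results(value: str) -> list[dict]:
    """Extract every dkim=<result> clause with its header.s and header.d (or header.i) property."""
    verdicts = []
    for clause in value.split(";")[1:]:  # clause 0 is the authserv-id, e.g. mx.google.com
        m = re.match(r"dkim=(\w+)(.*)", clause.strip(), re.S)
        if not m:
            continue
        result, props = m.groups()
        sel = re.search(r"header\.s=(\S+)", props)
        dom = re.search(r"header\.d=(\S+)", props) or re.search(r"header\.i=@?(\S+)", props)
        verdicts.append({"result": result.lower(),
                         "s": sel.group(1) if sel else None,
                         "d": dom.group(1).lower() if dom else None})
    return verdicts


def analyze(raw: str) -> dict:
    """Per-signature report plus the DMARC-relevant question: is there an aligned dkim=pass?"""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    verdicts = [v for h in msg.get_all("Authentication-Results", []) for v in parse_auth_results(str(h))]
    signatures = []
    for h in msg.get_all("DKIM-Signature", []):
        tags = parse_tag_list(str(h))
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        verdict = next((v["result"] for v in verdicts if v["s"] == s and v["d"] == d), "unknown")
        signatures.append({
            "s": s, "d": d,
            "key_record": f"{s}._domainkey.{d}",  # the DNS name the receiver queried for the key
            "aligned": d == from_domain or d.endswith("." + from_domain),
            "result": verdict,
        })
    return {
        "from_domain": from_domain,
        "signatures": signatures,
        # DMARC needs one passing signature whose d= aligns with the From domain;
        # a failing signature from some other domain does not by itself break this.
        "dkim_aligned_pass": any(x["aligned"] and x["result"] == "pass" for x in signatures),
    }


# Constructed sample: Microsoft 365 signature (selector2) plus a stale gateway signature.
SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@contoso.com header.s=selector2 header.b=QkFTRTY0;
       dkim=fail header.i=@gateway.example header.s=s1 header.b=ZmFpbGVk
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.com; s=selector2;
 h=From:To:Subject:Date; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
 b=QkFTRTY0c2lnbmF0dXJlcGxhY2Vob2xkZXI=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gateway.example; s=s1;
 h=From:To:Subject; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
 b=ZmFpbGVkc2lnbmF0dXJlcGxhY2Vob2xkZXI=
From: Alice <alice@contoso.com>
To: bob@example.net
Subject: DKIM test
Date: Mon, 01 Jan 2024 10:00:00 +0000

test body
"""

if __name__ == "__main__":
    report = analyze(SAMPLE)
    for sig in report["signatures"]:
        print(f"s={sig['s']:<10} d={sig['d']:<16} aligned={sig['aligned']!s:<5} result={sig['result']}")
    print("aligned DKIM pass:", report["dkim_aligned_pass"])
```

For the sample, the contoso.com signature under selector2 is aligned and passes, the gateway.example signature is unaligned and fails, and the overall aligned-pass answer is true: exactly the situation where the failing second signature is noise to clean up, not the cause of a DKIM mismatch on your domain. Feed it the full headers of a real test message (saved as text) to see the same breakdown.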
DKIM Selector Types in Microsoft 365: Default vs Custom
| Item | Default selector (selector1 or selector2) | Custom selector (third-party) |
|---|---|---|
| Description | Generated automatically by Microsoft 365 for your domain | Created by an administrator or a third-party signing service |
| Where to configure | Microsoft 365 Defender portal DKIM settings, plus the two CNAME records at your DNS provider | DNS provider and the third-party email gateway |
| DNS record | CNAME from selector1._domainkey.yourdomain.com to selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com (same pattern for selector2) | Varies by provider; often a TXT record holding the key directly, for example at s1._domainkey.yourdomain.com |
| DKIM signing control | Managed by Microsoft 365, including key rotation behind the CNAME | Managed by the third-party service |
| Mismatch risk | Low once both CNAMEs are published; key rotation needs no DNS change | High if the service rotates keys or is decommissioned without updating DNS |
A DKIM selector mismatch prevents your outbound mail from passing authentication. Once the CNAME records in your DNS match the two selectors Microsoft 365 uses for the domain and signing is enabled in the Microsoft 365 Defender portal, outbound messages carry a signature with d= set to your domain that receivers can verify. Confirm it with a test message: the DKIM-Signature s= must be selector1 or selector2, and the receiver's Authentication-Results must show dkim=pass. For ongoing monitoring, publish a DMARC record for the domain with an rua= address (or point it at a DMARC reporting service); the aggregate reports list, per sending source, whether DKIM passed and which d= and s= values were used, so a broken or stale selector shows up without waiting for user complaints.