Office 365, DKIM, and a naughty domain name

While helping a customer setup their Office 365 tenant, we ran into an edge case scenario…

An Internet domain name with a hyphen (minus symbol) in it.  Let’s call is

When you setup DKIM for Office 365, the DKIM ‘selector’ entries you have to create within your domain’s DNS zone are of type CNAME, and they refer to custom entries, hosted by Microsoft for your Office 365 tenant.

An example of this is as follows, per Microsoft:

Host name: selector1._domainkey
Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain> 
TTL: 3600

Host name: selector2._domainkey
Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain> 
TTL: 3600


  • For Office 365, the selectors will always be “selector1” or “selector2”.
  • domainGUID is the same as the domainGUID in the customized MX record for your custom domain that appears before For example, in the following MX record for the domain, the domainGUID is contoso-com: 3600 IN MX 5
  • initialDomain is the domain that you used when you signed up for Office 365. Initial domains always end in For information about determining your initial domain, see Domains FAQ.

Note: The domain name portion (<domainGUID>) of the Fully Qualified Domain Name (FQDN) of which is contoso and its Top Level Domain (TLD), .com are not separated as expected with a period in the ‘target’ value of the CNAME records.

Instead, they are separated with a hyphen (minus symbol) as in: contoso-com

So if the delimiter between your domain name and TLD is a hyphen, what happens if your domain itself contains a hyphen (e.g.

This is where the trouble comes, but how do you resolve it?

Once you have added your domain name within the Office 365 Admin Portal, under Setup > Domains, and you click on the domain name, take a look at the expected DNS record entries.  Under the proposed MX (mail exchange) record for your domain name, you may be surprised to see extra characters after your domain name, such as “0c” and the original hyphen from your domain name ( completely removed: 3600 IN MX 5

This subtle change is key to a successful DKIM setup for a domain with a hyphen in its name.

So then we know your DKIM selector CNAME entry target values should read as follows:

There you have it!

If this was helpful to you, please share it by Tweeting about your newfound discovery!

Leave a Reply