Skip to main content
DKIM

DKIM Checker for GoDaddy

GoDaddy-hosted Microsoft 365 mailboxes use the same DKIM CNAME pattern as direct Microsoft 365 tenants — two selectors (selector1 and selector2) so Microsoft can rotate keys server-side. Get the exact CNAME targets from the Microsoft 365 Defender portal under Email & collaboration > Policies & rules > Threat policies > DKIM.

Common selectors:

Recommended DKIM record for GoDaddy

GoDaddy-hosted Microsoft 365 mailboxes use the same DKIM CNAME pattern as direct Microsoft 365 tenants — two selectors (selector1 and selector2) so Microsoft can rotate keys server-side. Get the exact CNAME targets from the Microsoft 365 Defender portal under Email & collaboration > Policies & rules > Threat policies > DKIM.

selector1._domainkey CNAME selector1-<tenant>._domainkey.<tenant>.onmicrosoft.com. selector2._domainkey CNAME selector2-<tenant>._domainkey.<tenant>.onmicrosoft.com.

Source: official GoDaddy documentation

What a passing check should look like

  • Both selector1._domainkey and selector2._domainkey resolve to your tenant's onmicrosoft.com targets.
  • Each terminal TXT (after CNAME walk) starts with v=DKIM1 and has a non-empty p= value.
  • M365 Defender DKIM tab shows status 'Signing DKIM signatures for this domain'.

How to add this record in GoDaddy

  1. Get the CNAME targets from Microsoft 365

    In Microsoft 365 Defender (security.microsoft.com), navigate to Email & collaboration → Policies & rules → Threat policies → DKIM, select your domain, and copy the two CNAME targets. They look like selector1-yourdomain-com._domainkey.tenantname.onmicrosoft.com.

  2. Open DNS for the domain in GoDaddy

    In GoDaddy's Domain Portfolio, click the three-dot menu next to the domain and choose Edit DNS.

  3. Add the first CNAME

    Add New Record → Type CNAME → Name selector1._domainkey → Value the first target from step 1 (without the trailing dot).

  4. Add the second CNAME

    Add New Record → Type CNAME → Name selector2._domainkey → Value the second target from step 1.

  5. Enable DKIM signing in Microsoft 365

    Back in M365 Defender → DKIM, flip the Sign messages for this domain with DKIM signatures toggle to On. If M365 still says 'CNAME records not found', wait 5 minutes for DNS propagation and retry.

Common DKIM mistakes with GoDaddy

  • Pasting the CNAME target WITH the trailing dot. GoDaddy's DNS editor handles trailing dots automatically — adding one results in two and the CNAME never resolves.
  • Mixing tenant identifiers between selector1 and selector2. The two targets are different but BOTH must point at the SAME tenant.onmicrosoft.com.
  • Trying to publish the public key as a TXT record. GoDaddy + M365 specifically use CNAME delegation; a TXT at selector1._domainkey will conflict.
  • Enabling DKIM in M365 before the CNAMEs propagate. Wait until both CNAMEs resolve before flipping the toggle, otherwise M365 reports 'CNAME records not found' and you have to retry.

DKIM selector pattern

selector1._domainkey + selector2._domainkey

Key rotation

Microsoft rotates the keys behind these CNAMEs on their own schedule — you never touch the keys directly. As long as the CNAMEs point to the right tenant target, rotation happens transparently. Verify rotation worked by re-running the DKIM check on each selector after a rotation event.

Frequently asked questions about GoDaddy DKIM

Does GoDaddy support DKIM out of the box?

Only if your domain uses GoDaddy's Microsoft 365 reseller mailboxes — in that case DKIM is configured via the two M365 CNAME selectors above. If you only use GoDaddy for DNS but send mail via a different provider (Mailgun, SendGrid, your own server, etc.), DKIM comes from THAT provider, not GoDaddy.

Why does my GoDaddy SPF record need <code>include:secureserver.net</code>?

secureserver.net is the umbrella domain GoDaddy uses for the outbound IP space of its hosted-mailbox products (Webmail Plus and the M365 reseller plans). Including it covers every IP GoDaddy currently uses, and they keep the include up to date.

Where do I get the exact CNAME targets for my GoDaddy + M365 setup?

Sign in to Microsoft 365 Defender at security.microsoft.com, then Email & collaboration → Policies & rules → Threat policies → DKIM. Select your domain and Microsoft displays the two CNAME values customised for your tenant ID.

GoDaddy says my TXT record value is 'too long' — what do I do?

GoDaddy's DNS editor accepts up to 1,024 characters in a TXT value. If you hit the limit (rare for SPF, common for some DKIM keys), the record needs to be split into multiple quoted strings per RFC 7208 §3.3 — but GoDaddy's UI does not expose that directly. Workaround: shorten the record (use the SPF Flattener for SPF) or move DNS to a provider that supports multi-string TXT.

Can I use Cloudflare in front of GoDaddy without changing registrar?

Yes — point GoDaddy's nameservers to Cloudflare's, then manage SPF/DKIM/DMARC in Cloudflare. Whichever provider answers DNS queries is the one receivers query. Don't publish the same record in both places; pick one.

Why are my DKIM checks failing even though the CNAMEs are correct?

Three common causes: (1) you enabled DKIM signing in M365 before the CNAMEs propagated — wait 10 minutes and re-toggle. (2) The two CNAMEs point at different tenants — they MUST both point at the same .onmicrosoft.com host. (3) Your M365 tenant has multiple custom domains and you used the wrong tenant ID in the CNAME target. The DKIM CNAME Validator walks the chain and surfaces the exact failure mode.

For the latest from GoDaddy themselves, see their official email-authentication documentation .

Read the complete DKIM guide to learn more.

Get the full picture with DMARCguard

Continuous monitoring, aggregate report parsing, and actionable insights for all your email authentication protocols.

Start Free