In order to DKIM sign your custom domain emails, you will need to complete the following steps:
Sign in to Office 365 using your admin account and choose Admin
Once in the Admin center, expand Admin centers and choose Exchange.
Go to protection > DKIM
Select the domain for which you want to enable DKIM and click on Enable. Repeat this step for each custom domain.
If you haven't created the relevant CNAME records, below are a few steps for creating a CNAME
Creating the CNAME records
The CNAME records are used to map an alias name to the true or canonical domain name. In essence, when you provision a new domain name in Office 365 you will need to create two CNAME records for it so that it points to your initial domain. Here is an example:
We will use aby.onmicrosoft.com as our initial domain, also called the tenant domain. But we actually own aby.com and after we provide it in Office 365 we need to publish the two CNAME records so that aby.com points to aby.onmicrosoft.com using the format below.
In our example the CNAME DNS records will look like this:
Type: CNAME
Host: selector1._domainkey
Value: selector1-aby-com._domainkey.aby.onmicrosoft.com
Type: CNAME
Host: selector2._domainkey
Value: selector2-aby-com._domainkey.aby.onmicrosoft.com
Please pay close attention to the domainGUID which does not use a full stop "." but a hyphen "-" instead. This is taken from the MX record of your custom domain, in this case, aby.com
The CNAME record value syntax will also show up when you click on Enable DKIM from your Exchange admin center:
The reason behind the two CNAME records is because Microsoft rotates the two keys for added security.
Enabling DKIM signing
Once you have added the CNAME records (two per domain) DKIM signing can be enabled through the Office 365 admin center.
For more information, refer to this article.