Your emails are being rejected with a 550-5.7.26 error because the receiving server cannot validate your DKIM signature, causing a DMARC policy failure.
The Fix
First, diagnose the exact failure. Send a test email to a Gmail account and use "Show original" to view the full headers. Look for Authentication-Results: dkim=none (no signature) or dkim=fail (invalid signature). Note the s= (selector) and d= (signing domain) tags from the DKIM-Signature header.
If the error is dkim=none (message not signed) in Microsoft 365:
Your domain likely lacks custom DKIM configuration. Enable it using PowerShell for Exchange Online.
Connect-ExchangeOnline
New-DkimSigningConfig -DomainName yourdomain.com -Enabled $false
Set-DkimSigningConfig -Identity yourdomain.com -Enabled $trueBefore running Set-DkimSigningConfig, you must publish two CNAME records in your DNS. The PowerShell command will provide the exact targets, or you can find them in the Exchange Admin Center under Mail flow > DKIM. The records typically look like:
- Name:
selector1._domainkey.yourdomain.com - Target:
selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com - Name:
selector2._domainkey.yourdomain.com - Target:
selector2-yourdomain-com._domainkey.yourtenant.onmicrosoft.com
If the error is dkim=fail (invalid signature):
This indicates a DNS or alignment problem. Verify your DKIM DNS record. Using the s= selector from your email header, query the TXT record at selector._domainkey.yourdomain.com with a tool like MX Toolbox. Ensure the public key (p=) is present. A mismatch between the d= domain in the DKIM signature and your From: header domain will also cause a fail. They must align for DMARC.
If that doesn't work:
Email modifications after signing break the signature. Disable transport rules that prepend disclaimers or banners, or reconfigure them to "Wrap" the original message. Also, disable any auto-forwarding that might alter the email. If you recently made DNS changes, wait 24-48 hours for propagation.
If that doesn't work:
Rotate your DKIM keys. In Microsoft 365, use Rotate-DkimSigningConfig -Identity yourdomain.com. This generates new keys. Update your DNS with the new CNAME target values provided, then re-enable signing.
Verify
After applying fixes and waiting for DNS propagation, send another test email. In the raw headers, confirm Authentication-Results: dkim=pass. Use Google's Postmaster Tools or a third-party DKIM validator to run an external check. Ensure DMARC alignment passes by checking that the d= domain in the DKIM signature matches your root From: domain. A successful setup shows dkim=pass and dmarc=pass in the authentication results header.
