For those who are Office 365 (Exchange Online) Admins, and aren't familiar with SPF, DKIM and DMARC, I recommend referencing Terry Zink's blog. In my view, this is the best practice.
DKIM Goes Online
Exchange admins can check the current status of DKIM in their tenant through the Get-DkimSigningConfig cmdlet. Note that if any results return, then keys have been setup for the listed domain(s). It will return blank if nothing has been setup in a tenant.
In my experience, the primary sending domain tenant.onmicrosoft.com is now set to Enabled. The other domains in my tenant were configured with key pairs generated, but the domains were not yet enabled because CNAMEs were not found in DNS.
The result is that all messages coming from my O365 domain are now signed with DKIM! My test tenant as well as Gmail give me a Pass for DKIM evaluation, even though the envelope.from domain (vanity domain) is not yet enabled.
I have not yet seen any issues, but there is word that some automatic replies such as OOF messages can fail DKIM evaluation by some services. As I understand it, this is being worked on.