Many administrators are familiar with SPF (Sender Policy Framework), a mechanism for publishing which hosts may send email for a domain and letting receivers check the connecting server against that list. In the fight against spam and phishing, SPF alone is not enough anymore.
DKIM (DomainKeys Identified Mail) is an email authentication system based on asymmetric cryptography. The sending server signs selected message headers together with a hash of the message body using a private key, and adds the result to the message as a DKIM-Signature header. The receiving server looks up the matching public key in DNS (a TXT record at selector._domainkey.<domain>, where the selector is named in the signature) and verifies the signature. A valid signature tells the receiver two things: the signing domain authorized the message, and the signed headers and body have arrived unaltered.
Implicit DKIM Signing in Office 365
Administrators with domains on an Office 365 tenant already have implicit DKIM signing for the tenant domain, the ".onmicrosoft.com" domain sometimes called the initial domain. Microsoft can do this because it controls the DNS for onmicrosoft.com: it publishes the public keys and holds the private keys on behalf of every subscribed tenant. Explicit signing for your primary domain (the one without the onmicrosoft.com portion) builds on this. Your domain's selector records do not hold keys themselves; they point, via CNAME, at the key records Microsoft publishes under your tenant domain.
Implementing DKIM with Office 365
- This article assumes you have access to the Office 365 Admin Center for the tenant domain you are managing.
- You must have access to the domain's public DNS zone.
Office 365 Admin Center Prep
- Login to the O365 Admin Center and go to Domains.
- Note the tenant or initial domain that ends in ".onmicrosoft.com" as shown in Figure 1.
- Click on the primary domain to open the required DNS settings information page as shown in Figure 2.
- Note the domain GUID, which is the leftmost label of the MX record host name (everything before the first dot). In this example, it is mpoffice365-com0e.
- The tenant domain and GUID will be used to add two CNAME records to public DNS for DKIM signing of the primary domain.
Add Two CNAME Records
The exact steps depend on the DNS zone management tool in use; the values below are what every tool needs. If you need help adding CNAME records, contact your DNS provider's support team. Popular DNS zone managers include GoDaddy, web hosting providers, and dedicated nameserver providers such as DNS Made Easy.
- Log into the DNS zone management tool for the domain you are working on.
- Add two CNAME records with the following information:
- 1st CNAME Record
Host Name: selector1._domainkey.<yourdomain>
Points to: selector1-<domainGUID>._domainkey.<tenantDomain>
- 2nd CNAME Record
Host Name: selector2._domainkey.<yourdomain>
Points to: selector2-<domainGUID>._domainkey.<tenantDomain>
Using the example from above, the two CNAME records would be:
- Host Name: selector1._domainkey.mp-office365.com
Points to: selector1-mpoffice365-com0e._domainkey.mailprotector.onmicrosoft.com
- Host Name: selector2._domainkey.mp-office365.com
Points to: selector2-mpoffice365-com0e._domainkey.mailprotector.onmicrosoft.com
Enable DKIM Signing for the Domain in Office 365
- Go back to the O365 Admin Center and open the Exchange Admin Center as shown in Figure 3.
- From the Exchange Admin Center, click on Protection > DKIM as shown in Figure 4.
- Click on the primary domain and notice the right-side information bar shows the status is "Not signing DKIM signatures for this domain" as shown in Figure 5.
- Once the CNAME records have been added to your domain's DNS zone and have propagated, signing of messages for the domain can be enabled. Click the Enable link to turn on explicit DKIM signing for the primary domain. If Exchange Online cannot yet resolve the two CNAME records, the Enable action fails with an error stating that the CNAME records do not exist; wait for DNS propagation and try again.
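The whole procedure above can also be driven from Exchange Online PowerShell, which is useful for checking the CNAME records before clicking Enable. The script below is an added example and is not part of the original article or Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed, that the account has permission to manage DKIM, and that `mp-office365.com` is replaced with your own primary domain. It reads the CNAME targets Exchange Online expects for the domain, checks public DNS for each selector record, and enables signing only when both match.

```powershell
# Added example (not from the original article): verify the two DKIM CNAME
# records for a domain resolve to the targets Exchange Online expects, then
# enable DKIM signing. Requires the ExchangeOnlineManagement module.
param(
    [string]$Domain = 'mp-office365.com'   # placeholder: replace with your primary domain
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in to the tenant

# Exchange Online already knows which CNAME targets it expects for this domain.
$cfg = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
if (-not $cfg) {
    # No DKIM config exists yet: create one disabled so the expected targets are available.
    $cfg = New-DkimSigningConfig -DomainName $Domain -Enabled $false
}

$expected = @{
    "selector1._domainkey.$Domain" = $cfg.Selector1CNAME
    "selector2._domainkey.$Domain" = $cfg.Selector2CNAME
}

$allGood = $true
foreach ($name in $expected.Keys) {
    # Query a public resolver directly so a stale local DNS cache cannot mislead the check.
    $answer = Resolve-DnsName -Name $name -Type CNAME -Server 8.8.8.8 -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $target = if ($answer) { $answer.NameHost.TrimEnd('.') } else { '<no CNAME found>' }
    $ok = ($target -ieq $expected[$name].TrimEnd('.'))
    if (-not $ok) { $allGood = $false }
    "{0,-45} -> {1}  [{2}]" -f $name, $target, $(if ($ok) { 'OK' } else { 'MISMATCH' })
}

if ($allGood) {
    Set-DkimSigningConfig -Identity $Domain -Enabled $true
    Get-DkimSigningConfig -Identity $Domain |
        Format-List Domain, Enabled, Status, Selector1CNAME, Selector2CNAME
} else {
    Write-Warning "Fix the CNAME records listed above and wait for DNS propagation before enabling DKIM."
}
```

Comparing against `Selector1CNAME` and `Selector2CNAME` rather than against hand-typed values catches the most common mistake in this procedure: a typo in the domain GUID or tenant domain when the records are entered at the DNS provider.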
DKIM signing in Office 365 covers a hash of the message body (the bh= tag in the DKIM-Signature header) as well as the signed headers. Any change to the body after Exchange Online has signed the message invalidates the signature. If you are using Mailprotector's smarthost relay, there are cases in which configured Mailprotector actions modify the message after signing and cause DKIM verification to fail:
COMPLIANCE FOOTERS: If you have compliance footers configured and enabled in the Mailprotector Console, the footer will change the body of the message after it has been DKIM signed, causing a DKIM failure.
The recommendation is to disable the compliance footer in the Mailprotector Console and apply the footer using Office 365's Exchange Online tools. For detailed instructions on creating the footer please read Organization-wide message disclaimers, signatures, footers, or headers in Office 365.
OUTBOUND CONTENT POLICIES: If you have outbound content policies configured whose action is to tag the subject line or add text to the footer, they will change the message after it has been DKIM signed, causing a DKIM failure. Tagging the subject alters a header that is normally among the signed headers; adding footer text alters the body hash.
The recommendation is to disable the outbound content policy and explore options through Exchange Online's transport rules and other mail flow tools.
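To see why a footer appended downstream breaks the signature, the following added example (not part of the original article) computes the DKIM body hash as a verifier would, using SHA-256 over the body in "relaxed" canonicalization as defined in RFC 6376, for a constructed message and then for the same message with a compliance footer appended. The message text and footer are made up for the demonstration. The receiving server recomputes bh= from the body it actually received, so the two values differing is exactly the condition that produces a DKIM failure.

```powershell
# Added example (not from the original article): compute the DKIM bh= value
# (SHA-256 over the relaxed-canonicalized body, RFC 6376 section 3.4.4) for a
# message as signed, and again after a relay has appended a footer.
function Get-RelaxedBodyHash {
    param([string]$Body)

    # Normalise line endings to LF for processing; relaxed canonicalisation then
    # collapses runs of spaces/tabs within a line and strips trailing whitespace.
    $lines = ($Body -replace "`r`n", "`n") -split "`n"
    $canon = [System.Collections.Generic.List[string]]::new()
    foreach ($line in $lines) {
        $canon.Add((($line -replace '[ \t]+', ' ') -replace ' +$', ''))
    }

    # Remove trailing empty lines; a non-empty body must end with exactly one CRLF.
    while ($canon.Count -gt 0 -and $canon[$canon.Count - 1] -eq '') {
        $canon.RemoveAt($canon.Count - 1)
    }
    $text = if ($canon.Count -gt 0) { ($canon -join "`r`n") + "`r`n" } else { '' }

    $bytes = [System.Text.Encoding]::ASCII.GetBytes($text)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        [Convert]::ToBase64String($sha.ComputeHash($bytes))
    } finally {
        $sha.Dispose()
    }
}

# Constructed sample body as Exchange Online would sign it.
$body = "Hello,`r`n`r`nPlease find the quarterly report attached.`r`n`r`nRegards,`r`nAlice`r`n"

# Constructed compliance footer appended by the relay after signing.
$footer = "`r`n-- `r`nThis message is confidential and intended only for the addressee.`r`n"

$signedBh  = Get-RelaxedBodyHash -Body $body
$relayedBh = Get-RelaxedBodyHash -Body ($body + $footer)

"bh= at signing time : $signedBh"
"bh= after footer    : $relayedBh"
if ($signedBh -ne $relayedBh) {
    "Body hash mismatch: the receiving server will report dkim=fail (body hash did not verify)."
}
```

Relaxed canonicalization tolerates whitespace changes in transit, which is why a reformatting relay often does not break DKIM, but it cannot tolerate added content: every appended line contributes to the hash. That is why the article recommends moving footers and disclaimers into Exchange Online, where they are applied before the message is signed.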