Configure DKIM with Microsoft 365 for CloudFilter

Description

Many administrators are familiar with SPF as a system for declaring and verifying who can send emails from a domain. However, in the fight against spam and phishing, SPF is not enough anymore.

DKIM (DomainKeys Identified Mail) is an email authentication system based on asymmetric cryptographic keys. A sending email server signs the message body and/or headers with a private key. A receiving email server verifies that signature with the public key published in the sending domain's DNS, which reveals any change to the signed fields. This adds a data integrity component to identity verification: a valid signature shows that the message arrived as it was sent.

Applies to:

Microsoft 365 (M365), Office 365 (O365), Exchange Online, DKIM

Implicit DKIM Signing in Microsoft 365

Administrators with domains on a Microsoft 365 tenant already have an implicit DKIM signature applied to the tenant domain. The tenant domain is the ".onmicrosoft.com" domain, sometimes called the initial domain. Microsoft does this because it controls the DNS for onmicrosoft.com, publishing the public key and storing the private key on behalf of all subscribed tenants. The implicit signing is the basis of creating an explicit signature for your primary domain, the one without the onmicrosoft.com portion.

Implementing DKIM with Microsoft 365 for CloudFilter

Requirements

  • You must have access to the Microsoft 365 Admin Center for the tenant domain you are managing.
  • You must have access to the domain's DNS host.

Determine Information for the DKIM Record

  1. Log in to Microsoft Defender and go to Email & Collaboration > Policies & Rules > Threat Policies > Email Authentication Settings > DKIM.
  2. Click on the domain to which you wish to add DKIM records and then click Copy.

    Fig. 1
    DKIM records.png

Add Two CNAME Records

The steps below provide the data needed to add the CNAME records to be used in the DNS zone management tool. Please contact the DNS host provider's support team for assistance with adding the CNAME records. Popular DNS zone managers are GoDaddy, web hosting providers, and dedicated nameserver providers such as DNS Made Easy.

  1. Log in to the DNS zone management tool for the domain you are working on.
  2. Add two CNAME records with the following information:
    • 1st CNAME Record
      Host Name: selector1._domainkey.<yourdomain>
      Points to: selector1-<domainGUID>._domainkey.<tenantDomain>
    • 2nd CNAME Record
      Host Name: selector2._domainkey.<yourdomain>
      Points to: selector2-<domainGUID>._domainkey.<tenantDomain>

Using the example from Determine Information for the DKIM Record above, the two CNAME records would be:

  • Example 1:
    Host Name: selector1._domainkey.psuccess2.org
    Points to: selector1-Psuccess2-org._domainkey.Mailprotector505.d-v1.dkim.mail.microsoft
  • Example 2:
    Host Name: selector2._domainkey.psuccess2.org
    Points to: selector2-Psuccess2-org._domainkey.Mailprotector505.d-v1.dkim.mail.microsoft

Depending on the DNS zone manager, DKIM records can be globally viewable within seconds or take days to propagate. Use a DKIM checker such as MX Toolbox to verify that records have been propagated before proceeding to the next step.
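The two CNAME records above can be checked offline against the naming pattern the article gives. This is an added example, not part of the article or of Microsoft's tooling; it assumes the domainGUID is the domain with dots replaced by dashes (as in the psuccess2.org example) unless you pass the value copied from the Defender portal, and the DNS answers are constructed stand-ins for real lookups.

```python
"""Check that a domain's two DKIM CNAME records point at the expected
Microsoft 365 targets. DNS answers below are constructed, not live."""

SELECTORS = ("selector1", "selector2")

def domain_guid(domain: str) -> str:
    """Assumption: the GUID is the domain with dots replaced by dashes
    (psuccess2.org -> psuccess2-org). The value shown in the Defender
    portal is authoritative; pass it explicitly if it differs."""
    return domain.replace(".", "-")

def expected_cnames(domain: str, tenant_domain: str, guid: str = None) -> dict:
    """Map each host name to the CNAME target it must point to."""
    guid = guid or domain_guid(domain)
    return {
        f"{sel}._domainkey.{domain}": f"{sel}-{guid}._domainkey.{tenant_domain}"
        for sel in SELECTORS
    }

def check_dkim_cnames(domain, tenant_domain, lookup, guid=None) -> dict:
    """lookup(name) returns the CNAME target or None if absent.
    Returns {host: None if correct, else a description of the problem}.
    DNS names are case-insensitive and may carry a trailing dot."""
    report = {}
    for host, want in expected_cnames(domain, tenant_domain, guid).items():
        got = lookup(host)
        if got is None:
            report[host] = "no CNAME found (not added yet or not propagated)"
        elif got.rstrip(".").lower() != want.lower():
            report[host] = f"points to {got}, expected {want}"
        else:
            report[host] = None
    return report

# Constructed DNS view mirroring the article's example: selector2 not yet live
CONSTRUCTED_DNS = {
    "selector1._domainkey.psuccess2.org":
        "selector1-Psuccess2-org._domainkey.Mailprotector505.d-v1.dkim.mail.microsoft.",
}
TENANT = "Mailprotector505.d-v1.dkim.mail.microsoft"

if __name__ == "__main__":
    for host, problem in check_dkim_cnames("psuccess2.org", TENANT, CONSTRUCTED_DNS.get).items():
        print(host, "OK" if problem is None else problem)
```

For a live check, replace `CONSTRUCTED_DNS.get` with a function that performs a real CNAME query and only proceed to enabling signing once both hosts report OK.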

Enable DKIM Signing for the Domain in Microsoft 365

  1. Return to the Microsoft 365 Admin Center and open the Exchange Admin Center as shown in Figure 3.

    Fig. 3
    Admin Centers - Exchange.png
     
  2. Visit the Microsoft Defender Portal, then click DKIM as shown in Figure 4.

    Fig. 4
    Security Authentication - DKIM.png
     
  3. Click on the primary domain and notice that the right-side information bar shows the status for DKIM signing as disabled, as shown in Figure 5. Since the CNAME records have been added to your domain's DNS zone, the signing of messages for the domain can be enabled. Click on the Enable link to turn on explicit DKIM signing on the primary domain.

    Fig. 5
    DKIM signing enabled.png

Important Considerations

DKIM signing with Microsoft 365 covers the message body: a hash of the body is included in the signature. If you use Mailprotector's smarthost relay, DKIM verification may fail because the configured Mailprotector actions modify the message after Microsoft 365 has signed it.

Compliance Footers

If you have compliance footers configured and enabled in the Mailprotector Console, the footer will change the body of the message after it has been DKIM signed, causing a DKIM failure.

The recommendation is to disable the compliance footer in the Mailprotector Console and apply it using Microsoft 365 Exchange Admin tools. For detailed instructions on creating the footer, please read Organization-wide message disclaimers, signatures, footers, or headers in Exchange Online.

Outbound Content Policies

If you have outbound content policies configured whose action is to tag the subject line or add text to the footer, the message will change after it has been DKIM signed, causing a DKIM failure.

The recommendation is to disable the outbound content policy and explore options through Exchange Online's transport rules and other mail flow tools.
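The footer and subject-tagging failures above have one cause: the bh= tag in the DKIM-Signature header is a hash of the canonicalised body, so a receiver that recomputes it over a body altered after signing gets a different value. The following added example (not from the article or from Mailprotector) reproduces that check using relaxed body canonicalisation from RFC 6376 section 3.4.4; the message and footer are constructed. Tagging the Subject breaks the signature the same way when that header is among the signed headers.

```python
"""Recompute a DKIM body hash (bh=) before and after a footer is appended,
as a receiving server would. Message and footer are constructed samples."""
import base64
import hashlib
import re

def relaxed_body(body: str) -> bytes:
    """Relaxed body canonicalisation (RFC 6376 3.4.4): drop trailing
    whitespace per line, collapse runs of whitespace to one space, drop
    trailing empty lines, terminate every remaining line with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines).encode("utf-8")

def body_hash(body: str) -> str:
    """Value the signer places in the bh= tag for rsa-sha256."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")

def verify_body_hash(signed_bh: str, delivered_body: str) -> bool:
    """Receiver side: the hash of the delivered body must equal bh=."""
    return body_hash(delivered_body) == signed_bh

# Constructed message as signed by Microsoft 365 and a constructed footer
# that a relay appends afterwards.
ORIGINAL = "Hello,\r\n\r\nPlease find the invoice attached.\r\n"
FOOTER = "\r\n--\r\nThis message is confidential.\r\n"

if __name__ == "__main__":
    bh = body_hash(ORIGINAL)  # computed at signing time
    print("unchanged body verifies:", verify_body_hash(bh, ORIGINAL))
    print("body with footer verifies:", verify_body_hash(bh, ORIGINAL + FOOTER))
```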
