Enable DKIM Signing for Outbound Emails in Exchange Online Protection

Last year Microsoft announced support for DomainKeys Identified Mail (DKIM) signing for outbound emails in Office 365. If you are wondering what DKIM is, below is an excerpt from Microsoft blog describing what DKIM is in its simplest form.

DKIM permits the person, role or organization, who owns the signing domain, to claim some responsibility for a message by associating the domain with the message. Senders insert a digital signature into the message in the DKIM-Signature header, which receivers then verify. DKIM allows senders to build domain reputation, which is important to ensure email delivery and provides senders a non-spoofable way to identify themselves.

Since this post is about how to use DKIM signing in EOP to protect your outbound emails in Exchange Online, I won’t talk about what DKIM is and what it does. Therefore, to learn more about DKIM, visit dkim.org or Wikipedia.

In order to enable DKIM signing for outbound emails in your Office 365 subscription, you first need to have a couple of CNAME records added to DNS zones your mail domains. Below is what’s required to be added.

Host Name Points To Address Or Value TTL
selector1._domainkey selector1-<domainGUID>._domainkey.<initialDomain> 3600
selector2._domainkey selector2-<domainGUID>._domainkey.<initialDomain> 3600

If the format in Points To Address Or Value to makes no sense to you, let me break it down to help you further.

  • domainGUID is created from your mail domain. For example, for the domain msnix.com, the domainGUID would be “msnix-com”.
  • initialDomain is the tenant address you created at the time you signed up with Office 365. It would be something similar to “xyz.onmicrosoft.com”

Keep in mind that you will have to add above required CNAME records to each vanity domains in Office 365. Once you have configured your DNS records, follow below steps to enable it from the admin portal.o365_dkim_disabled

  1. Navigate to Exchange Admin -> protection -> dkim
  2. Select the domain you want to enable DKIM
  3. On the right hand side you’ll see current status of DKIM for selected domain. Click on the Enable link.

o365_dkim_enabled

  1. In few seconds, you’ll see on the status section that DKIM is now enabled.

That’s how you do it in the admin portal. Let’s see how can those who fancy working with PowerShell achieve this.

Connect to Exchange Online through PowerShell. Run following command.

New-DkimSigningConfig –DomainName <mailDomain> –Enabled $true

Again, you’ll have to have above required CNAME records to be present in your domain’s DNS zone for above command to work. If the DNS records haven’t configured you’ll see below error. If you have added required DNS records, and if you still receive below error, wait until your changes propagate.

o365_dkim_ps_errorIf you received above error either reason I’ve mentioned and now you have corrected them, run below command.

Set-DkimSigningConfig -Identity <mailDomain> -enabled $true

Hope this post helped you with getting started with DKIM in Office 365.

 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.