Many administrators are familiar with SPF (Sender Policy Framework) as a system to declare and verify who can send emails from a domain. In the fight against spam and phishing, SPF is not enough anymore.
DKIM (DomainKeys Identified Mail) is an email authentication system based on asymmetric cryptographic keys. The sending email server signs selected message headers and the body with a private key. The receiving email server verifies that signature with the public key published in the sending domain's DNS, which reveals whether any of the signed fields changed in transit. DKIM therefore adds a data integrity check to identity verification: a valid signature shows the message arrived as it was sent.
Implicit DKIM Signing in Office 365
Administrators with domains on an Office 365 tenant already have an implicit DKIM signature applied to the tenant domain. The tenant domain is the “.onmicrosoft.com” domain, sometimes called the initial domain. Microsoft can do this because it controls the DNS for onmicrosoft.com: it publishes the public key and stores the private key on behalf of all subscribed tenants. This implicit signing is the basis for creating an explicit signature for your primary domain, the one without the onmicrosoft.com portion.
Implementing DKIM with Office 365
- This article assumes you have access to the Office 365 Admin Center for the tenant domain you are managing.
- You must have access to the domain’s public DNS zone.
Office 365 Admin Center Prep
- Log in to the O365 Admin Center and open the Exchange Admin Center.
- From the Exchange Admin Center, click on Protection > DKIM.
- Click on the domain and notice the right-side information bar shows the status is “Not signing DKIM signatures for this domain”. Click on the Enable link to turn on explicit DKIM signing on the primary domain.
- Note down the information from the yellow pop-up and add it in a CNAME record as described below.
Add Two CNAME Records
Depending on the DNS zone management tool being used, the steps below provide the data needed for adding the CNAME records.
- Log into the DNS zone management tool for the domain you are working on.
- Add two CNAME records with the following information:
  - 1st CNAME Record
    Host Name: selector1._domainkey.<yourdomain>
    Points to: selector1-<domainGUID>._domainkey.<tenantDomain>
  - 2nd CNAME Record
    Host Name: selector2._domainkey.<yourdomain>
    Points to: selector2-<domainGUID>._domainkey.<tenantDomain>
You can also get your DKIM records by connecting to Exchange Online via PowerShell and running this command:
Get-DkimSigningConfig -Identity <domain> | Format-List Selector1CNAME, Selector2CNAME
Enable DKIM Signing for the Domain in Office 365
- Go back to the O365 Admin Center and open the Exchange Admin Center as shown in Figure 3.
- From the Exchange Admin Center, click on Protection > DKIM as shown in Figure 4.
- Click on the primary domain and notice the right-side information bar shows the status is “Not signing DKIM signatures for this domain” as shown in Figure 5. Since the CNAME records have been added to your domain’s DNS zone, the signing of messages for the domain can be enabled. Click on the Enable link to turn on explicit DKIM signing on the primary domain.
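Before relying on the new signature, it is worth confirming from outside the portal that both selector CNAMEs resolve to the targets Exchange Online expects and that those targets publish a DKIM public key. The script below is an added example, not part of the original article or a Microsoft tool; it assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline), the Windows DnsClient module for Resolve-DnsName, and a placeholder domain name.

```powershell
# Added example: verify the DKIM DNS records for a domain and report the
# signing state in Exchange Online. Requires an Exchange Online session.
$Domain = 'contoso.example'   # placeholder, replace with your primary domain

# Expected CNAME targets come from the tenant's own signing configuration.
$config   = Get-DkimSigningConfig -Identity $Domain
$expected = @{
    'selector1' = $config.Selector1CNAME
    'selector2' = $config.Selector2CNAME
}

$allGood = $true
foreach ($selector in $expected.Keys) {
    $hostName = "$selector._domainkey.$Domain"
    $target   = $expected[$selector]

    # 1. The CNAME you published must point at the tenant-domain selector.
    try {
        $cname = (Resolve-DnsName -Name $hostName -Type CNAME -ErrorAction Stop).NameHost
    } catch {
        Write-Warning "$hostName : no CNAME found (record missing or not yet propagated)"
        $allGood = $false
        continue
    }
    if ($cname.TrimEnd('.') -ne $target.TrimEnd('.')) {
        Write-Warning "$hostName : CNAME points to '$cname', expected '$target'"
        $allGood = $false
        continue
    }

    # 2. The target TXT record (published by Microsoft) must carry a DKIM key.
    #    The resolver follows the CNAME, so filter to the TXT answers only and
    #    join multi-part strings before matching.
    $txt = Resolve-DnsName -Name $hostName -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'TXT' } |
           ForEach-Object { $_.Strings -join '' }
    if ($txt -match 'v=DKIM1' -and $txt -match 'p=[A-Za-z0-9+/=]+') {
        Write-Host "$hostName -> $cname : DKIM public key found"
    } else {
        Write-Warning "$hostName -> $cname : no v=DKIM1 record with a p= key in TXT"
        $allGood = $false
    }
}

Write-Host ("Signing enabled in Exchange Online for {0}: {1}" -f $Domain, $config.Enabled)
if (-not $allGood) {
    Write-Warning "Fix the records reported above; DKIM verification will fail until they resolve."
}
```

Run it again after enabling: if the CNAMEs pass but Enabled is still False, the portal step was not completed for that domain.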