Office 365 / Exchange Online – DKIM Config

Exchange-Admin-DKIM

If you’re using Exchange Online for hosting your e-mail, and using a custom domain, you should probably check and see if you have DomainKeys Identified Mail (DKIM) configured.

DKIM is a configuration that allows a receiving domain to verify that an e-mail was sent from an authorized user and domain and was not modified in transit.

By default Office 365 / Exchange Online enables DKIM for self hosted domains (things like domain.onmicrosoft.com), but that doesn’t transition over to your primary or vanity domains… so for example, my domain, santsys.com did not have DKIM enabled, but my registration domain, santsys.onmicrosoft.com was enabled.

To learn some more about DKIM on Office 365, check out this TechNet article, learn more about DKIM.

To access the DKIM settings for your account, you need to open Exchange Admin from the Office Admin portal, this can be accessed from the Admin Centers menu options.

Open-Exchange-Admin

Once open, you can access the DKIM settings by clicking on Protection then DKIM.

Exchange-Admin-DKIM

DNS Configuration

If you just click on “enable” you will get an error message letting you know that you need to add some DNS records. So before you try to enable DKIM, you need to go into your domain DNS management and add a couple of CNAME records. Once they are entered, you need to give it about 5-minutes, then you should be able to enable DKIM for the domain. (This is dependent on your DNS management, some changes might take longer.)

The two records you need to add should look like this (you would replace santsys-com, with your domain, and santsys.onmicrosoft.com with whatever your primary domain was):

  • Record 1
    • Host: selector1._domainkey
    • Points To: selector1-santsys-com._domainkey.santsys.onmicrosoft.com
    • TTL: 1-Hour
  • Record 2
    • Host: selector2._domainkey
    • Points To: selector2-santsys-com._domainkey.santsys.onmicrosoft.com
    • TTL: 1-Hour

E-Mail

Once all of that is enabled, you will see DKIM results in you e-mails headers, and in places like GMail you will see Mailed By and Signed By. This verifies that messages sent by you were not modified during transit.

Gmail-More-Info
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=domain.com; s=domain;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to:cc;
        bh=ikbdkJPviUDXufUd5GD2qlZO2ySzldl6bVkyNRrrgzM=;
        b=TkAWARzi53KHwFfKOc3F9P1RBEdtywLr3o6V7++UF/bzXuNiOmXHQuNi0Db/dH4Q7z
          BqKp5R2R1F+l/479YZLBzPfziWnvy0cyoUlS9Qm7OumuPcIzZN1kpOx7SmtpGdh61L6J
          P/12bwzPJmZh1DoIjvbuphokCQS7ajgEcuSvs=

Once all that is setup and working, e-mails you send will be verified. This helps limit things like phishing scams and other sorts of email spam.

Leave a Reply

Your email address will not be published. Required fields are marked *