Table of Contents

  1. Introduction
  2. What is DKIM?
  3. Enabling DKIM for a custom domain
  4. Step 1: Publish two CNAME records for your custom domain
  5. Step 2: Enable DKIM signing for your custom domain in Office 365
  6. Conclusion

Introduction

Protect Your Data with BDRSuite

Cost-Effective Backup Solution for VMs, Servers, Endpoints, Cloud VMs & SaaS applications. Supports On-Premise, Remote, Hybrid and Cloud Backup, including Disaster Recovery, Ransomware Defense & more!

What is DKIM?

DomainKeys Identified Mail is an email authentication method designed to detect forged sender addresses in email, a technique often used in phishing and email spam. DKIM allows the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain.

DKIM (DomainKeys Identified Mail) is an email security standard designed to make sure messages aren’t altered in transit between the sending and recipient servers. It uses public-key cryptography to sign an email with a private key as it leaves a sending server. Recipient servers then use a public key published to a domain’s DNS to verify the source of the message, and that the body of the message hasn’t changed during transit. Once the signature is verified with the public key by the recipient server, the message passes DKIM and is considered authentic.

Office 365 usually setup SPF and DKIM records for your initial domain, when you sign up for the Office 365 service. But it is not the case when you want to add the domain to use the Office 365 service. Administrators need to enable the DKIM service manually, and hence along with the SPF record for the newly added domain, administrators can set up the domain for safe mail delivery.

Download Banner

Enabling DKIM for a custom domain

Enabling DKIM for a custom domain can be accomplished in two steps. They are :

  1. Publish two CNAME records for your custom domain in DNS
  2. Enable DKIM signing for your custom domain in Office 365

In our case, we are adding a custom domain vembudesk.com in Office 365 and enabling the DKIM for the custom domain vembudesk.com in Office 365 security and compliance center.

Step 1: Publish two CNAME records for your custom domain

For each custom domain, you need to create two CNAME records in your domain registrar DNS. The below entry shows these two records to be added to your DNS

Hostname: selector1._domainkey
Points to address or value: selector1-< domainGUID >._domainkey.< initialDomain >
TTL: 3600

Hostname: selector2._domainkey
Points to address or value: selector2-< domainGUID >._domainkey.< initialDomain >
TTL: 3600

Where:

For Microsoft 365, the selectors will always be “selector1” or “selector2”.

Domain GUID is the same as the domain GUID in the customized MX record for your custom domain that appears before mail.protection.outlook.com. For example, in the following MX record for the domain vembudesk.com, the domain GUID is vembudesk-com:

vembudesk.com. 3600 IN MX 5 vembudesk-com.mail.protection.outlook.com

The initial domain is the domain that you used when you signed up for Microsoft 365. Initial domains always end in onmicrosoft.com. In our case the initial domain name is vembu.onmicrosoft.com.

So, the DNS CNAME record will be,

Hostname: selector1._domainkey
Points to address or value: selector1-vembudesk-com._domainkey.vembu.onmicrosoft.com
TTL: 3600

Hostname: selector2._domainkey
Points to address or value: selector2-vembudesk-com._domainkey.vembu.onmicrosoft.com
TTL: 3600

The below screenshot shows these entries in our domain registrar DNS

DKIM


Step 2: Enable DKIM signing for your custom domain in Office 365

By default, DKIM signing for your custom domain is not enabled automatically when you add the custom domain in Office 365 Admin Center → Settings → Domains. Users can verify the DKIM status for each domain in the Office 365 protection center. Or can visit the below URL directly to verify your DKIM status for the custom domain you added.

https://protection.office.com/dkimv2

DomainKeys Identified Mail (DKIM) – Security & Compliance (office.com)

And your added domains are listed, as shown below

Custom Domain

On clicking the newly added domain, Initially, you will get the message that “ No DKIM keys saved for this domain” After adding the above two CNAME records, you can enable the DKIM using Powershell as shown below.

  1. First login to your Office 365 account in the PowerShell using the command

    2. Connect-ExchangeOnline -UserPrincipalName

    The below screenshot shows this command, and this will open a password dialog box as shown below, put the password and click sign in

    DKIM signing configuration

  2. Run the below command to enable the DKIM signing configuration for the domain

“New-DkimSigningConfig -DomainName vembudesk.com -Enabled $true” ,

this will enable the DKIM configuration button and you can verify in the Office 365 Security and Compliance portal as shown below.

Rotate DKIM keys

To Confirm DKIM signing is configured properly for Office 365

Wait a few minutes before you follow these steps to confirm that you have properly configured DKIM. This allows time for the DKIM information about the domain to be spread throughout the network.

Send a message from an account within your Office 365 DKIM-enabled domain to another email account such as Gmail. In our example, we have sent a test mail from an Office 365 mailbox “mailbox11@vembudesk.com to a GSuite account.

Open the message and look at the header. Instructions for viewing the header for the message will vary depending on your messaging client. The DKIM-signed message will contain the hostname and domain you defined when you published the CNAME entries. The message will look something like this example:

ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass header.i=@vembudesk.com header.s=selector2 header.b=X4j33OHN;
arc=pass (i=1 spf=pass spfdomain=vembudesk.com dkim=pass dkdomain=vembudesk.com dmarc=pass fromdomain=vembudesk.com);
spf=pass (google.com: domain of mailbox11@vembudesk.com designates 40.107.131.91 as permitted sender) smtp.mailfrom=mailbox11@vembudesk.com;

This header information shows the receiver email is a Gmail account. In the above example, you may see the information such as “dkim=pass and header.s=selector2” denoting the DKIM signature is passed, and we can conclude that DKIM records are properly configured.

Conclusion

DKIM discourages spammers from spoofing and protects recipients from phishing attacks. In turn, it improves email deliverability and strengthens stakeholder trust. Without authentication, messages are either marked as spam or not delivered to intended recipients, causing the company to lose business. So as an administrator, it is important to configure SPF, DKIM, and DMARC records for your domain, after adding to the Office 365 service immediately to avoid email spoofing and phishing attacks.

Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.

Rate this post