DomainKeys Identified Mail (DKIM) is an essential security protocol designed to help prevent email spoofing. It allows an organisation to take responsibility for a message that is in transit. The primary purpose of DKIM is to provide a method for validating a domain name identity associated with a message through cryptographic authentication. Integrating DKIM with your Office 365 (now part of Microsoft 365) setup can significantly enhance your organisation’s email security. This blog post provides a comprehensive guide on how to configure DKIM for Office 365, ensuring your email communication remains secure and trusted.
What is DKIM?
DKIM (DomainKeys Identified Mail) serves as an authentication technique within Office 365, aimed at confirming the sender’s domain authenticity and guaranteeing the email content remains unaltered in transit.
By appending DKIM digital signatures to outgoing emails, the sender enables the recipient servers to ascertain the message’s origin and integrity. This process involves generating a signature using a private key linked to the domain name. Upon receiving a DKIM-signed email, the recipient server employs the public key, accessible through the domain’s DNS records, to authenticate the signature. A valid signature reassures the server that the email genuinely originated from the domain, mitigating the risk of email spoofing.
Additionally, integrating DKIM with DMARC enhances the deliverability of authentic emails, ensuring they land in the recipient’s inbox rather than being flagged as spam or outright rejected by filtering systems.
Why should I configure DKIM for Office 365?
Configuring DKIM for Office 365 offers several benefits that are crucial for maintaining the integrity and effectiveness of your organisation’s email communication:
- Enhances Domain Security Against Spoofing and Phishing: DKIM plays a vital role in safeguarding your domain from spoofing and phishing attempts. Spoofing occurs when an unauthorised sender falsely uses your domain to dispatch emails, while phishing involves such senders mimicking reputable entities, like banks or credit card companies, to deceive recipients. By authenticating the sender’s identity through DKIM, these fraudulent activities can be significantly reduced, ensuring that emails are genuinely from their claimed sources.
- Boosts Email Deliverability: The presence of DKIM authentication on your emails can influence their acceptance by recipient servers. Certain servers may decline emails lacking DKIM authentication, considering them potential security threats. Implementing DKIM for Office 365 can, therefore, enhance the probability of your emails reaching their intended destinations without being blocked or filtered out.
- Ensures Compliance with Industry Standards: For organisations operating within sectors that have stringent communication security requirements, such as the financial or healthcare industries, adhering to regulations is imperative. These sectors often mandate the utilisation of DKIM as part of their compliance criteria. Configuring DKIM in Office 365 not only aligns with these regulatory demands but also fortifies email security, showcasing your organisation’s commitment to maintaining high standards of communication integrity.
How to Configure DKIM for Office 365
When using the default .onmicrosoft.com domain or if your organisation operates with only one custom domain, configuring DKIM within Office 365 might not be necessary. In such instances, Microsoft 365 automatically applies its default policy along with a 2048-bit public DKIM key for your domain. This removes the need for manual intervention.
However, the scenario changes if your organisation manages multiple custom domains or plans to implement DMARC (which is highly recommended for bolstering email security). In these cases, setting up DKIM with Office 365 becomes imperative.
Setting up DKIM requires modifying your domain’s DNS records. It’s important to note that these DNS modifications may not be immediate. The changes could take anywhere from a few minutes up to 24 hours to be fully processed and recognized across the internet.
Steps to Configure DKIM for Office 365
1. Generate DKIM Keys
First, generate the DKIM keys in the Microsoft 365 security center. Although every key follows the same format, generating them there makes it easier to copy and paste the exact DNS record values you need.
If the “Create DKIM Keys” option is not visible, proceed to the following step.
- Go to security.microsoft.com/dkimv2 and sign in.
- Choose the domain used for sending emails.
- Select the option to “Create DKIM Keys”.
2. Copy the Keys
Each DKIM key follows the same format. In the example below, replace ‘contoso-com’ with your own domain name written with hyphens instead of dots (contoso-com stands for contoso.com), and replace ‘contoso.onmicrosoft.com’ with your own ‘onmicrosoft.com’ domain.
Name: selector1._domainkey
Value: selector1-contoso-com._domainkey.contoso.onmicrosoft.com
Name: selector2._domainkey
Value: selector2-contoso-com._domainkey.contoso.onmicrosoft.com
3. Go to your DNS hosting provider and sign in
We can now create the necessary DNS records.
- Sign in to your DNS hosting provider’s platform.
- Go to the section where you can manage your DNS records.
4. Set Up DKIM Records
Two CNAME records are needed, one for each selector.
- Add a new DNS Record.
- Choose the record type as CNAME.
- Input the name and value corresponding to the first DKIM key.
For the second DKIM record, follow the same steps but modify the sequence number from 1 to 2 in the record’s name.
5. Enable DKIM
Now, we might have to wait a bit – from a few minutes to 24 hours – because different DNS hosting providers take varying amounts of time to update DNS records.
Next, head over to the Security Admin Center to activate DKIM for your domain:
- Choose your domain.
- Turn on the option to “Sign messages for this domain with DKIM signatures.”
If there’s an error message saying the CNAME records can’t be found, just give it more time. Usually, everything should be in order after 24 hours. If the error persists even then, it’s a good idea to double-check the names and values of your CNAME records.
Check DKIM Records for Office 365
It’s smart to double-check your DNS record setup. You can get help with this from Microsoft in the Admin center.
- Visit the DKIM Test page
- Enter your domain name
- Click on “Run Tests” to proceed.
The test will be completed in just a few seconds. Once it’s successful, you’ll see the following result for your domain displayed:
Protecting Domains that don’t send mail
Even if you have domains or subdomains that aren’t used for sending emails, it’s wise to secure them too. It might seem odd, but attackers can still use these for spoofing and phishing.
You can prevent this by setting up a DNS TXT record. This tells email systems that any mail coming from this domain isn’t valid and should be rejected.
For this purpose, you can create a TXT record like this:
- Name: *._domainkey.non-mail-domain.com
- Value: v=DKIM1; p=
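To check the records from steps 2 and 4 before enabling DKIM, and to recognise the empty-key TXT record used for domains that never send mail, here is an added Python example (not code from the original post or from Microsoft). It builds the expected CNAME names and targets from the naming scheme shown above and validates them against DNS answers; the SAMPLE_CNAME and SAMPLE_TXT dicts are constructed stand-ins for real lookups, and PLACEHOLDERPUBLICKEY is not a real key.

```python
def expected_cnames(domain, tenant):
    """Return the two CNAME records Microsoft 365 expects for a custom domain.
    The target embeds the domain with dots replaced by hyphens, e.g.
    contoso.com -> selector1-contoso-com._domainkey.contoso.onmicrosoft.com."""
    label = domain.lower().replace(".", "-")
    return {f"selector{n}._domainkey.{domain}":
            f"selector{n}-{label}._domainkey.{tenant}" for n in (1, 2)}

def parse_dkim_txt(txt):
    """Split a DKIM TXT record such as 'v=DKIM1; k=rsa; p=...' into tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags

def is_revocation_record(txt):
    """True for 'v=DKIM1; p=' records: an empty p= tag means the key is
    revoked (RFC 6376), the record published for domains that never send mail."""
    tags = parse_dkim_txt(txt)
    return tags.get("v") == "DKIM1" and tags.get("p") == ""

def check_domain(domain, tenant, cname_answers, txt_answers):
    """Validate a domain's DKIM DNS setup. The two dicts stand in for DNS
    lookups (name -> CNAME target, name -> TXT string). Returns a list of
    findings; an empty list means both selectors are in order."""
    findings = []
    for name, target in expected_cnames(domain, tenant).items():
        actual = cname_answers.get(name)
        if actual is None:  # the "CNAME records can't be found" case
            findings.append(f"{name}: CNAME not found (propagation can take up to 24 hours)")
        elif actual.rstrip(".").lower() != target:  # typo in name or value
            findings.append(f"{name}: points to {actual}, expected {target}")
        elif target not in txt_answers:
            findings.append(f"{target}: no TXT record published at the CNAME target")
        elif parse_dkim_txt(txt_answers[target]).get("v") != "DKIM1":
            findings.append(f"{target}: TXT record is not a DKIM key record")
        elif is_revocation_record(txt_answers[target]):
            findings.append(f"{target}: key is revoked (empty p= tag)")
    return findings

# Constructed DNS answers (not real records): selector1 is correct with a
# placeholder key, selector2's CNAME has not propagated yet.
SAMPLE_CNAME = {"selector1._domainkey.contoso.com":
                "selector1-contoso-com._domainkey.contoso.onmicrosoft.com."}
SAMPLE_TXT = {"selector1-contoso-com._domainkey.contoso.onmicrosoft.com":
              "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY",
              "*._domainkey.non-mail-domain.com": "v=DKIM1; p="}

if __name__ == "__main__":
    print(check_domain("contoso.com", "contoso.onmicrosoft.com", SAMPLE_CNAME, SAMPLE_TXT))
```

Replace the two dicts with the answers from your resolver to check a real domain; the findings map directly onto the error cases described in step 5.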
Using PowerShell to Create and Enable DKIM
If you have to set up DKIM for many domains in your tenant, using PowerShell can make things easier. PowerShell lets you make the DKIM records for all your domains at once. After you’ve added the CNAME records, you can then turn on DKIM for each domain using PowerShell. This way, you save time and effort.
Ensure you are connected to Exchange Online.
# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# List every accepted domain in the tenant and show the two CNAME values to publish for it
# (domains whose DKIM keys have not been created yet, see step 1, will not return a config here)
Get-AcceptedDomain | ForEach-Object {
    Write-Host $_.Name -ForegroundColor Cyan
    Get-DkimSigningConfig -Identity $_.Name | Format-List Selector1CNAME, Selector2CNAME
}
You can also output it to a file:
$file = "c:\temp\dkim.txt"

# Append each domain name and its two CNAME values to the file
Get-AcceptedDomain | ForEach-Object {
    $_.Name | Out-File $file -Append
    Get-DkimSigningConfig -Identity $_.Name | Format-List Selector1CNAME, Selector2CNAME | Out-File $file -Append
}
Next, you’ll need to set up the CNAME records. Once that’s completed and you’ve allowed enough time for the changes to take effect, you can activate DKIM in Office 365 using the PowerShell script provided below:
# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Enable DKIM signing for each accepted domain (the CNAME records must already resolve)
Get-AcceptedDomain | ForEach-Object {
    Write-Host "Enabling DKIM for $($_.Name)" -ForegroundColor Cyan
    Set-DkimSigningConfig -Identity $_.Name -Enabled $true
}
Conclusion
Configuring DKIM for your Office 365 domain is a critical step towards securing your email infrastructure and improving your organisation’s email deliverability and reputation. By following the detailed steps outlined in this guide, you can effectively implement DKIM, providing a layer of authentication that helps protect your domain against email spoofing and phishing attacks. Remember, email security is an ongoing process, and regularly reviewing and updating your configurations as needed is essential for maintaining the integrity of your email communications.