DKIM in Office 365

Microsoft has implemented DKIM, DMARC and SPF in Exchange Online, the only thing you have to do is enable it. The only thing for DKIM you have to do is create two CNAME records in DNS and enable DKIM in the Exchange Admin Center.

DKIM CNAME records

The CNAME records you have to create for DKIM look like this:

selector1._domainkey.contoso.com
selector2._domainkey.contoso.com

Selector1 and selector 2 are the 2 selector tags (in Office 365 these will always be selector1 and selector2), the _domainkey is a default tag that will be added. Of course you have to replace the contoso.com with your own domain.

The CNAME records have to point to the following locations:

selector1-contoso-com._domainkey.contoso.onmicrosoft.com
selector2-contoso-com._domainkey.contoso.onmicrosoft.com

the ‘contoso-com’ (also referred to as DomainGUID) is the same as your MX record so you can copy-and-paste it from there. The ‘contoso.onmicrosoft.com’ is your Office 365 tenant name.

So, for my exchangelabs.nl environment (tenant name is exchangelabsnl.onmicrosoft.com) this will be

Selector1._domainkey.exchangelabs.nl CNAME selector1-exchangelabs-nl._domainkey.exchangelabsnl.onmicrosoft.com

And

Selector2._domainkey.exchangelabs.nl CNAME selector2-exchangelabs-nl._domainkey.exchangelabsnl.onmicrosoft.com

You can use the MXTOOLBOX site to check your DKIM selector records:

image

The second step is to enable DKIM in the Exchange Admin Center. In the Exchange Admin Center select Protection and select the dkim tab. Select the domain you want to enable DKIM for and in the action pane click on Enable:

image

All information is stored in Office 365 so there’s no need to create a keypair and store the public key in DNS, everything is handled by Microsoft. Sweet Smile

For more information you can check the Use DKIM to validate outbound email sent from your custom domain in Office 365 article on Microsoft Technet

2 thoughts on “DKIM in Office 365”

    1. Yes, this specific example applies to EXO only. If you have a hybrid configuration with mailboxen on-premises and in EXO you will have two break-out points. Mail will be sent from EXO and from Exchange on-premises. If so you have to enable DKIM on both sides, with different selectors. Make sure your SPF record contains both environment as well.

      Like

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s