Authenticate Your Email with DKIM: Office 365 DKIM Setup Guide
Many cyberattacks begin with a phishing email, which underlines how crucial email security is. Brands that send email to their clients, subscribers or prospects need to ensure that those messages have not been altered in transit.
DKIM, or DomainKeys Identified Mail, is one of the core email security protocols that help protect a domain from these attacks. By verifying that an email actually comes from the domain it claims to be from, DKIM helps prevent email spoofing, a popular strategy employed by fraudsters.
This step-by-step guide walks you through how to enable DKIM in Office 365, verify that the DKIM record is valid, and set up ongoing monitoring of DKIM authentication for your emails.
Why is DKIM Important?
The implementation of DKIM email authentication is beneficial for both senders and receivers.
For senders, DKIM improves deliverability by assuring email servers that messages come genuinely from the specified sender and not a potential spam source, and ensuring messages consistently reach their destinations without being mistakenly flagged as spam.
For receivers, DKIM significantly strengthens email security by reducing the risk of receiving fraudulent emails. This dual advantage is essential for maintaining the integrity and reliability of email as a communication medium in today’s digital landscape.
How Does DKIM Work?
DKIM uses public-key cryptography to authenticate an email. A private key is stored on the sending server and the matching public key is published in the domain’s DNS as a DKIM TXT record. A message goes through these stages to be verified by DKIM:
1. Creating DKIM Signature.
As the message leaves the sending server, a signature is added to it. The signature starts as a hash computed over selected parts of the message; the sender chooses which parts to include when setting up DKIM. The hash is then signed with the private key and the result is added to the message’s headers.
2. Verifying Authenticity.
When the message reaches the destination server, the recipient’s server looks up the public key in the sending domain’s DNS and uses it to recover the hash from the signature. The recipient’s server also computes its own hash over the same message components. It then compares the two hashes to determine whether any part of the message covered by the DKIM signature has been altered.
3. Returning DKIM Authentication Result.
If the two hashes match, the email passes DKIM authentication. If even a single character in any part of the message used to create the signature has changed, the hash computed by the receiving server will differ from the one computed by the sender’s server, and the message fails DKIM authentication. This result is passed on to the recipient’s ISP and influences how the email is treated: delivered to the inbox or filtered out as potential spam.
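To make the three stages concrete, here is an added Go example, not code from the original article or from Microsoft, that signs a constructed message the way a sending server does and then replays the receiver’s check. It simplifies real DKIM canonicalization and tag parsing, and the names Sign, Verify, canon and bodyHash are its own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

// canon: simplified "relaxed" header canonicalization (lowercase name, trimmed value, CRLF).
func canon(hdrs []string) string {
	var b strings.Builder
	for _, h := range hdrs {
		name, val, _ := strings.Cut(h, ":")
		b.WriteString(strings.ToLower(name) + ":" + strings.TrimSpace(val) + "\r\n")
	}
	return b.String()
}

// bodyHash is the bh= tag: base64(SHA-256(body)).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(body))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Sign: the signed hash covers the selected headers plus the DKIM-Signature header
// itself with an empty b= tag (fixed tag order here; real verifiers parse the tags).
func Sign(key *rsa.PrivateKey, selector, domain string, hdrs []string, body string) (string, error) {
	tags := "v=1; a=rsa-sha256; c=relaxed/relaxed; d=" + domain + "; s=" + selector +
		"; h=from:to:subject; bh=" + bodyHash(body)
	digest := sha256.Sum256([]byte(canon(hdrs) + "dkim-signature:" + tags + "; b="))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return tags + "; b=" + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify replays the receiver: recompute bh= and the header hash, then check the signature with the DNS public key.
func Verify(pub *rsa.PublicKey, sigValue string, hdrs []string, body string) bool {
	tags, b64, ok := strings.Cut(sigValue, "; b=")
	sig, err := base64.StdEncoding.DecodeString(b64)
	if !ok || err != nil || !strings.HasSuffix(tags, "bh="+bodyHash(body)) {
		return false // malformed tag list, or the body changed in transit
	}
	digest := sha256.Sum256([]byte(canon(hdrs) + "dkim-signature:" + tags + "; b="))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}
```

Changing one byte of the body, one signed header, or the verification key makes Verify return false, which is exactly the failure described in stage 3.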
Why Configure a Custom Domain for DKIM Signing?
Note that if you use only the Microsoft Online Email Routing Address (MOERA) domain for outgoing email (for example, yourdomain.onmicrosoft.com), you don’t need to do anything to set up DKIM in Office 365.
Microsoft automatically creates a public-private key pair for your initial *.onmicrosoft.com domain and signs outbound messages with DKIM using the private key.
However, it is highly advisable to configure a custom domain or subdomain for DKIM so that outbound emails are DKIM-signed by the domain used in the “From” address. This is important for passing DMARC authentication: a message passes DMARC on the basis of DKIM only if the domain that DKIM-signed the message and the domain in the “From” address align.
Requirements for Setting up DKIM in Office 365
Before you can set up DKIM in Office 365 to sign emails with your custom domain, make sure the following conditions are met:
- Administrator access: to enable DKIM in Office 365, you need administrative permissions in your Office 365 account.
- Domain authentication: make sure you have added and verified your domain in Office 365. This involves associating the domain with your Office 365 account and enabling it for sending and receiving email.
- Domain properties: the custom domain or subdomain must appear on the DKIM tab of the Email authentication settings page and must have the following properties:
  - The “Sign messages for this domain with DKIM signatures” toggle is set to Disabled.
  - The Status shows “Not signing DKIM signatures for the domain.”
  - The “Rotate DKIM keys” button is grayed out.
- DNS access: you need to be able to change the domain’s DNS records in order to turn on DKIM in Office 365.
How to Setup DKIM in Office 365
To configure DKIM in Office 365 so that outbound emails are signed with your custom domain and pass DKIM alignment, follow these steps:
Step 1: Create DKIM Keys.
Start by logging in to the Defender portal and navigating to Email & collaboration > Policies & rules > Threat policies > Email authentication settings. Or, go directly to the Email authentication settings page.
On the Email authentication settings page, open the DKIM tab and click the custom domain you want to configure DKIM for.
Select the “Sign messages for this domain with DKIM signatures” toggle, which is currently set to Disabled.
A dialog opens with the values for the two CNAME records. Here is an example of what they typically look like:
Record 1 for DKIM Selector 1:
- Host name: selector1._domainkey.yourdomain.com
- Value: selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
Record 2 for DKIM Selector 2:
- Host name: selector2._domainkey.yourdomain.com
- Value: selector2-yourdomain-com._domainkey.yourdomain.onmicrosoft.com
Step 2: Publish CNAME Records in DNS.
In a new browser tab, log in to your DNS management console, select the domain for which you want to set up DKIM, and add two CNAME records with the generated host names and values. DNS changes can take 24-48 hours to propagate fully.
Step 3: Turn on DKIM Signing in Office 365.
After you have confirmed that the new DNS records have propagated, go back to the DKIM settings, open the custom domain’s properties, and select the “Sign messages for this domain with DKIM signatures” toggle.
Click OK to close the dialog that opens when you enable DKIM signing for the custom domain.
Verify the following properties for the domain:
- The “Sign messages for this domain with DKIM signatures” toggle is set to Enabled.
- The Status value is “Signing DKIM signatures for this domain.”
- The “Rotate DKIM keys” button is active.
Click “Close” to close the domain properties.
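As an added example, not part of the original guide or of any Microsoft tool, the following Go code encodes the checks worth running between Step 2 and Step 3: it derives both CNAME host names and targets from the pattern shown in the dialog (with yourdomain standing in for the tenant name, as in the example above) and validates the DKIM TXT record the CNAME chain should end at. The LookupFunc type is chosen so that net.LookupCNAME can be passed as the resolver; that function returns the final canonical name with a trailing dot, which the check tolerates.

```go
package main

import (
	"fmt"
	"strings"
)

// ExpectedCNAME derives the host name and target Office 365 shows in the DKIM dialog, e.g.
// selector1._domainkey.example.com -> selector1-example-com._domainkey.<tenant>.onmicrosoft.com
func ExpectedCNAME(selector, domain, tenant string) (host, target string) {
	host = selector + "._domainkey." + domain
	target = selector + "-" + strings.ReplaceAll(domain, ".", "-") + "._domainkey." + tenant + ".onmicrosoft.com"
	return host, target
}

// LookupFunc has the signature of net.LookupCNAME, so the real resolver or a stub can be used.
type LookupFunc func(host string) (cname string, err error)
// CheckSelectors verifies that both CNAME records from Step 2 resolve to the expected
// targets and returns one message per selector that has a problem (empty slice = all good).
func CheckSelectors(domain, tenant string, lookup LookupFunc) []string {
	var problems []string
	for _, sel := range []string{"selector1", "selector2"} {
		host, want := ExpectedCNAME(sel, domain, tenant)
		got, err := lookup(host)
		switch {
		case err != nil:
			problems = append(problems, host+": lookup failed: "+err.Error())
		case !strings.EqualFold(strings.TrimSuffix(got, "."), want): // tolerate trailing dot
			problems = append(problems, fmt.Sprintf("%s: points to %q, expected %q", host, got, want))
		}
	}
	return problems
}

// ParseDKIMRecord validates a DKIM TXT record (what the CNAME chain ends at): v=DKIM1 and a non-empty p= key.
func ParseDKIMRecord(txt string) (map[string]string, error) {
	tags := map[string]string{}
	for _, part := range strings.Split(txt, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	if tags["v"] != "DKIM1" {
		return nil, fmt.Errorf("missing or wrong v= tag: %q", tags["v"])
	}
	if tags["p"] == "" {
		return nil, fmt.Errorf("empty p= tag: key revoked or record not published")
	}
	return tags, nil
}
```

An empty p= value is a legitimate DKIM record that announces a revoked key, so a record that parses but has no key is reported rather than silently accepted.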
How to Verify DKIM Configuration
To test whether your emails are being signed with DKIM correctly, you can use the tools in the GlockApps email deliverability service. Here is what GlockApps offers:
1. Email Deliverability Testing.
The seed-based email tests provide detailed information about your sending environment, including IP reputation, domain reputation, email authentication results (SPF and DKIM), and inbox placement across different ISPs.
2. DMARC Analytics.
After generating and publishing a DMARC record, you’ll receive in-depth reports about your email traffic, sending sources, and email authentication outcomes (SPF, DKIM, DMARC). You’ll instantly see if DKIM fails and why.
3. DKIM Record Monitoring.
Create uptime monitors for your DKIM records so they are tested automatically 24/7, ensuring your outgoing email campaigns stay properly signed with DKIM.
4. DKIM Validator.
Using this diagnostic tool, you can manually verify a DKIM record for a domain. You need to know the DKIM selector used for the record to run the test.
Setting up DKIM in Office 365 is essential for protecting your email communications. DKIM confirms that emails sent from your domain are legitimate and unaltered, and helps lower the likelihood that they are classified as spam. Therefore, keep DKIM signing enabled for outgoing email and keep the DKIM records published. If you encounter DKIM authentication failures, there may be various reasons behind them that call for different fixes. Here you can read more about why DKIM fails and how to fix it.