DKIM for Exchange Hybrid Setup

MicMac 21 Reputation points
2021-03-09T13:04:43.287+00:00

Hi,

We have an Exchange Hybrid setup: one server on our premises and one Office 365. O365 is the front server (receiving all inbound emails) and relaying them, if applicable, to the on-premise server. Outbound emails from our server are ALL relayed by O365 to external recipients.

I am not sure about the right thing to do with the DKIM key.

When we initially installed our server, we added a public TXT entry (dkim._domainkey) to the domain DNS with the DKIM key provided by our server.

But now that the Exchange Hybrid is set up (with Split Domain Routing), I wonder what I should do:

  1. keep the initial TXT entry with the DKIM key provided by our server as it is
  2. delete the TXT entry with the DKIM key provided by our server and add O365 DKIM keys (done by adding two additional CNAME entries according to that page https://docs.mailshake.com/article/222-dns-record-microsoft). Also, deactivate DKIM marking by our server (as it would be entirely handled by O365)
  3. or keep 1) and add 2), meaning that there will be 3 entries for DKIM in the DNS (one from our server and 2 from Microsoft)
  4. something else

This page https://learn.microsoft.com/en-us/answers/questions/117045/office365-dkim-and-email-relay-server.html tends to make me think the answer is 2) but unsure

It would be great if someone could advise me.

Microsoft Exchange Hybrid Management

Accepted answer
  1. Andy David - MVP 142.2K Reputation points MVP
    2021-03-09T13:07:37.027+00:00

    You need DKIM enabled for the system that is sending mail externally.
    If all your outbound mail goes out through 365, enable DKIM there and disable anything else.

    So the answer is.... 2 :)

    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide#steps-you-need-to-do-to-manually-set-up-dkim

    2 people found this answer helpful.

1 additional answer

  1. KyleXu-MSFT 26,211 Reputation points
    2021-03-10T07:29:08.02+00:00

    @MicMac

    As AndyDavid said, enable DKIM for your local domain on Office 365. The mail flow between your Exchange on-premises and Exchange Online is trusted and doesn't need additional configuration.

    Here is an article about enabling DKIM for each custom domain in your tenant.
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.



    1 person found this answer helpful.
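
One way to confirm the outcome of option 2, which both answers recommend, as an added example that is not part of the original thread: the script reads the DKIM-Signature headers of a message received at an external mailbox and reports which selector signed it. The selector `dkim` is the on-premises record from the question, `selector1`/`selector2` are the selector names Microsoft 365 uses for custom domains, and `example.com` plus the sample headers are constructed.

```python
import email
from email import policy

LEGACY_SELECTORS = {"dkim"}                   # on-prem selector from the question
M365_SELECTORS = {"selector1", "selector2"}   # Microsoft 365 custom-domain selectors

def parse_tags(value):
    """Split a DKIM-Signature header value into tag=value pairs (RFC 6376)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Headers are folded, so drop the whitespace inside each value.
            tags[name.strip()] = "".join(val.split())
    return tags

def signers(raw_message):
    """Return (d=, s=, origin) for each DKIM-Signature header, topmost first."""
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    result = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        selector = tags.get("s", "").lower()
        if selector in M365_SELECTORS:
            origin = "m365"
        elif selector in LEGACY_SELECTORS:
            origin = "on-prem"
        else:
            origin = "other"
        result.append((tags.get("d", "").lower(), selector, origin))
    return result

def cutover_ok(raw_message, domain):
    """True when the domain is signed by Microsoft 365 and not by the old server."""
    origins = {o for d, s, o in signers(raw_message) if d == domain.lower()}
    return "m365" in origins and "on-prem" not in origins

# Constructed sample headers (example.com and the bh=/b= values are placeholders).
BEFORE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "\ts=dkim; h=from:to:subject; bh=AAAA=;\r\n\tb=BBBB==\r\n"
    "From: user@example.com\r\nSubject: test\r\n\r\nbody\r\n"
)
AFTER = BEFORE.replace("s=dkim;", "s=selector1;")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, signers(raw), cutover_ok(raw, "example.com"))
```

A message that still carries an `s=dkim` signature after the change means the on-premises server is still signing, so its DKIM marking has not been deactivated yet.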