DKIM for Exchange Hybrid Setup

Question

question

MicMac-6638 asked · Mar 09 at 01:04 PM

DKIM for Exchange Hybrid Setup

Hi,

We have an Exchange Hybrid setup: one server on our premises and one office 365. O365 is the front server (receiving all inbounds emails) and relaying them, if applicable, to the on-premise server. Outbound emails from our server are ALL relayed by O365 to external recipients.

I am not sure about the right thing to do with the DKIM key.

When we initially installed our server, we added a public TXT entry (dkim._domainkey) to the domain DNS with the DKIM key provided by our server.

But after the Exchange Hybrid is now setup (with Split Domain Routing) I wonder what I should do:
1) keep the initial TXT entry with the DKIM key provided by our server as it is
2) delete the TXT entry with the DKIM key provided by our server and add O365 DKIM keys (done by adding two additional CNAME entires according to that page https://docs.mailshake.com/article/222-dns-record-microsoft). Also, deactivate DKIM marking by our server (as it would be entirely handled by O365)
3) or keep 1) and add 2), meaning that there will be 3 entries for DKIM in the DNS (one from our server and 2 from Microsoft)
4) something else

This page https://docs.microsoft.com/en-us/answers/questions/117045/office365-dkim-and-email-relay-server.html tends to make me think the answer is 2) but unsure

It would be great if someone could advise me.

office-exchange-hybrid-itpro

10 |1000 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 1 · 2021-03-09T13:07:37.027Z

AndyDavid answered · Mar 09 at 01:07 PM

You need DKIM enabled for the system that is sending mail externally.
If all your outbound mail goes out through 365, enable DKIM there and disable anything else.

So the answer is.... 2 :)

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide#steps-you-need-to-do-to-manually-set-up-dkim

·

10 |1000 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 2 · 2021-03-10T07:29:08.02Z

KyleXu-MSFT answered · Mar 10 at 07:29 AM

@MicMac-6638

As AndyDavid said, enable DKIM for your local domain on Office 365. The mail flow between your Exchange on-premises and Exchange online are trusted which don't need to additional configuration.

Here are article about enable DKIM for each custom domain in your tenant.
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

· 14 ·

10 |1000 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

MicMac-6638 · Mar 10 at 10:22 AM

Thank you both for your answers.

I will read the article provided.

The on premise email server is not Exchange, it is linux-based. Does it change your answer?

0 ·

AndyDavid MicMac-6638 · Mar 10 at 12:12 PM

no, its not about what type of server its the architecture :)

DKIM should be configured only on the 365 end if that is where all the outbound mail goes through.

1 ·

MicMac-6638 AndyDavid · Mar 10 at 04:49 PM

Thanks you so much, the DKIM test passed THROUGH O365.

But, mail-tester says the following:

-0.1 DKIM_SIGNED

Message has a DKIM or DK signature, not necessarily valid
This rule is automatically applied if your email contains a DKIM signature but other positive rules will also be added if your DKIM signature is valid. See immediately below.

0 ·

Show more comments

question