0 Votes
MicMac-6638 asked ·

DKIM for Exchange Hybrid Setup

Hi,

We have an Exchange Hybrid setup: one server on our premises and one on Office 365. O365 is the front server (receiving all inbound emails) and relaying them, if applicable, to the on-premises server. Outbound emails from our server are ALL relayed by O365 to external recipients.

I am not sure about the right thing to do with the DKIM key.

When we initially installed our server, we added a public TXT entry (dkim._domainkey) to the domain DNS with the DKIM key provided by our server.

But now that the Exchange Hybrid is set up (with Split Domain Routing), I wonder what I should do:
1) keep the initial TXT entry with the DKIM key provided by our server as it is
2) delete the TXT entry with the DKIM key provided by our server and add the O365 DKIM keys (done by adding two additional CNAME entries according to this page: https://docs.mailshake.com/article/222-dns-record-microsoft). Also, deactivate DKIM signing by our server (as it would be entirely handled by O365)
3) or keep 1) and add 2), meaning that there will be 3 entries for DKIM in the DNS (one from our server and 2 from Microsoft)
4) something else

This page https://docs.microsoft.com/en-us/answers/questions/117045/office365-dkim-and-email-relay-server.html tends to make me think the answer is 2), but I'm unsure.

It would be great if someone could advise me.


office-exchange-hybrid-itpro
0 Votes
AndyDavid answered ·

You need DKIM enabled for the system that is sending mail externally.
If all your outbound mail goes out through 365, enable DKIM there and disable anything else.

So the answer is.... 2 :)

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide#steps-you-need-to-do-to-manually-set-up-dkim

0 Votes
KyleXu-MSFT answered ·

@MicMac-6638

As AndyDavid said, enable DKIM for your local domain on Office 365. The mail flow between your Exchange on-premises and Exchange Online is trusted and doesn't need additional configuration.

Here is an article about enabling DKIM for each custom domain in your tenant.
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Thank you both for your answers.

I will read the article provided.

The on-premises email server is not Exchange, it is Linux-based. Does it change your answer?

0 Votes 0 ·

No, it's not about what type of server, it's the architecture :)

DKIM should be configured only on the 365 end if that is where all the outbound mail goes through.

1 Vote 1 ·

Thank you so much, the DKIM test passed THROUGH O365.

But, mail-tester says the following:

-0.1 DKIM_SIGNED

Message has a DKIM or DK signature, not necessarily valid
This rule is automatically applied if your email contains a DKIM signature but other positive rules will also be added if your DKIM signature is valid. See immediately below.

0 Votes 0 ·
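An added illustration (example code written for this page, not from Microsoft or any poster) of why AndyDavid's advice covers both the DNS record and the on-premises signer, and why mail-tester's DKIM_SIGNED rule says "not necessarily valid": a receiving verifier fetches the public key from `<s>._domainkey.<d>` using the selector and domain inside the signature itself, so once the on-premises TXT record is deleted, any message the on-premises server still signs carries a signature with no key behind it. The domain example.com, the tenant name contoso and all key values are constructed placeholders; the selector1/selector2 CNAME layout is the one Microsoft 365 uses.

```python
# Constructed DNS data for the placeholder domain "example.com" after option 2:
# the on-premises "dkim" TXT record is gone and the two Microsoft 365 CNAMEs
# point at the tenant-hosted keys. Tenant "contoso" and key values are made up.
ZONE_AFTER_OPTION_2 = {
    "selector1._domainkey.example.com": ("CNAME", "selector1-example-com._domainkey.contoso.onmicrosoft.com"),
    "selector2._domainkey.example.com": ("CNAME", "selector2-example-com._domainkey.contoso.onmicrosoft.com"),
    "selector1-example-com._domainkey.contoso.onmicrosoft.com": ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER_M365_KEY_1"),
    "selector2-example-com._domainkey.contoso.onmicrosoft.com": ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER_M365_KEY_2"),
}
# Same zone before the cleanup: the on-premises "dkim" selector is still published.
ZONE_BEFORE = dict(ZONE_AFTER_OPTION_2)
ZONE_BEFORE["dkim._domainkey.example.com"] = ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER_ONPREM_KEY")

# Constructed DKIM-Signature header values; bh= and b= are placeholders, not real digests.
SIGNED_BY_M365 = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; "
                  "h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER")
SIGNED_BY_ONPREM = SIGNED_BY_M365.replace("s=selector1", "s=dkim")


def parse_tags(value):
    """Split a DKIM tag list (RFC 6376 section 3.2) into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def resolve_txt(name, zone, max_hops=5):
    """Follow CNAMEs the way a resolver does and return the final TXT record, or None."""
    for _ in range(max_hops):
        rtype, data = zone.get(name, (None, None))
        if rtype == "TXT":
            return data
        if rtype != "CNAME":
            return None
        name = data
    return None


def key_status(dkim_signature, zone):
    """Return (DNS name queried, status) for the key a verifier would fetch for this signature."""
    sig = parse_tags(dkim_signature)
    name = f"{sig['s']}._domainkey.{sig['d']}"   # RFC 6376 section 3.6.2.1
    txt = resolve_txt(name, zone)
    if txt is None:
        return name, "no key published"          # verifier result: permfail
    key = parse_tags(txt)
    if key.get("v", "DKIM1") != "DKIM1" or not key.get("p"):
        return name, "key revoked or malformed"  # an empty p= tag means the key is revoked
    return name, "key published"
```

Run `key_status(SIGNED_BY_ONPREM, ZONE_AFTER_OPTION_2)` to see the failure mode that makes disabling on-premises signing part of option 2, not just deleting the record.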