JasonLeidy-9673 asked AndyDavid commented

DKIM Confusion

I am noticing the following when I look at the message headers sent from our O365 mailboxes - "dkim=permerror (no key for signature)". However, when I do a DKIM check on various web sites (mxtoolbox.com for example) I get green checks for everything. Our SPF passes too. So, I can't tell if this is something to be concerned about. When we send email externally it goes from O365 (Exchange Online) down to our spam filter appliance and then out to the world. We don't have DKIM set up on our spam appliance, so we are using DKIM in O365. I don't know if I should disable DKIM in O365 and enable it on our spam appliance, since that is the last thing that our email passes through, or have it enabled in both places (O365 and appliance). I've heard that doing it that way can cause problems even though it is supported.

office-exchange-server-mailflow

1 Answer

AndyDavid answered AndyDavid commented

It should be enabled on the sending server to external domains (it doesn't really hurt if you leave it enabled in 365). So in your case, it should be enabled on the spam filter, and your DNS records should reflect the correct selector used in the SPAM appliance.

Receiving servers are checking the signature against the server that sent the message - i.e. the Spam Appliance, so DKIM needs to be enabled there.



Thank you for the quick response (I was just reading a post by you on another forum when you replied). Do you know if we can leave our 2 existing selectors published in DNS (they are CNAME records that reference companyname365.onmicrosoft.com)? Our appliance will use TXT records.


Yep, you can leave. The nice thing is if you ever decide to bypass the SPAM appliance and send directly from 365, you are all set, so I would not remove the existing DNS entries.


Last question on this. Do you know if we would need to disable DKIM in O365 for our domain? Right now it is enabled for our domain, along with the default 365.onmicrosoft.com. I have a ticket open with Microsoft about this, but I'm not sure if they will give direction since we are using an appliance as opposed to sending right out of O365.

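An added example, not part of the original thread and not Microsoft's or any appliance vendor's code: each DKIM-Signature header carries its own domain (d=) and selector (s=), and RFC 6376 has the verifier fetch the public key from `<s>._domainkey.<d>`, returning "no key for signature" when no key record exists there. This Python script lists those lookup names for a message signed twice; example.com, the appliance1 selector and the set of published records are constructed placeholders.

```python
import email

# Constructed sample: one message carrying two signatures, one added by a
# hypothetical outbound appliance (top) and one by the mailbox provider.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "\ts=appliance1; h=from:to:subject; bh=AAAA; b=BBBB\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    " d=example.com; s=selector1; h=from:to:subject;\r\n"
    " bh=CCCC; b=DDDD\r\n"
    "From: user@example.com\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a value is not significant; drop it.
            tags[name.strip()] = "".join(val.split())
    return tags

def dkim_key_lookups(raw_message):
    """Return (d, s, dns_name) for every DKIM-Signature, top-most first."""
    msg = email.message_from_string(raw_message)
    lookups = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        d, s = tags.get("d"), tags.get("s")
        if d and s:
            lookups.append((d, s, f"{s}._domainkey.{d}".lower()))
    return lookups

def missing_keys(lookups, published):
    """Names a verifier would query that are absent from `published`,
    a set of record names the administrator has confirmed exist in DNS."""
    return [name for _, _, name in lookups if name not in published]

if __name__ == "__main__":
    found = dkim_key_lookups(SAMPLE)
    for d, s, name in found:
        print(f"d={d} s={s} -> key expected at {name}")
    # Constructed: only the provider's selector has been published so far.
    print("no key for:", missing_keys(found, {"selector1._domainkey.example.com"}))
```

Run it against the raw source of a message as received externally, then confirm each printed name resolves to a key record (directly as TXT or through a CNAME).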