0 Votes
HenrikBrown-7684 asked AndyDavid commented

Adding standard Office365 DKIM

Hi

My main domain does not have standard Office 365 DKIM records in place.

I am going to add these and then sign them via the Office 365 portal.

The following DKIM records will be added to our external DNS:

selector1._domainkey CNAME selector1-ourdomain-co-uk._domainkey.ourmaintenant.onmicrosoft.com
selector2._domainkey CNAME selector2-ourdomain-co-uk._domainkey.ourmaintenant.onmicrosoft.com

My question is would this have any negative impact on our mail flow? Or is this purely a security thing that is required to stop spoofing etc from our domain?

0 Votes
KaelYao-MSFT answered KaelYao-MSFT commented

Hi @HenrikBrown-7684

To my understanding, the two CNAME records are used to locate and retrieve the public key to decode the DKIM signature in the message headers.

This step should be completed before you enable DKIM signing for your custom domain, which uses a private key to insert an encrypted signature into the message headers.
Thus it shouldn't have any impact on the mail flow.

Following these two steps is how you set up DKIM, which would help with preventing spoofing from your domain:
Publish two CNAME records for your custom domain in DNS
To enable DKIM signing for your custom domain in the Microsoft 365 Defender portal



Hi @HenrikBrown-7684

Do the suggestions above help?
If you have any questions or need further help on this issue, please feel free to post back.

0 Votes
HenrikBrown-7684 answered

Hi


How would this affect any mailers we have in place at the moment?

For example, we use SendGrid and emails go out from them as our domain. These are spoofed.

I guess that will not be affected as the messages are coming out from SendGrid's domain and not ours?

1 Vote
AndyDavid answered HenrikBrown-7684 commented

The SendGrid emails will not be affected since they are not actually sent through your tenant.
Only messages sent through 365 will get a DKIM stamp.

However, if SendGrid messages (and any other 3rd party mailers) are sending as your domain and stamping a DKIM signature as your domain and you don't have a CNAME set up for those messages in your external DNS, those messages will fail DKIM. (They would be doing that before as well if that was the case.)

Make sense?
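
The lookup behind the answer above, as an added example that is not part of the original thread: a verifier builds the DNS name it queries from the `s=` and `d=` tags of each DKIM-Signature header, so the two new CNAMEs only matter for signatures carrying those selectors. The zone dictionary, the `mailer.example` domain, the `m1` selector and the key placeholders are constructed for illustration.

```python
import re

# Constructed stand-in for public DNS. The two CNAMEs are the ones from the
# question; the TXT records and "mailer.example" are placeholders.
ZONE = {
    "selector1._domainkey.ourdomain.co.uk": ("CNAME",
        "selector1-ourdomain-co-uk._domainkey.ourmaintenant.onmicrosoft.com"),
    "selector2._domainkey.ourdomain.co.uk": ("CNAME",
        "selector2-ourdomain-co-uk._domainkey.ourmaintenant.onmicrosoft.com"),
    "selector1-ourdomain-co-uk._domainkey.ourmaintenant.onmicrosoft.com":
        ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER"),
    "m1._domainkey.mailer.example": ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER"),
}

def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def find_key(selector, domain, zone=ZONE, max_hops=5):
    """Resolve <selector>._domainkey.<domain>, following CNAMEs to a TXT key."""
    name = f"{selector}._domainkey.{domain}".lower()
    for _ in range(max_hops):  # bounded so a CNAME loop cannot hang the check
        rtype, data = zone.get(name, (None, None))
        if rtype == "TXT":
            return data
        if rtype != "CNAME":
            return None
        name = data.lower()
    return None

def check(signature, zone=ZONE):
    """Return (DNS name a verifier queries, whether a public key is found)."""
    tags = parse_tags(signature)
    query = f"{tags['s']}._domainkey.{tags['d']}".lower()
    return query, find_key(tags["s"], tags["d"], zone) is not None

# Constructed signatures (bh= and b= elided; only d= and s= drive the lookup).
SAMPLES = {
    "sent through 365": "v=1; a=rsa-sha256; d=ourdomain.co.uk; s=selector1; bh=...; b=...",
    "mailer, own domain": "v=1; a=rsa-sha256; d=mailer.example; s=m1; bh=...; b=...",
    "mailer, as our domain": "v=1; a=rsa-sha256; d=ourdomain.co.uk; s=m1; bh=...; b=...",
}

if __name__ == "__main__":
    for label, sig in SAMPLES.items():
        print(label, *check(sig))
```

Only the third sample has no key to find, and it has none whether or not the two Office 365 CNAMEs are published.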


Hi Andy

That makes sense, but as you indicate, messages that mailers are sending and stamping as our domain will already be failing DKIM anyway if we don't have the mailer-specific CNAME records in DNS.

So in that case, when we go ahead and add these two standard CNAME DKIM records nothing really changes?

I.e. no visible user impact?

1 Vote
AndyDavid answered AndyDavid commented

Correct, no user impact. If anything, it will improve deliverability for messages sent from 365


Thanks again Andy


Hi @HenrikBrown-7684

Do you have any other questions?


Hi, sure, np. Please mark an answer as accepted so this can be closed. Thanks!
