Use DKIM to validate outbound email sent from your custom domain

Important

Welcome to Microsoft Defender for Office 365, the new name for Office 365 Advanced Threat Protection. Read more about this and other updates in Microsoft delivers unified SIEM and XDR to modernize security operations.

Summary: This article describes how to use DomainKeys Identified Mail (DKIM) with Microsoft 365 to ensure that destination email systems trust messages sent outbound from your custom domain.

You should use DKIM in addition to SPF and DMARC to help prevent spoofers from sending messages that look like they come from your domain. DKIM lets you add a digital signature to outbound email messages in the message header. It may sound complicated, but it's really not. When you configure DKIM, you authorize your domain to associate, or sign, its name to an email message by using cryptographic authentication. Email systems that receive email from your domain can use this digital signature to help determine whether the incoming email is legitimate.

Basically, you use a private key to sign the header of your domain's outgoing email. You publish the matching public key in your domain's DNS records, and receiving servers use it to validate the signature. With that public key they can verify that the messages really come from you and not from someone spoofing your domain.

Microsoft 365 automatically sets up DKIM for its initial onmicrosoft.com domains. That means you don't need to do anything to set up DKIM for any initial domain name (for example, litware.onmicrosoft.com). For more information about domains, see Domains FAQ.

You can also choose to do nothing about DKIM for your custom domain. If you don't set up DKIM for your custom domain, Microsoft 365 creates a private and public key pair, enables DKIM signing, and then configures the Microsoft 365 default policy for your custom domain. While this is sufficient coverage for most customers, you should manually configure DKIM for your custom domain in the following circumstances:

  • You have more than one custom domain in Microsoft 365

  • You're going to set up DMARC too (recommended)

  • You want control over your private key

  • You want to customize your CNAME records

  • You want to set up DKIM keys for email originating from a third-party domain, for example, if you use a third-party bulk mailer.


How DKIM works better than SPF alone to prevent malicious spoofing

SPF adds information to a message envelope, but DKIM places a cryptographic signature in the message header. When you forward a message, portions of that message's envelope can be stripped away by the forwarding server. Because the digital signature is part of the email header, it stays with the message, so DKIM still works after a message has been forwarded, as shown in the following example.

Diagram showing a forwarded message passing DKIM authentication when the SPF check fails

In this example, if you had published only an SPF TXT record for your domain, the recipient's mail server could have marked your email as spam and generated a false positive result. Adding DKIM in this scenario reduces false positive spam reporting. Because DKIM relies on public key cryptography to authenticate, and not just on IP addresses, DKIM is considered a much stronger form of authentication than SPF. We recommend using both SPF and DKIM, as well as DMARC, in your deployment.

The nitty gritty: DKIM uses a private key to insert a cryptographic signature into the message headers. The signing domain, or outbound domain, is inserted as the value of the d= field in the header. The verifying domain, or recipient's domain, then uses the d= field to look up the public key in DNS and authenticate the message. If the signature verifies, the DKIM check passes.

Manually upgrade your 1024-bit keys to 2048-bit DKIM encryption keys

Since both 1024-bit and 2048-bit DKIM keys are supported, these directions tell you how to upgrade your 1024-bit key to 2048 bits. The steps below cover two use cases; choose the one that best fits your configuration.

  1. When you already have DKIM configured, you rotate the key size as follows:

    1. Connect to Office 365 workloads via PowerShell. (The cmdlet comes from Exchange Online.)

    2. Run the following command:

      Rotate-DkimSigningConfig -KeySize 2048 -Identity {Guid of the existing Signing Config}

  2. Or, for a new implementation of DKIM:

    1. Connect to Office 365 workloads via PowerShell. (This is an Exchange Online cmdlet.)

    2. Run the following command:

      New-DkimSigningConfig -DomainName {Domain for which config is to be created} -KeySize 2048 -Enabled $True
      

Stay connected to Microsoft 365 to verify the configuration.

  1. Run the following command:

    Get-DkimSigningConfig -Identity {Domain for which the configuration was set} | Format-List
    

Tip

This new 2048-bit key takes effect on the RotateOnDate; in the interim, email is sent with the 1024-bit key. After four days, you can test again with the 2048-bit key (that is, once the rotation takes effect for the second selector).

If you want to rotate to the second selector, your options are a) let the Microsoft 365 service rotate the selector and upgrade to 2048 bits within the next 6 months, or b) after 4 days, and after confirming that the 2048-bit key is in use, manually rotate the second selector key by using the appropriate cmdlet listed above.

Steps you need to do to manually set up DKIM

To configure DKIM, you will complete these steps:

Publish two CNAME records for your custom domain in DNS

For each domain for which you want to add a DKIM signature in DNS, you need to publish two CNAME records.

Run the following commands to create the selector records:

New-DkimSigningConfig -DomainName <domain> -Enabled $false
Get-DkimSigningConfig -Identity <domain> | Format-List Selector1CNAME, Selector2CNAME

If you have provisioned custom domains in addition to the initial domain in Microsoft 365, you must publish two CNAME records for each additional domain. So, if you have two domains, you must publish two additional CNAME records, and so on.

Use the following format for the CNAME records.

Important

If you are one of our GCC High customers, we calculate domainGuid differently! Instead of looking up the MX record for your initialDomain to calculate domainGuid, we calculate it directly from the customized domain. For example, if your customized domain is "contoso.com", your domainGuid becomes "contoso-com"; any periods are replaced with a dash. So, regardless of what MX record your initialDomain points to, you'll always use the above method to calculate the domainGuid to use in your CNAME records.

Host name:            selector1._domainkey
Points to address or value:    selector1-<domainGUID>._domainkey.<initialDomain>
TTL:                3600

Host name:            selector2._domainkey
Points to address or value:    selector2-<domainGUID>._domainkey.<initialDomain>
TTL:                3600

Where:

  • For Microsoft 365, the selectors will always be "selector1" or "selector2".

  • domainGUID is the same as the domainGUID in the customized MX record for your custom domain that appears before mail.protection.outlook.com. For example, in the following MX record for the domain contoso.com, the domainGUID is contoso-com:

    contoso.com. 3600 IN MX 5 contoso-com.mail.protection.outlook.com

  • initialDomain is the domain that you used when you signed up for Microsoft 365. Initial domains always end in onmicrosoft.com. For information about determining your initial domain, see Domains FAQ.

For example, if you have an initial domain of cohovineyardandwinery.onmicrosoft.com and two custom domains, cohovineyard.com and cohowinery.com, you would need to set up two CNAME records for each additional domain, for a total of four CNAME records.

Host name:            selector1._domainkey
Points to address or value:    selector1-cohovineyard-com._domainkey.cohovineyardandwinery.onmicrosoft.com
TTL:                3600

Host name:            selector2._domainkey
Points to address or value:    selector2-cohovineyard-com._domainkey.cohovineyardandwinery.onmicrosoft.com
TTL:                3600

Host name:            selector1._domainkey
Points to address or value:    selector1-cohowinery-com._domainkey.cohovineyardandwinery.onmicrosoft.com
TTL:                3600

Host name:            selector2._domainkey
Points to address or value:    selector2-cohowinery-com._domainkey.cohovineyardandwinery.onmicrosoft.com
TTL:                3600
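As an added example (not code from the Microsoft article), this Python script derives both CNAME records for a custom domain from the rules above, including the GCC High variant where domainGUID comes from the custom domain itself. The MX host names for the Coho domains are constructed following the article's pattern.

```python
from typing import Dict, List, Optional

# Suffix of every Exchange Online Protection MX host; the label in front of it is the domainGUID.
MX_SUFFIX = ".mail.protection.outlook.com"


def domain_guid(custom_domain: str, mx_host: Optional[str] = None, gcc_high: bool = False) -> str:
    """Return the domainGUID used in the CNAME targets for custom_domain.

    Standard tenants: the label before .mail.protection.outlook.com in the domain's MX record.
    GCC High tenants: the custom domain itself with every period replaced by a dash.
    """
    if gcc_high:
        return custom_domain.strip(".").lower().replace(".", "-")
    if mx_host is None:
        raise ValueError("mx_host is required unless gcc_high=True")
    host = mx_host.strip(".").lower()
    if not host.endswith(MX_SUFFIX):
        raise ValueError(f"{mx_host!r} is not an Exchange Online Protection MX host")
    return host[: -len(MX_SUFFIX)]


def dkim_cname_records(custom_domain: str, initial_domain: str,
                       mx_host: Optional[str] = None, gcc_high: bool = False) -> List[Dict[str, object]]:
    """Build the selector1/selector2 CNAME records Microsoft 365 expects for one custom domain."""
    guid = domain_guid(custom_domain, mx_host, gcc_high)
    return [
        {
            "host": f"{selector}._domainkey",  # relative name inside the custom domain's zone
            "target": f"{selector}-{guid}._domainkey.{initial_domain}",
            "ttl": 3600,
        }
        for selector in ("selector1", "selector2")
    ]


def zone_lines(custom_domain: str, records: List[Dict[str, object]]) -> List[str]:
    """Render the records as fully qualified zone-file lines, the form most DNS hosts accept."""
    return [f"{r['host']}.{custom_domain}. {r['ttl']} IN CNAME {r['target']}." for r in records]


if __name__ == "__main__":
    # The article's example: one initial domain and two custom domains (four records in total).
    # The MX hosts are constructed following the pattern described in the article.
    initial = "cohovineyardandwinery.onmicrosoft.com"
    tenant = {
        "cohovineyard.com": "cohovineyard-com.mail.protection.outlook.com",
        "cohowinery.com": "cohowinery-com.mail.protection.outlook.com",
    }
    for domain, mx in tenant.items():
        for line in zone_lines(domain, dkim_cname_records(domain, initial, mx_host=mx)):
            print(line)
```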

Note

It's important to create the second record, but only one of the selectors may be available at the time of creation. In essence, the second selector might point to an address that hasn't been created yet. We still recommend that you create the second CNAME record, because then your key rotation will be seamless.

Note

Automatic key rotation has been temporarily disabled while we implement some design changes in how we create keys. It's a good practice to have multiple keys so that you can rotate them periodically. Although a key is hard to crack, rotation is still a practical mitigation strategy to protect against things like impersonation. You can follow the Rotate-DkimSigningConfig document to help do this for your organization. We expect that automatic rotation will be enabled again by August 2020.

Enable DKIM signing for your custom domain

Once you have published the CNAME records in DNS, you are ready to enable DKIM signing through Microsoft 365. You can do this either through the Microsoft 365 admin center or by using PowerShell.

To enable DKIM signing for your custom domain through the admin center

  1. Sign in to Microsoft 365 with your work or school account.

  2. Select the app launcher icon in the upper-left and choose Admin.

  3. In the lower-left navigation, expand Admin and choose Exchange.

  4. Go to Protection > dkim.

  5. Select the domain for which you want to enable DKIM and then, for Sign messages for this domain with DKIM signatures, choose Enable. Repeat this step for each custom domain.

To enable DKIM signing for your custom domain by using PowerShell

  1. Connect to Exchange Online PowerShell.

  2. Run the following command:

    Set-DkimSigningConfig -Identity <domain> -Enabled $true
    

    Where domain is the name of the custom domain that you want to enable DKIM signing for.

    For example, for the domain contoso.com:

    Set-DkimSigningConfig -Identity contoso.com -Enabled $true
    

To confirm DKIM signing is configured properly for Microsoft 365

Wait a few minutes before you follow these steps to confirm that you have properly configured DKIM. This allows time for the DKIM information about the domain to be spread throughout the network.

  • Send a message from an account within your Microsoft 365 DKIM-enabled domain to another email account such as outlook.com or Hotmail.com.

  • Do not use an aol.com account for testing purposes. AOL may skip the DKIM check if the SPF check passes. This will nullify your test.

  • Open the message and look at the header. Instructions for viewing the header for the message will vary depending on your messaging client. For instructions on viewing message headers in Outlook, see View internet message headers in Outlook.

    The DKIM-signed message will contain the host name and domain you defined when you published the CNAME entries. The message will look something like this example:

      From: Example User <example@contoso.com>
      DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
          s=selector1; d=contoso.com; t=1429912795;
          h=From:To:Message-ID:Subject:MIME-Version:Content-Type;
          bh=<body hash>;
          b=<signed field>;
    
  • Look for the Authentication-Results header. While each receiving service uses a slightly different format to stamp the incoming mail, the result should include something like DKIM=pass or DKIM=OK.

To configure DKIM for more than one custom domain

If at some point in the future you decide to add another custom domain and you want to enable DKIM for the new domain, you must complete the steps in this article for each domain. Specifically, complete all steps in Steps you need to do to manually set up DKIM.

Disabling the DKIM signing policy for a custom domain

Disabling the signing policy does not completely disable DKIM. After a period of time, Microsoft 365 will automatically apply the default policy for your domain. For more information, see Default behavior for DKIM and Microsoft 365.

To disable the DKIM signing policy by using Windows PowerShell

  1. Connect to Exchange Online PowerShell.

  2. Run one of the following commands for each domain for which you want to disable DKIM signing.

    $p = Get-DkimSigningConfig -Identity <domain>
    $p[0] | Set-DkimSigningConfig -Enabled $false
    

    For example:

    $p = Get-DkimSigningConfig -Identity contoso.com
    $p[0] | Set-DkimSigningConfig -Enabled $false
    

    Or

    Set-DkimSigningConfig -Identity $p[<number>].Identity -Enabled $false
    

    Where number is the index of the policy. For example:

    Set-DkimSigningConfig -Identity $p[0].Identity -Enabled $false
    

Default behavior for DKIM and Microsoft 365

If you do not enable DKIM, Microsoft 365 automatically creates a 1024-bit DKIM public key for your default domain and the associated private key, which we store internally in our datacenter. By default, Microsoft 365 uses a default signing configuration for domains that do not have a policy in place. This means that if you do not set up DKIM yourself, Microsoft 365 will use its default policy and the keys it creates to enable DKIM for your domain.

Also, if you disable DKIM signing after enabling it, after a period of time Microsoft 365 will automatically apply the default policy for your domain.

In the following example, suppose that DKIM for fabrikam.com was enabled by Microsoft 365, not by the administrator of the domain. This means that the required CNAMEs do not exist in DNS. DKIM signatures for email from this domain will look something like this:

From: Second Example <second.example@fabrikam.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    s=selector1-fabrikam-com; d=contoso.onmicrosoft.com; t=1429912795;
    h=From:To:Message-ID:Subject:MIME-Version:Content-Type;
    bh=<body hash>;
    b=<signed field>;

In this example, the host name and domain contain the values to which the CNAME would point if DKIM signing for fabrikam.com had been enabled by the domain administrator. Eventually, every single message sent from Microsoft 365 will be DKIM-signed. If you enable DKIM yourself, the signing domain will be the same as the domain in the From: address, in this case fabrikam.com. If you don't, it will not align and will instead use your organization's initial domain. For information about determining your initial domain, see Domains FAQ.

Set up DKIM so that a third-party service can send, or spoof, email on behalf of your custom domain

Some bulk email service providers, or software-as-a-service providers, let you set up DKIM keys for email that originates from their service. This requires coordination between you and the third party to set up the necessary DNS records. Some third-party servers can have their own CNAME records with different selectors. No two organizations do it exactly the same way; the process depends entirely on the organization.

An example message showing properly configured DKIM for contoso.com and bulkemailprovider.com might look like this:

Return-Path: <communication@bulkemailprovider.com>
From: <sender@contoso.com>
DKIM-Signature: s=s1024; d=contoso.com
Subject: Here is a message from Bulk Email Provider's infrastructure, but with a DKIM signature authorized by contoso.com

In this example, in order to achieve this result:

  1. Bulk Email Provider gave Contoso a public DKIM key.

  2. Contoso published the DKIM key to its DNS record.

  3. When sending email, Bulk Email Provider signs the message with the corresponding private key. By doing so, Bulk Email Provider attaches the DKIM signature to the message header.

  4. Receiving email systems perform a DKIM check by authenticating the DKIM-Signature d=<domain> value against the domain in the From: (5322.From) address of the message. In this example, the values match:

    sender@contoso.com

    d=contoso.com
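As an added example that is not part of the article, the Python below reads a received message's headers and compares the DKIM-Signature d= value with the From: (5322.From) domain, as step 4 describes; it also reads the receiving service's Authentication-Results verdict from the confirmation section earlier in the article. The sample messages are constructed from the article's examples (the Authentication-Results header and its sender IP are made up).

```python
import email
import re
from email.utils import parseaddr
from typing import Dict

# Constructed sample messages. The DKIM-Signature blocks follow the article's examples;
# the Authentication-Results header is made up to show a receiving service's verdict.
CONTOSO_MSG = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=contoso.com; dkim=pass (signature was verified)
 header.d=contoso.com;
From: Example User <example@contoso.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    s=selector1; d=contoso.com; t=1429912795;
    h=From:To:Message-ID:Subject:MIME-Version:Content-Type;
    bh=<body hash>;
    b=<signed field>;

Hello from contoso.com
"""
# Signed by the Microsoft 365 default policy: d= is the initial domain, not fabrikam.com.
FABRIKAM_MSG = """\
From: Second Example <second.example@fabrikam.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    s=selector1-fabrikam-com; d=contoso.onmicrosoft.com; t=1429912795;
    bh=<body hash>;
    b=<signed field>;

Hello from fabrikam.com
"""
# Third-party sender: the envelope sender differs, but the signature is authorized by contoso.com.
BULK_MSG = """\
Return-Path: <communication@bulkemailprovider.com>
From: <sender@contoso.com>
DKIM-Signature: s=s1024; d=contoso.com
Subject: Here is a message from Bulk Email Provider's infrastructure

Hello
"""

def parse_tags(value: str) -> Dict[str, str]:
    """Split a DKIM tag=value list; folding whitespace inside values is discarded."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())
    return tags

def dkim_alignment(raw_message: str) -> Dict[str, object]:
    """Read s= and d= from DKIM-Signature and compare d= with the From: (5322.From) domain."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    sig = msg.get("DKIM-Signature")
    tags = parse_tags(sig) if sig else {}
    d = tags.get("d", "").lower().rstrip(".")
    auth = msg.get("Authentication-Results")
    verdict = re.search(r"\bdkim=(\w+)", auth, re.IGNORECASE) if auth else None
    return {
        "from_domain": from_domain,
        "selector": tags.get("s"),
        "d": d or None,
        # Strict alignment: the signing domain is exactly the From domain.
        "aligned": bool(d) and d == from_domain,
        # Relaxed alignment (as DMARC allows): the From domain may be a subdomain of d=.
        "aligned_relaxed": bool(d) and (d == from_domain or from_domain.endswith("." + d)),
        # What the receiving service stamped, e.g. "pass"; None when no header is present.
        "receiver_dkim_result": verdict.group(1).lower() if verdict else None,
    }
```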

Identify domains that do not send email

Organizations should explicitly state that a domain does not send email by specifying v=DKIM1; p= in the DKIM record for that domain. This advises receiving email servers that there are no valid public keys for the domain, and any email claiming to be from that domain should be rejected. You should do this for each domain and subdomain using a wildcard DKIM record.

For example, the DKIM record would look like this:

*._domainkey.SubDomainThatShouldntSendMail.contoso.com. TXT "v=DKIM1; p="
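Added example (not from the article): a small resolver over constructed zone data that shows how a verifier forms the selector._domainkey.domain name, how the wildcard record above answers every selector under the non-sending subdomain, and how an empty p= is treated as a revoked key (RFC 6376). The zone contents, the nomail.contoso.com subdomain and the public-key placeholder are all constructed, and the wildcard matching is a simplified model of DNS behaviour.

```python
from typing import Dict, Optional

# Constructed zone data: a normal selector record for contoso.com (public key replaced by a
# placeholder) and a wildcard "null key" record for a subdomain that never sends mail.
ZONE_TXT = {
    "selector1._domainkey.contoso.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkq...PLACEHOLDER",
    "*._domainkey.nomail.contoso.com": "v=DKIM1; p=",
}


def dkim_record_name(selector: str, domain: str) -> str:
    """The TXT name a verifier queries for a DKIM-Signature carrying s=selector and d=domain."""
    return f"{selector}._domainkey.{domain}".lower().rstrip(".")


def lookup_txt(name: str, zone: Dict[str, str]) -> Optional[str]:
    """Resolve name against the zone, falling back to a wildcard on the leftmost label
    (simplified: real DNS wildcard rules have more cases than this)."""
    if name in zone:
        return zone[name]
    _first, _, rest = name.partition(".")
    return zone.get(f"*.{rest}")


def parse_tags(value: str) -> Dict[str, str]:
    """Split a DKIM tag=value list such as 'v=DKIM1; p='."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = val.strip()
    return tags


def key_status(selector: str, domain: str, zone: Dict[str, str] = ZONE_TXT) -> str:
    """Classify the published key: 'active', 'revoked' (empty p=, RFC 6376 3.6.1) or 'missing'."""
    txt = lookup_txt(dkim_record_name(selector, domain), zone)
    if txt is None:
        return "missing"
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "missing"  # not a usable DKIM key record
    return "revoked" if tags["p"] == "" else "active"
```

A signature whose key resolves to "revoked" cannot verify, which is the effect the null-key record above is meant to have for the subdomain.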

Next steps: After you set up DKIM for Microsoft 365

Although DKIM is designed to help prevent spoofing, DKIM works better with SPF and DMARC. Once you have set up DKIM, if you have not already set up SPF, you should do so. For a quick introduction to SPF and to get it configured quickly, see Set up SPF in Microsoft 365 to help prevent spoofing. For a more in-depth understanding of how Microsoft 365 uses SPF, or for troubleshooting or non-standard deployments such as hybrid deployments, start with How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing. Next, see Use DMARC to validate email. Anti-spam message headers includes the syntax and header fields used by Microsoft 365 for DKIM checks.