Outbound DKIM in Office 365


DKIM outbound signing is finally here. And better than that, you can enable it manually for your tenant.

What you will need to do is to first publish two CNAMEs (per domain) as follows:

Host name: selector1._domainkey
Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>
TTL: 3600

Host name: selector2._domainkey
Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain>
TTL: 3600

You will have to replace <domainGUID> with the domain that you want DKIM enabled for, written with its dots replaced by hyphens (in the example below, contoso.com becomes contoso-com), and <initialDomain> with the onmicrosoft.com domain that you set up your Office 365 tenant with.

In case you have a domain named contoso.com added as a vanity domain in your Office 365 tenant, you will have to publish the following CNAME records:

Host name: selector1._domainkey
Points to address or value: selector1-contoso-com._domainkey.contoso.onmicrosoft.com
TTL: 3600

Host name: selector2._domainkey
Points to address or value: selector2-contoso-com._domainkey.contoso.onmicrosoft.com
TTL: 3600

Please remember that you will have to perform this for each domain (that needs outbound signing) that you are hosting in Office 365.

Next, you will also need to enable DKIM-signing for this domain within Office 365. How to perform this? Simple! By using the following PowerShell command:

New-DkimSigningConfig -DomainName <domainGUID> -Enabled $true

Again, you will have to replace <domainGUID> with the actual domain name that you are enabling DKIM for (the domain itself, not the hyphenated form used in the CNAME target).

In case of contoso.com:

New-DkimSigningConfig -DomainName contoso.com -Enabled $true

We are currently working on the TechNet article that will explain this in detail, but until then, you can enable Outbound DKIM signing on your own.

NOTE: You will have to wait for the CNAME records to propagate before running the PS command; otherwise you will get the following message:

CNAME record does not exist for this config. Please publish a CNAME record first.

Once your CNAMEs are published and have replicated across DNS, you can use the following command:

Set-DkimSigningConfig -Identity <domainGUID> -Enabled $true

If you are not sure how to create your CNAME records, you can start by running the first PS command:

New-DkimSigningConfig -DomainName <domainGUID> -Enabled $true

Then run:

Get-DkimSigningConfig | fl *selector*

From this output you can get the values of Selector1CNAME and Selector2CNAME. Those are the values that you should use in your CNAME records.

You don’t need to worry about setting the size of the DKIM key(s) or changing the keys, since these things are managed by us.
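A pre-flight check for the procedure above, added here as an example (not code from the original post or from Microsoft): it derives the expected CNAME names and targets for a vanity domain, verifies them with Resolve-DnsName (Windows DnsClient module), and only then runs the cmdlets from the post inside an Exchange Online PowerShell session. It assumes <domainGUID> is the domain with dots replaced by hyphens, as in the contoso-com example; the authoritative values remain those shown by Get-DkimSigningConfig.

```powershell
# Added example, not code from the original post: check both DKIM CNAMEs for a
# vanity domain before enabling signing, to avoid the error
# "CNAME record does not exist for this config".
# Assumption: domainGUID = domain with dots replaced by hyphens (contoso.com -> contoso-com),
# as in the post's example; confirm against Get-DkimSigningConfig | fl *cname.
param(
    [Parameter(Mandatory)] [string] $Domain,         # e.g. contoso.com
    [Parameter(Mandatory)] [string] $InitialDomain,  # e.g. contoso.onmicrosoft.com
    [switch] $Enable                                 # also run the Exchange Online cmdlets
)
$domainGuid = $Domain -replace '\.', '-'
$allOk = $true
foreach ($n in 1, 2) {
    $name     = "selector$n._domainkey.$Domain"
    $expected = "selector$n-$domainGuid._domainkey.$InitialDomain"
    # 1. Does the CNAME exist and point exactly where Office 365 expects?
    $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname) {
        Write-Warning "${name}: no CNAME found (not published, or not propagated yet)"
        $allOk = $false; continue
    }
    if ($cname.NameHost.TrimEnd('.') -ne $expected) {
        Write-Warning "$name -> $($cname.NameHost); expected $expected"
        $allOk = $false; continue
    }
    # 2. Following the CNAME, does the target publish a DKIM key record (v=DKIM1 ... p=...)?
    $txt = (Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' }) -join ' '
    if ($txt -match 'v=DKIM1' -and $txt -match 'p=') {
        Write-Host "$name OK -> $expected (public key published by the service)"
    } else {
        # Normal until the service knows the domain: New-DkimSigningConfig publishes the key.
        Write-Warning "$name resolves, but no DKIM key TXT record behind $expected yet"
    }
}
if ($Enable -and $allOk) {
    # Needs an Exchange Online PowerShell session. If the config already exists
    # (e.g. created earlier just to read the CNAME values), Set- turns signing on.
    if (Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue) {
        Set-DkimSigningConfig -Identity $Domain -Enabled $true
    } else {
        New-DkimSigningConfig -DomainName $Domain -Enabled $true
    }
}
```

Run it without -Enable first; a warning on step 1 means wait for propagation (or fix the record), a warning on step 2 alone is expected before the signing config exists.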


Comments (28)

  1. ktaber says:

    So for the Set-DkimSigningConfig or New-DkimSigningConfig portions of the command it would be like this, correct?

    Set-DkimSigningConfig -Identity contoso.com -Enabled $true

    I was confused on vs .

  2. ktaber says:

    I was confused on domain vs domainGUID

  3. Yes, the string is correct.
    is actually the vanity domain added in O365 that you want to enable DKIM for.
    The only thing to take care of, is to use the correct initial domain (ie: contoso.onmicrosoft.com) in the CNAME record.

  4. BlueBlue says:

    So… I’m guessing I need to enter the PowerShell commands on the Exchange server? What if I have Exchange Online?

  5. You will have to use this in Exchange Online. The article is for DKIM outbound signing for Office 365 hosted mailboxes.

  6. ali says:

    Thanks for sharing this Caltaru 🙂
    Finally Microsoft has implemented this

    I created new CNAME records but I can’t verify my DKIM records from online tools (such as this:
    http://dkimcore.org/c/keycheck )

    It complains because it’s not a TXT record. Has anyone successfully implemented this?

    If so, can you verify your records?

  7. @Ali
    One of the differences of implementing DKIM in O365 is that instead of publishing the public key in your DNS zone, we require you to publish the two CNAMEs. Why this way? So that you will not have to administrate any of this later on: set-and-forget!
    So, by publishing the CNAME in your zone, you delegate your namespace to Office 365. We will do all the work regarding signing and key rotation (this is why you actually need two CNAMEs).

  8. jro42 says:

    Is it possible to perform outbound DKIM signing via EOP using a Hybrid deployment of Exchange?

  9. @jro42
    In case the message is sent from a hosted mailbox, yes. In case the mailbox is on-premises, it will have to get signed with a DKIM solution installed on-premises. You will also need to publish the public key in your DNS, so that the correct selector will be used when DKIM is verified.

  10. jan says:

    I tried this: New-DkimSigningConfig -DomainName domain.com -Enabled $true -KeySize 2048
    But it failed with: Error publishing public-key TXT record. Please publish TXT record manually from DKIM signing config.
    I guess the key was too long for the system to handle…
    The key was created but not published in the onmicrosoft.com domain. I could publish it in my own domain, but then it is not set-and-forget.
    How do I remove the key and redo it?
    There’s no Remove-DkimSigningConfig.

  11. @Jan
    As explained in the article, there is no need to set the size of the key. The selector key size is set at 1024.
    So you can use the Set-DkimSigningConfig to change that.
    For the moment, the service allows customers to enable DKIM Signing for vanity domains by adding the CNAME in your DNS zone. In the future, it will probably be for onmicrosoft.com domains as well.
    And it is set-and-forget, since you only have to first publish the CNAME records and second to enable this in the service.

    We will handle the rest (changing keys and setting the size).

  12. jan says:

    Can I use Set-DkimSigningConfig to change key size? How?
    As far as I can see, it doesn’t have a KeySize argument.

  13. @Jan
    You can use the set command to try disabling and then enabling it again. Set-DkimSigningConfig -Enabled $false / $true
    If the value for Selector1KeySize and Selector2KeySize is still 2048, I think the best approach will be to open an SR for us to be able to change it manually in the backend.

  14. Nitin says:

    Hi There,

    I have 2 domains registered with GoDaddy.

    Emails hosted on Office365 for both.

    I have successfully enabled the DKIM Signing for 1 domain but when I try creating another CName record by the name "selector1._domainkey", GoDaddy says it is already created.

    How to achieve that, kindly help.

  15. @Nitin
    Please make sure you have both CNAMEs in the following form:

    selector1-contoso-com._domainkey.contoso.onmicrosoft.com
    selector2-contoso-com._domainkey.contoso.onmicrosoft.com

    Where you should replace contoso-com with your own domain and contoso.onmicrosoft.com with the initial domain on your tenant.

    If the error still comes up, please make sure you don’t have other records in your DNS zone.

  16. anonymouscommenter says:

    Hello!
    Thought about a post that will sum up the important security improvements that we – as Office

  17. James Skimming says:

    Hi, I’m trying to enable this on my vanity domains. It seems since you posted this it has been added to the Office 365 Exchange admin portal.

    I’ve published the CNAMES (we manage our own DNS) as you have indicated, but when I try to enable DKIM on the vanity domains, I receive the message:

    ‘CNAME record does not exist for this config. Please publish a CNAME record first.’

    I’ve tried via PowerShell with the same result.

    In the Exchange admin portal there’s a link to ‘Learn more’, but it unfortunately ends up on a 404 (see below)

    https://technet.microsoft.com/en-US/library/ms.exch.eac.DKIMDisabled(EXCHG.150).aspx?v=15.1.361.1&l=1&s=BPOS_S_E15_0_Slim

    What’s the current state of this feature? Should I be able to enable this in the portal, and why does the ‘Learn more’ link go to a 404?

  18. Andre says:

    Hello,
    Hope you can help. The error message I get from PowerShell is that the CNAME record does not exist.

    This might be because in my domain name I use a ‘-‘. Let’s say my domain is abc.com; what is then my domainGUID? Maybe a stupid answer, but I appreciate your answer.

    Andre

  19. Andre says:

    I forgot something in my last posting. Let’s say my domain is a-bc.com

  20. Chris says:

    Can’t add the CNAME record in Network Solutions. This is what I get as an error.

    Alias contains invalid characters. Only alphanumeric and -.* are allowed.
    Other Host name contains invalid characters. Only alphanumeric and .- are allowed

    1. IT_daddy says:

      @Chris
      How did you resolve this with Network Solutions? I have a call into them and it’s been escalated to the “engineering” team but I have several domains and am hoping someone found another solution. It may be time to move the domains to another service provider.

      1. Jeff says:

        Same problem w/ Network Solutions. Did this ever get resolved?

  21. jerry says:

    Hi,

    It is a good article indeed before official tech-note published.
    Question: Will the same work for just EOP customers? We have yet to move mailboxes to Exchange Online.

  22. @Jerry: Yes, DKIM will work for EOP Stand Alone customers as well.

    @chris: the issue with CNAME records not accepting non-alphanumeric characters should be addressed with the DNS provider. I was able to create mine without issues on GoDaddy and with other DNS providers as well.

    @Andre: You can get the exact string that you will need to publish by running the following cmdlet:
    Get-DkimSigningConfig | fl *cname

    @James Skimming: You should be able to use the same command as above and check if it matches with what you’ve published through the CNAMEs. If you still get the same, you can also try to disable and enable back the DKIM policy on your vanity domain.
    In case the error still persists, please open a Service Request with us. You can mention my name in the description and I will make sure we’re covering this as best as possible.

  23. Dave Catherall says:

    Hi,
    I have on-premise Exchange 2010 and hosted EOP. Do I require an on-premise DKIM solution or can I use it in EOP? Sorry if this has been answered already, I notice that one previous answer states on-premise but a newer one states it can be used with EOP. I just need clarification on which way to go. Many Thanks!

  24. @Dave Catherall:
    You can do both actually. It will be much easier for you to use EOP for DKIM signing, but in case you would like to manage them from onprem, you can use a DKIM onprem solution instead.

    1. Brian Lewis says:

      We have an Exchange 2010 onsite setup but we flow all our mail through Exchange Online Protection. So, can you confirm what was said above. If I’m sending my mail from onsite to EOP to the recipient, can I just setup and use DKIM on EOP? I have already done so and tested, but while some tests seem to show a DKIM cert, the authentication header seems to say dkim=none

      1. Hey Brian,
        yes, I can confirm that this is currently working. Please check the policy and make sure that the policy is correctly applied.
        You can use this script to make sure everything is in order: https://github.com/carlnolan/scripting/blob/master/Validate-DkimConfig.ps1
        Let me know how it works.
