An update on DKIM-on-IPv4 and DMARC in Office 365

If you’re wondering when Office 365 is going to release inbound validation for DKIM-on-IPv4 and DMARC support, I have an update for you.

  1. We are currently evaluating DKIM-on-IPv4 everywhere in the service but are fixing the remaining bugs

    Today, we stamp the DKIM results in a temporary header, X-DkimResult (or X-DkimResult-Test), but eventually we will stamp it in the Authentication-Results header. For example, if the signing domain in the d= field in the DKIM-Signature header is

    Authentication-Results: spf=pass (sender IP is;; dkim=pass (signature
      was verified);

    The temporary header does show the DKIM evaluation, but we found that there were problems when the Exchange mail server was modifying (formatting) message content. We have been addressing the remaining corner cases as we find them and have driven down the number of DKIM failures that weren’t really failures but instead were caused by Content Transformation (an agent in Exchange that formats messages).

    I have some rules in my personal tenant that look for DKIM failures based upon that temporary header and I can confirm that they have decreased dramatically.

  2. We have to fix a bug with the Authentication-Results stamping

    We have a bug where the Authentication-Results header is being overwritten; it’s stamped but then stripped and stamped again but the DKIM result is not included (this is due to some infrastructure in the spam filter that we are replacing). We need to fix that because stamping the results of DKIM in clear text is important.

  3. Even after we release DKIM, there will still be some problems if downstream mail servers try to re-authenticate

    As I mentioned above, the Exchange mail server formats message content. We evaluate DKIM before the content has been transformed, but the email is recreated and passed to the mailbox storage (or passed to another outbound connector) after the message has been transformed. We have to fix that, but it won’t be done before we release DKIM. This issue occurs on all versions of on-premises Exchange except Exchange 2013 that has the latest updates.

  4. There’s a problem with DMARC where customers whose primary MX records do not point to Exchange Online Protection (EOP) generate DMARC failures

    This is described in point #3 in my blog post How to use DMARC in Office 365. Basically, we were seeing DMARC failures that didn’t make sense, but upon troubleshooting we noticed that it is because customers sometimes route email through themselves first, which can break DMARC under certain circumstances.

    We are working on a solution for this.

We are aiming to release DKIM-on-IPv4 and DMARC in Q1 of 2015, but the above describes where we are right now.
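
Point 3 above can be made concrete with the body hash (bh=) that a downstream verifier recomputes. This is an added example, not Office 365 or Exchange code, and it goes beyond the post by using the two body canonicalizations from RFC 6376; the sample bodies are constructed stand-ins for a reformatted message, not actual Content Transformation output.

```python
import base64
import hashlib
import re


def canon_simple(body: bytes) -> bytes:
    # RFC 6376 "simple": only empty lines at the end of the body are ignored;
    # an empty body is hashed as a single CRLF.
    return body.rstrip(b"\r\n") + b"\r\n"


def canon_relaxed(body: bytes) -> bytes:
    # RFC 6376 "relaxed": collapse runs of space/tab to one space, drop
    # whitespace at line ends, then ignore empty lines at the end of the body.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, canon) -> str:
    # Value a verifier compares against bh= (SHA-256, no l= tag assumed).
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()


def survives(signed: bytes, delivered: bytes) -> dict:
    # True where a downstream re-check would still match the signer's bh=.
    modes = (("simple", canon_simple), ("relaxed", canon_relaxed))
    return {name: body_hash(signed, c) == body_hash(delivered, c)
            for name, c in modes}


# Constructed sample bodies (assumptions for illustration only).
SIGNED = b"Hello Bob,\r\nYour invoice  is attached.\r\n"
WHITESPACE_ONLY = b"Hello Bob,  \r\nYour invoice\tis attached.\r\n\r\n"
REWRAPPED = b"Hello Bob, Your invoice  is attached.\r\n"

if __name__ == "__main__":
    for label, body in (("unchanged", SIGNED),
                        ("whitespace only", WHITESPACE_ONLY),
                        ("re-wrapped", REWRAPPED)):
        print(f"{label:16} {survives(SIGNED, body)}")
```

Relaxed canonicalization absorbs whitespace-only edits, but any change that moves line breaks or rewrites content changes the hash under both modes, so a verifier placed after such a hop reports a DKIM failure for a message that was valid when it arrived.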

Comments (7)
  1. DKIM-on-IPv4 and DMARC says:

    I think you are right because I already face many problems like this and I did not understand what is the right solution of this and continuously that problems disturb me regularly. I think full to you for resolve my problem.

  2. Brandon says:

    What about an update on DKIM signing?

  3. Terry Zink says:

    @Brandon – I don't have an update on outbound DKIM signing other than it is on our roadmap.

  4. Anonymous says:

    In digital signature schemes, there are two algorithms: one for signing, in which a secret key is used to process the message (or a hash of the message, or both), and one for verification, in which the matching public key is used with the message to check the validity of the signature.

  5. Kevin Taber says:

    Terry, any update on outbound DKIM signing yet?

  6. Dav says:

    We've seen an increasing number of emails being bounced from our Sophos Email Appliance as emails from certain domains are failing DKIM verification. When checking headers, DKIM is enabled (though the sender doesn't normally realise this) and they're going through some server.

    It's causing many headaches.
