Manually hooking up DKIM signing in Office 365

Note: This content also appears in our official documentation: Use DKIM to validate outbound email sent from your domain in Office 365.

Here’s how to enable DKIM signing for your domain if it is hosted in Office 365 (Exchange Online Protection).

What steps do I have to take to enable DKIM?

First, for each domain that needs to be DKIM-signed, you will need to publish two CNAMEs in DNS (not TXT records):

Host name:                  selector1._domainkey
Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>
TTL:                        3600

Host name:                  selector2._domainkey
Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain>
TTL:                        3600

The <domainGUID> is the same as the <domainGUID> in the customized MX record for your domain, the label that appears before mail.protection.outlook.com. For example, for the domain contoso.com:

contoso.com.    3600  IN  MX   5 contoso-com.mail.protection.outlook.com.

The <domainGUID> is contoso-com.

The <initialDomain> is the same one that you signed up with for Office 365. For example, contoso.com may have signed up with contoso.onmicrosoft.com. Therefore, the two CNAMEs that contoso.com would publish are the following:

Host name:                  selector1._domainkey
Points to address or value: selector1-contoso-com._domainkey.contoso.onmicrosoft.com
TTL:                        3600

Host name:                  selector2._domainkey
Points to address or value: selector2-contoso-com._domainkey.contoso.onmicrosoft.com
TTL:                        3600

In the above, the host name is relative to the zone and does not contain the FQDN of the domain you are provisioning. You could explicitly include the full name, that is, instead of Host name selector1._domainkey, you could put selector1._domainkey.<domain>.

For every other domain you have provisioned with Exchange Online, you will need to enable DKIM signing for it separately.

For example, if your initial domain is contoso.onmicrosoft.com and you have provisioned contoso.com and fabrikam.com, you will need to publish 4 CNAMEs (two for each domain). There are two CNAMEs per domain so that we can perform automatic DKIM key rotation for you. You need to do this for each domain that you use to send email; DKIM signing does not inherit the DKIM settings of other domains that you have provisioned for your organization. For a company trying to DKIM-sign contoso.com and fabrikam.com, you'd have four additional DNS records that look like this:

selector1._domainkey.contoso.com IN CNAME selector1-contoso-com._domainkey.contoso.onmicrosoft.com
selector2._domainkey.contoso.com IN CNAME selector2-contoso-com._domainkey.contoso.onmicrosoft.com

selector1._domainkey.fabrikam.com IN CNAME selector1-fabrikam-com._domainkey.contoso.onmicrosoft.com
selector2._domainkey.fabrikam.com IN CNAME selector2-fabrikam-com._domainkey.contoso.onmicrosoft.com 

Do not set up TXT records; if you set up TXT records instead of CNAME records, you have done it incorrectly!
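As an added example (not Microsoft's code or the script mentioned later in this post), the following Python derives the two CNAMEs a domain needs from its customized MX record and checks a DNS answer set against them, flagging the TXT-instead-of-CNAME mistake. The DNS snapshot is constructed inline rather than resolved live.

```python
MX_SUFFIX = ".mail.protection.outlook.com"

def domain_guid(mx_target: str) -> str:
    """contoso-com.mail.protection.outlook.com -> contoso-com"""
    host = mx_target.rstrip(".").lower()
    if not host.endswith(MX_SUFFIX):
        raise ValueError(f"not an Exchange Online Protection MX target: {mx_target}")
    return host[: -len(MX_SUFFIX)]

def expected_dkim_cnames(domain: str, mx_target: str, initial_domain: str) -> dict:
    """Return {owner name: CNAME target} for selector1 and selector2."""
    guid = domain_guid(mx_target)
    return {
        f"selector{n}._domainkey.{domain}".lower():
            f"selector{n}-{guid}._domainkey.{initial_domain}".lower()
        for n in (1, 2)
    }

def check_dkim_dns(domain: str, mx_target: str, initial_domain: str, snapshot: dict) -> list:
    """snapshot maps owner name -> (rrtype, value), as a resolver would report it.
    Returns a list of problems; an empty list means both CNAMEs are correct."""
    problems = []
    for name, target in expected_dkim_cnames(domain, mx_target, initial_domain).items():
        rr = snapshot.get(name)
        if rr is None:
            problems.append(f"{name}: missing")
            continue
        rrtype, value = rr
        if rrtype.upper() != "CNAME":
            # Publishing a TXT record here is the mistake the post warns about.
            problems.append(f"{name}: published as {rrtype}, must be a CNAME")
        elif value.rstrip(".").lower() != target:
            problems.append(f"{name}: points to {value}, expected {target}")
    return problems

# Constructed DNS snapshot: contoso.com is correct; fabrikam.com published a TXT
# record for selector1 and forgot selector2 entirely.
SNAPSHOT = {
    "selector1._domainkey.contoso.com": ("CNAME", "selector1-contoso-com._domainkey.contoso.onmicrosoft.com."),
    "selector2._domainkey.contoso.com": ("CNAME", "selector2-contoso-com._domainkey.contoso.onmicrosoft.com."),
    "selector1._domainkey.fabrikam.com": ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER"),
}

if __name__ == "__main__":
    for d in ("contoso.com", "fabrikam.com"):
        mx = f"{d.replace('.', '-')}.mail.protection.outlook.com"
        print(d, check_dkim_dns(d, mx, "contoso.onmicrosoft.com", SNAPSHOT) or "OK")
```

To check a real zone, replace SNAPSHOT with the answers from `Resolve-DnsName` or `dig` for the two selector names.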

Second, you need to enable DKIM signing for the domain within the service. You can do this in the UX by going to protection > dkim and clicking Enable for each domain you own.

Alternatively, if you use PowerShell, connect to Exchange Online using PowerShell and then run the following cmdlet:

New-DkimSigningConfig -DomainName <domain> -Enabled $true

Or, let us know when you are done and we will enable it on the backend; you can request this by opening a support ticket telling us which domains you want DKIM signing for. We will then create the 1024-bit DKIM public keys and the associated private keys, which we store internally.

How do I know it worked?

In either case above, when done, a DKIM-signed message will look like the following:

From: Example User <example@contoso.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
s=selector1; d=contoso.com; t=1429912795;
    h=From:To:Message-ID:Subject:MIME-Version:Content-Type;
    bh=<body hash>;
    b=<signed field>;

Or like this:

From: Example User <example@contoso.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    s=selector2; d=contoso.com; t=1429912795;
    h=From:To:Message-ID:Subject:MIME-Version:Content-Type;
    bh=<body hash>;
    b=<signed field>;

The DKIM-signed messages will align with DMARC (the d= domain will align with the 5322.From domain). This is even true for SMTP bounces where the MAIL FROM is <>.

To test it out, wait a few minutes for the newly enabled DKIM domains to replicate throughout the network, then send a message to another account that you have access to, such as an Outlook.com/Hotmail, Yahoo or Gmail account. Open the message, view the message headers and look for the Authentication-Results header. Each service stamps it a little differently, but it will say dkim=pass or dkim=ok or something similar.

If you send to an aol.com account, it may not work, because AOL may skip the DKIM check if the SPF check passes and aligns with the domain in the From: address.

To test whether or not your DNS records or DKIM settings are properly configured, you can use this PowerShell script to help you verify your DKIM config.

Can I set the DKIM key size?

You don’t need to set the size of the DKIM keys,


Do I have to rotate the keys?

No, you don't need to rotate the keys because we do that for you. Once you set it, you can forget it.

How do I add another domain for DKIM signing?

To DKIM sign another domain, you must go through the above steps for each of the domains you want to DKIM sign unless you want to have them signed with the default DKIM signature for your organization (see below on Disabling DKIM).


How do I troubleshoot delivery problems with DKIM?

There are some email receivers on the Internet that reject email due to a broken DKIM signature. A DKIM signature can break for multiple reasons:

a) If you have another mail server positioned after Office 365 that relays out to the Internet, it may modify the message content and cause the DKIM signature not to verify. If this occurs, you should ensure that Office 365 is the last service to relay out to the Internet; otherwise you may get some email bounces due to a broken DKIM signature.

b) Some messages get forwarded and modified in transit at the receiver side.

In cases like this, messages with failed DKIM signatures are not supposed to be bounced by the receiver, as per RFC 6376, sections 6.1 and 6.2. If you continue to receive bounces, you should contact the recipient and inform them that rejecting on failed DKIM signatures is against the RFC, because messages can be modified in transit and a failed signature is not by itself malicious. In addition, you can ask them to locally allow your messages that are failing DKIM.

How do I disable DKIM signing?

To disable the DKIM signing policy, you need to use the following PowerShell commands:

$p = Get-DkimSigningConfig -Identity <domain>

$p[0] | Set-DkimSigningConfig -Enabled $false

OR

Set-DkimSigningConfig -Identity $p[0].Identity -Enabled $false

Use $p[X] where X is the index of the policy.

However, this doesn't disable DKIM signing completely. Even if you don't enable DKIM, Office 365 will still (eventually) enable DKIM signing for your domain using the default signing configuration. Suppose that fabrikam.com was enabled by Office 365, not by the admin of the domain (so the required CNAMEs do not exist in DNS). Its DKIM signatures will look like the following:

From: Second Example <second.example@fabrikam.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
s=selector1-fabrikam-com; d=contoso.onmicrosoft.com; t=1429912795;
h=From:To:Message-ID:Subject:MIME-Version:Content-Type;
bh=<body hash>;
b=<signed field>;

In the example above, the selector and the d= domain contain the values that the CNAME would point to had DKIM signing for fabrikam.com been enabled by the customer. Eventually, every single message out of Office 365 will be DKIM-signed. If you enable DKIM yourself, the d= domain will align with the domain in the From: address; if not, it will not align and will instead carry your organization's initial domain.
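The alignment point made here and in "How do I know it worked?" above can be checked mechanically. The following added Python (not code from the post) parses a folded DKIM-Signature header, extracts s= and d=, and tests DMARC alignment of d= against the From: domain; the headers are constructed from the post's samples, and the organizational-domain logic is a last-two-labels simplification rather than a Public Suffix List lookup.

```python
import re

def parse_dkim_tags(header: str) -> dict:
    """Unfold a DKIM-Signature header (name included) and return its tag=value pairs."""
    _, _, value = header.partition(":")          # split off the header name only
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # RFC 5322 unfolding
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)            # h= contains colons but no '='
            tags[k.strip()] = v.strip()
    return tags

def from_domain(from_header: str) -> str:
    """Domain of the RFC 5322 From address ('From: Name <user@domain>')."""
    m = re.search(r"@([^\s>]+)", from_header)
    if not m:
        raise ValueError("no address in From header")
    return m.group(1).lower()

def org_domain(domain: str) -> str:
    # Simplification for this example: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def dkim_aligned(dkim_header: str, from_header: str, mode: str = "relaxed") -> bool:
    """DMARC identifier alignment: d= must equal the From domain (strict) or share its org domain (relaxed)."""
    d = parse_dkim_tags(dkim_header).get("d", "").lower()
    f = from_domain(from_header)
    return d == f if mode == "strict" else org_domain(d) == org_domain(f)

# Constructed from the post's sample headers; bh= and b= are placeholders, not real values.
ADMIN_SIG = ("DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n"
             "    s=selector1; d=contoso.com; t=1429912795;\n"
             "    h=From:To:Message-ID:Subject:MIME-Version:Content-Type;\n"
             "    bh=<body hash>;\n    b=<signed field>;")
# The default-signed variant: selector and d= carry the initial domain instead.
DEFAULT_SIG = ADMIN_SIG.replace("s=selector1; d=contoso.com;",
                                "s=selector1-fabrikam-com; d=contoso.onmicrosoft.com;")
FROM_CONTOSO = "From: Example User <example@contoso.com>"
FROM_FABRIKAM = "From: Second Example <second.example@fabrikam.com>"

if __name__ == "__main__":
    for sig, frm in ((ADMIN_SIG, FROM_CONTOSO), (DEFAULT_SIG, FROM_FABRIKAM)):
        t = parse_dkim_tags(sig)
        print(f"s={t['s']} d={t['d']} From={from_domain(frm)} aligned={dkim_aligned(sig, frm)}")
```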

* * * * * * * * * * * * * * *

And that’s it. As I say at the top of this post, this is only a short-term solution and eventually it will all be self-serve (that is, asking us to enable it for you will no longer be required; you will still need to set up the CNAMEs).

Happy DKIM signing!