What is DKIM and how it works

DKIM (DomainKeys Identified Mail) is an email authentication method used to verify that the email messages you send are legitimate and have not been altered in transit.
It uses cryptographic signatures to validate the sender's domain. Setting up DKIM for Office 365 helps improve email security and ensures better deliverability.
One or more private keys are generated for a domain and are used by the source email system to digitally sign important parts of outbound messages. These message parts include:
From, To, Subject, MIME-Version, Content-Type, Date, and other message header fields (depending on the source email system).
The message body.

The digital signature is stored in the DKIM-Signature header field in the message header and remains valid as long as intermediate email systems don't modify the signed parts of the message. The signing domain is identified by the d= value in the DKIM-Signature header field.
The corresponding public keys are stored in DNS records for the signing domain (CNAME records in Microsoft 365; other email systems might use TXT records).
Destination email systems use the d= value in the DKIM-Signature header field to:
Identify the signing domain.
Look up the public key in the DKIM DNS record for the domain.
Use the public key in the DKIM DNS record for the domain to verify the message signature.
The domain that's used to DKIM sign the message isn't required to match the domain in the MAIL FROM or From addresses in the message.
A message can have multiple DKIM signatures by different domains. In fact, many hosted email services sign the message using the service domain, and then sign the message again using the customer domain after the customer configures DKIM signing for the domain.

If you use only the Microsoft Online Email Routing Address (MOERA) domain for email (for example, contoso.onmicrosoft.com): You don't need to do anything. Microsoft automatically creates a 2048-bit public-private key pair from your initial *.onmicrosoft.com domain. Outbound messages are automatically DKIM signed using the private key. The public key is published in a DNS record so destination email systems can verify the DKIM signature of messages.

If you use one or more custom domains for email (for example, contoso.com): Even though all outbound mail from Microsoft 365 is automatically signed by the MOERA domain, you still have more work to do for maximum email protection:

Configure DKIM signing using custom domains or subdomains: A message needs to be DKIM signed by the domain in the From address. We also recommend configuring DMARC, and DKIM passes DMARC validation only if the domain that DKIM-signed the message aligns with the domain in the From address.

Each subdomain that you use to send email from Microsoft 365 requires its own DKIM configuration.
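To make the lookup and alignment rules above concrete, here is an added Python example (not part of the original post, and not Microsoft code). It reads the DKIM-Signature headers of a constructed sample message, derives the DNS name a receiver queries from the s= and d= tags, and checks DMARC alignment against the From address. The sample carries two signatures, one by the customer domain and one by the tenant's MOERA domain, mirroring the double-signing described above; the signature values are placeholders and the organizational-domain rule is a simplification of what DMARC actually uses.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not a real capture); bh= and b= are placeholders.
# First signature: customer domain. Second: the tenant's MOERA domain.
SAMPLE_MESSAGE = """\
From: Alice <alice@contoso.com>
To: bob@example.net
Subject: Quarterly report
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.com; s=selector1;
 h=From:To:Subject; bh=PLACEHOLDER_BODY_HASH=; b=PLACEHOLDER_SIGNATURE=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.onmicrosoft.com;
 s=selector1; h=From:To:Subject; bh=PLACEHOLDER_BODY_HASH=; b=PLACEHOLDER_SIGNATURE=
Content-Type: text/plain

Report attached.
"""

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs; whitespace in values is only folding."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)  # b= values carry '=' padding, so split once
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_dns_name(tags):
    """Name a receiver resolves for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def org_domain(domain):
    """Simplified organizational domain (last two labels); real DMARC uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_aligned(signing_domain, from_header, strict=False):
    """DMARC DKIM alignment: strict = exact From-domain match, relaxed = same organizational domain."""
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
    if strict:
        return signing_domain.lower() == from_domain
    return org_domain(signing_domain) == org_domain(from_domain)

def check_message(raw):
    """For each DKIM-Signature: signing domain, selector, DNS lookup name and alignment."""
    msg = email.message_from_string(raw)
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(sig)
        results.append({"d": tags["d"], "s": tags["s"], "dns_name": dkim_dns_name(tags),
                        "aligned_relaxed": dkim_aligned(tags["d"], msg["From"]),
                        "aligned_strict": dkim_aligned(tags["d"], msg["From"], strict=True)})
    return results
```

Running check_message on the sample shows why the automatic MOERA signature alone is not enough: only the contoso.com signature aligns with the From domain.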

Steps to Set Up DKIM for Office 365
Step 1: Enable DKIM in Microsoft 365
Log in to the Microsoft 365 Admin Center:

Go to admin.microsoft.com and log in with your admin credentials.
Navigate to the Security & Compliance Center:

In the Microsoft 365 admin center, go to the Security section (or search for "Security & Compliance Center" in the admin center).
Access DKIM Settings:

In the Security & Compliance Center, go to Email & Collaboration > Policies > DKIM.
Select Your Domain:

You’ll see a list of domains associated with your Microsoft 365 account.
Select the domain for which you want to enable DKIM.

Enable DKIM:

Click Enable. This generates the DKIM key pair for the domain and shows the CNAME records you need to publish in DNS.
Note: It might take up to 24 hours for DNS records to propagate, so DKIM may not immediately start working after enabling it.
Step 2: Add DKIM DNS Records to Your DNS Host
Once you enable DKIM in Microsoft 365, you'll need to add two CNAME records to your domain's DNS zone for DKIM to work correctly. Microsoft 365 will provide the exact values for these CNAME records.

Log in to your DNS provider:

This is usually where your domain is hosted (e.g., GoDaddy, Cloudflare, etc.).
Add the DKIM CNAME Records: Microsoft 365 will generate two CNAME records that you need to add to your DNS settings.
The typical DKIM CNAME records look like this (with <CustomDomain> written with dashes in place of dots, and <InitialDomain> being your *.onmicrosoft.com domain):

Hostname: selector1._domainkey
Points to address or value: selector1-<CustomDomain>._domainkey.<InitialDomain>

Hostname: selector2._domainkey
Points to address or value: selector2-<CustomDomain>._domainkey.<InitialDomain>

For example, for the custom domain b2ksoftech.com with the initial domain b2ksoftech.onmicrosoft.com:

Name: selector1._domainkey.b2ksoftech.com
Type: CNAME
Value: selector1-b2ksoftech-com._domainkey.b2ksoftech.onmicrosoft.com

Name: selector2._domainkey.b2ksoftech.com
Type: CNAME
Value: selector2-b2ksoftech-com._domainkey.b2ksoftech.onmicrosoft.com

Name: The "Name" will be something like selector1._domainkey.yourdomain.com (some DNS providers expect only the host part, selector1._domainkey, and append your domain).
Type: This will be CNAME.
Value: The value is the unique target provided by Microsoft for your domain, typically something like selector1-yourdomain-com._domainkey.yourdomain.onmicrosoft.com.

Save Changes:
Once you've added these CNAME records, save the changes.

Wait for DNS Propagation:

It may take up to 24 hours for DNS changes to propagate globally.

Step 3: Verify DKIM Is Working
Go back to Microsoft 365 Admin Center:

Return to the DKIM page in the Security & Compliance Center.
Select your domain and check if DKIM is successfully enabled.
Send a Test Email:

After the DNS records have propagated, send an email from your domain to an external email address (like Gmail).
In Gmail, open the email, click the three dots (More), and select Show Original. In the authentication summary at the top (and in the Authentication-Results header), look for:
DKIM: pass
This indicates that DKIM is successfully applied.

Two selectors: Microsoft 365 uses two selectors (selector1 and selector2) for DKIM, which allows you to rotate or update your DKIM keys without disrupting email authentication.

Key rotation: Microsoft rotates the DKIM keys regularly, which is a good practice for security. Because the CNAME records you add point at records Microsoft hosts, rotated keys take effect without any change on your side, so no manual intervention is required.

DMARC: DKIM works well with DMARC (Domain-based Message Authentication, Reporting & Conformance) to provide a more robust email security system. After setting up DKIM, you may also want to configure a DMARC policy to further protect your domain.

SPF and DKIM: It's highly recommended to use both SPF (Sender Policy Framework) and DKIM together for the best email authentication and to reduce the chances of your emails being flagged as spam or spoofed.

By enabling DKIM in Office 365, you ensure that your outgoing emails are more secure and that recipients can verify they come from a trusted source.
