DKIM

Status
Not open for further replies.

CWM030

Senior Member
Outlook version
Outlook 2016 32 bit
Email Account
Office 365 Exchange
Follow up:

I have made the switch to EXCHANGE... But, I cannot find any place in the O365 documentation to set up DKIM / DMARC?

What do I need to do to set that up?

Thanks,
Chris
 
I thought they had some info at Office 365 for that... will need to look for it.

The TechNet info is here:
Use DKIM to validate outbound email sent from your custom domain in Office 365: Exchange Online Help
Use DMARC to validate email in Office 365: Exchange Online Help


According to the bookmark at Use DKIM to validate outbound email sent from your custom domain in Office 365: Exchange Online Help, if you don't set up a custom DKIM, they have a default policy so the messages appear DKIM-signed.

If you do not enable DKIM, Office 365 automatically creates a 1024-bit DKIM public key for your custom domain and the associated private key which we store internally in our datacenter. By default, Office 365 uses a default signing configuration for domains that do not have a policy in place. This means that if you do not set up DKIM yourself, Office 365 will use its default policy and keys it creates in order to enable DKIM for your domain.
 
Oh wow, first time I've never had to set up a DKIM, SPF, DMARC record.

Awesome that I don't have to go through the stress of setting that stuff up.
 
It's actually not hard to do - I'm working on an article for my website on it.
 
It's actually not hard to do - I'm working on an article for my website on it.


Ahh, do you think I need to set it up?? Or, only having 1 domain, am I okay without it?

Thanks,
Chris
 
I think you are fine - even with multiple, it should be fine.

To test it, send an email to an outlook.com address (probably works to gmail and others, but not aol) and look at the headers. If you are happy with the format, don't worry about it.


This is from my tenant with several domains - I didn't set up records for this domain and the header shows this for the DKIM:
Code:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mytenant.onmicrosoft.com; s=selector1-mydomain-net;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
bh={hash code}; b={signed field}


I set up a custom DKIM record for it (to verify the steps works) and now the DKIM in the header looks like this:
Code:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= mydomain-net;
s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
bh={hash code}; b={signed field}


For DKIM, you need 2 records - I use GoDaddy for DNS and used these values:
CNAME is selector1._domainkey
Points to selector1-mydomain-net._domainkey.mytenant.onmicrosoft.com

Create a second set using selector2 instead of selector1.

If the value isn't correct, when you try to enable it, Office 365 will give you the correct value to use.

I got this back from PowerShell (the web interface method will also show it, but it's harder to copy)
Code:
PS D:\Documents\WindowsPowerShell> New-DkimSigningConfig -DomainName outlook-tips.net -Enabled $true
WARNING: The config was created but can't be enabled because the CNAME records aren't published. Publish the following
two CNAME records, and then enable the config by using Set-DkimSigningConfig.
selector1-outlooktips-net01i._domainkey.Cdolive.onmicrosoft.com
selector2-outlooktips-net01i._domainkey.Cdolive.onmicrosoft.com

DMARC is one text record:
_dmarc
v=DMARC1; p=quarantine

The recommendation is to use p=none to test, but if you aren't using 3rd party mailing services, quarantine is probably ok.
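To check the records described in the post above, here is an added Python example (my own code, not from this thread and not Microsoft's tooling). It reads the two CNAME targets out of the warning text that New-DkimSigningConfig prints, compares them with what a DNS zone actually holds (so a first-guess "dots replaced by dashes" value gets flagged the same way the portal would reject it), and checks that the _dmarc TXT record is a valid DMARC policy. The warning text, the zone contents, example.com and the exampletenant tenant name are all constructed placeholders.

```python
import re

# Constructed sample of the New-DkimSigningConfig warning, in the shape shown in this thread.
# The domain and tenant names are placeholders, not a real tenant.
SAMPLE_WARNING = """WARNING: The config was created but can't be enabled because the CNAME records aren't published. Publish the following
two CNAME records, and then enable the config by using Set-DkimSigningConfig.
selector1-example-com01i._domainkey.Exampletenant.onmicrosoft.com
selector2-example-com01i._domainkey.Exampletenant.onmicrosoft.com"""

# Constructed DNS zones, name -> (type, value), as a registrar's DNS page would hold them.
ZONE_OK = {
    "selector1._domainkey.example.com": ("CNAME", "selector1-example-com01i._domainkey.exampletenant.onmicrosoft.com."),
    "selector2._domainkey.example.com": ("CNAME", "selector2-example-com01i._domainkey.exampletenant.onmicrosoft.com."),
    "_dmarc.example.com": ("TXT", "v=DMARC1; p=quarantine"),
}
# Same zone with the first-guess targets (no "01i" suffix) and no DMARC record yet.
ZONE_GUESSED = {
    "selector1._domainkey.example.com": ("CNAME", "selector1-example-com._domainkey.exampletenant.onmicrosoft.com"),
    "selector2._domainkey.example.com": ("CNAME", "selector2-example-com._domainkey.exampletenant.onmicrosoft.com"),
}


def cname_targets_from_warning(text):
    """Pull the two selector targets out of the New-DkimSigningConfig warning (lowercased, DNS is case-insensitive)."""
    pat = re.compile(r"^\s*(selector[12]-\S+\._domainkey\.\S+\.onmicrosoft\.com)\s*$", re.M | re.I)
    return [m.lower() for m in pat.findall(text)]


def guessed_cname_targets(domain, tenant):
    """The convention shown in the thread: dots in the custom domain replaced by dashes."""
    dashed = domain.lower().replace(".", "-")
    return [f"selector{n}-{dashed}._domainkey.{tenant.lower()}.onmicrosoft.com" for n in (1, 2)]


def parse_dmarc(txt):
    """Parse a 'v=DMARC1; p=...' TXT value into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_zone(domain, zone, targets):
    """Return a list of problems; an empty list means both CNAMEs and the DMARC TXT look right."""
    problems = []
    domain = domain.lower()
    for n, target in zip((1, 2), targets):
        name = f"selector{n}._domainkey.{domain}"
        rec = zone.get(name)
        if rec is None:
            problems.append(f"missing CNAME {name}")
        elif rec[0] != "CNAME":
            problems.append(f"{name} is a {rec[0]} record, expected CNAME")
        elif rec[1].lower().rstrip(".") != target:
            problems.append(f"{name} points to {rec[1]}, expected {target}")
    rec = zone.get(f"_dmarc.{domain}")
    if rec is None or rec[0] != "TXT":
        problems.append(f"missing TXT record _dmarc.{domain}")
    else:
        tags = parse_dmarc(rec[1])
        if tags.get("v") != "DMARC1" or tags.get("p") not in {"none", "quarantine", "reject"}:
            problems.append(f"_dmarc.{domain} is not a valid DMARC record: {rec[1]}")
    return problems


if __name__ == "__main__":
    targets = cname_targets_from_warning(SAMPLE_WARNING)
    for label, zone in (("published zone", ZONE_OK), ("guessed zone", ZONE_GUESSED)):
        print(label + ":", audit_zone("example.com", zone, targets) or "OK")
```

The point of taking the targets from the warning rather than from guessed_cname_targets is exactly the one made above: the name Office 365 assigns can carry an extra suffix, so the value printed by the cmdlet (or the portal) is the one to publish.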
 
oh okay...

I just sent an email to my MSN.com address and this is what I see:
=======================================================
Received: from BY2NAM01HT213.eop-nam01.prod.protection.outlook.com
(2603:10b6:803:22::21) by SN2PR19MB0863.namprd19.prod.outlook.com with HTTPS
via SN4PR0501CA0083.NAMPRD05.PROD.OUTLOOK.COM; Thu, 26 Apr 2018 20:17:09
+0000
Received: from BY2NAM01FT061.eop-nam01.prod.protection.outlook.com
(10.152.68.59) by BY2NAM01HT213.eop-nam01.prod.protection.outlook.com
(10.152.68.126) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.696.11; Thu, 26
Apr 2018 20:17:07 +0000
Authentication-Results: spf=pass (sender IP is 104.47.32.106)
smtp.mailfrom=CWM030.COM; msn.com; dkim=none (message not signed)
header.d=none;msn.com; dmarc=bestguesspass action=none
header.from=CWM030.COM;
Received-SPF: Pass (protection.outlook.com: domain of CWM030.COM designates
104.47.32.106 as permitted sender) receiver=protection.outlook.com;

client-ip=104.47.32.106; helo=NAM01-SN1-obe.outbound.protection.outlook.com;
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (104.47.32.106)
by BY2NAM01FT061.mail.protection.outlook.com (10.152.68.251) with Microsoft
SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.696.11 via
Frontend Transport; Thu, 26 Apr 2018 20:17:07 +0000
X-IncomingTopHeaderMarker: OriginalChecksum:9FA657494D32D1D8357333D46EB9CCDC5ED8194CCB2C2AC712F50FB2AF847EB6;UpperCasedChecksum:79F9A44A7E04E42EA7A5D9F844022A2782240E098264853785FB3F628E0CBDFF;SizeAsReceived:4900;Count:38
Received: from MWHPR2201MB1245.namprd22.prod.outlook.com (10.174.162.9) by
MWHPR2201MB1341.namprd22.prod.outlook.com (10.174.162.144) with Microsoft
SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.696.13; Thu, 26
Apr 2018 20:17:04 +0000
Received: from MWHPR2201MB1245.namprd22.prod.outlook.com
([fe80::b19a:f81c:c26f:b37]) by MWHPR2201MB1245.namprd22.prod.outlook.com
([fe80::b19a:f81c:c26f:b37%13]) with mapi id 15.20.0715.018; Thu, 26 Apr 2018
20:17:04 +0000

Subject: testing headers
 
That definitely doesn't match what the article says... almost makes me want to set up a trial tenant to test it with a new tenant.

I have a second tenant for personal mail and have not set up DKIM or DMARC (but it does have at least 2 domains). Messages sent to Gmail (the Show original option shows the basics at the top):

SPF: PASS with IP 104.47.33.66
DKIM: 'PASS' with domain CDOLiveLLC.onmicrosoft.com


The raw header has the following - I also sent one to an outlook.com account; it is the same but with outlook.com instead of Google mentioned in the header. :) Outlook.com adds a best guess on DMARC though: dmarc=bestguesspass action=none header.from=poremsky.com;


Code:
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@CDOLiveLLC.onmicrosoft.com header.s=selector1-poremsky-com header.b=mNv4Yc/t;
       spf=pass (google.com: domain of {me}@poremsky.com designates 104.47.33.66 as permitted sender) smtp.mailfrom={me}@poremsky.com
--snip--
Received-SPF: pass (google.com: domain of {me}@poremsky.com designates 104.47.33.66 as permitted sender) client-ip=104.47.33.66;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@CDOLiveLLC.onmicrosoft.com header.s=selector1-poremsky-com header.b=mNv4Yc/t;
       spf=pass (google.com: domain of {me}@poremsky.com designates 104.47.33.66 as permitted sender) smtp.mailfrom={me}@poremsky.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=CDOLiveLLC.onmicrosoft.com; s=selector1-poremsky-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh={hash}=; b={signature}
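An added Python example (my own code, not from this thread and not Microsoft's or Google's) that ties together the headers quoted in this post and in the earlier ones: it parses an Authentication-Results header and a DKIM-Signature header and reports which identities align with the From: domain, which is what DMARC actually evaluates. With the default Office 365 signing, the d= domain is the tenant's onmicrosoft.com name, so DKIM passes but does not align with the From: domain and DMARC passes only through SPF; after the custom DKIM setup, d= becomes the custom domain and aligns. The sample headers are constructed in the shape of the Gmail and Outlook.com ones quoted here, with placeholder domains and dummy signature values; org_domain uses a last-two-labels simplification instead of the Public Suffix List.

```python
import re

# Constructed headers modelled on the ones quoted in this thread; domains and b= values are placeholders.
GMAIL_AR = ("mx.google.com; dkim=pass header.i=@exampletenant.onmicrosoft.com "
            "header.s=selector1-example-com header.b=abcd1234; "
            "spf=pass (google.com: domain of user@example.com designates 192.0.2.10 as permitted sender) "
            "smtp.mailfrom=user@example.com")
OUTLOOK_AR = ("spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=example.com; outlook.com; "
              "dkim=none (message not signed) header.d=none;outlook.com; "
              "dmarc=bestguesspass action=none header.from=example.com;")
SIG_DEFAULT = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=exampletenant.onmicrosoft.com; "
               "s=selector1-example-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=XXX=; b=YYY")
SIG_CUSTOM = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; "
              "h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=XXX=; b=YYY")


def parse_tags(value):
    """Parse a 'k=v; k=v' tag list such as a DKIM-Signature value (first '=' splits, so b= keeps its padding)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def dkim_signing_identity(signature_value):
    """Return (signing domain d=, selector s=) from a DKIM-Signature header value."""
    tags = parse_tags(signature_value)
    return tags.get("d", "").lower(), tags.get("s", "")


def _strip_comments(text):
    # Drop RFC 5322 comments "( ... )"; one nesting level is enough for these headers.
    return re.sub(r"\([^()]*\)", " ", text)


def parse_auth_results(value):
    """Parse an Authentication-Results value into {method: {"result": ..., "header.d": ..., ...}}."""
    results = {}
    for clause in value.split(";"):
        tokens = _strip_comments(clause).split()
        if not tokens or "=" not in tokens[0]:
            continue  # an authserv-id such as "mx.google.com", not a method
        method, result = tokens[0].split("=", 1)
        props = {"result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                props[key.lower()] = val
        results[method.lower()] = props
    return results


def org_domain(domain):
    # Simplification: last two labels. A real checker uses the Public Suffix List (think co.uk).
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _domain_of(identity):
    # "user@example.com" -> "example.com"; "@example.com" -> "example.com"; a bare domain is returned as-is.
    return identity.rsplit("@", 1)[-1].lower()


def dmarc_alignment(results, from_domain, relaxed=True):
    """Apply DMARC identifier alignment: SPF aligns on smtp.mailfrom, DKIM on the d= (or i=) domain."""
    from_domain = from_domain.lower()

    def aligned(domain):
        return org_domain(domain) == org_domain(from_domain) if relaxed else domain.lower() == from_domain

    spf = results.get("spf", {})
    dkim = results.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and "smtp.mailfrom" in spf and aligned(_domain_of(spf["smtp.mailfrom"]))
    dkim_domain = dkim.get("header.d") or dkim.get("header.i")
    dkim_ok = dkim.get("result") == "pass" and dkim_domain is not None and aligned(_domain_of(dkim_domain))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    print("default signing identity:", dkim_signing_identity(SIG_DEFAULT))
    print("custom signing identity: ", dkim_signing_identity(SIG_CUSTOM))
    print("Gmail   :", dmarc_alignment(parse_auth_results(GMAIL_AR), "example.com"))
    print("Outlook :", dmarc_alignment(parse_auth_results(OUTLOOK_AR), "example.com"))
```

Run against the Gmail-style header, the DKIM result is pass but dkim_aligned is False, because the signing domain is the onmicrosoft.com tenant name; dmarc_pass is still True through SPF, which matches the bestguesspass Outlook.com reports. Publishing the custom selectors makes d= the custom domain, and then a DMARC evaluation no longer depends on SPF alone (forwarding breaks SPF, not DKIM).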
 
Oh boy.... What do I need to do?
 
Who hosts your DNS records? I'm assuming if Microsoft does, that they set this up, but I don't use them so I can't say for sure. (And I don't think you can edit the DNS records if they are the nameserver.) (If the domain in the header above is correct, Microsoft is the nameserver.)

Go to Sign in to your account - click Admin center at the bottom, choose Exchange. Find the DKIM link (it's under Protection) - select the domain and click Enable on the right.

Do you get an error message like this?

2018-04-26_20-56-40.png
 
Dreamhost hosts the domain.

No error....


Untitled.png
 
Are you sure DNS is at dreamhost? According to this, MS is handling it: Network Tools: DNS,IP,Email

I'm not exactly sure where you'll see the name servers at Sign in to your account - but go there and look around. Maybe select the domain, then click Check DNS - that is where I see this for my domains:
Add the DNS records for me (recommended)
Since GoDaddy is your DNS hosting provider, all you have to do is sign in and we'll update your DNS records.
 
Are you sure DNS is at dreamhost? According to this, MS is handling it: Network Tools: DNS,IP,Email

I'm not exactly sure where you'll see the name servers at Sign in to your account - but go there and look around. Maybe select the domain, then click Check DNS - that is where I see this for my domains:
Add the DNS records for me (recommended)
Since GoDaddy is your DNS hosting provider, all you have to do is sign in and we'll update your DNS records.


Okay that I did change... I had set up the CNAME servers through dreamhost's DNS configuration page....

That was one of the setups pages I had to go through when setting up O365.


Untitled.png
 
Did you set up all of the office 365 records in dreamhost DNS?
 
BTW, the Export button will export a zone file - hopefully you can import it rather than type everything.
 
BTW, the Export button will export a zone file - hopefully you can import it rather than type everything.

I unfortunately had to type everything in. =[ ... More like just copy and paste lol..

1.png


2.png




3.png
 
Is everything correct in that screenshot? ^^^^^
 
I am kinda really frustrated....

I don't know where what goes in which box, due to dreamhost already having ______.cwm030.com line provided.

( Picture attached )

1.png
 