This post contains instructions on how to manually enable DKIM signing on Office 365. Eventually, all the contents of this blog post will move to a TechNet article that has details about how to do it using the UX or with PowerShell. That functionality is not yet deployed as of Oct 8, 2015.
However, I get many requests about enabling DKIM signing in Office 365 and a number of our customers have done it. So, rather than having to keep typing it up in email responses, I’m typing up this blog post.
Here’s how to enable DKIM signing for your domain if it is hosted in Office 365 (Exchange Online Protection).
First, for each domain that needs to be DKIM-signed, you will need to publish two CNAMEs in DNS:
| Host name | Points to address or value | TTL |
|---|---|---|
| selector1._domainkey | selector1-<domainGUID>._domainkey.<initialDomain> | 3600 |
| selector2._domainkey | selector2-<domainGUID>._domainkey.<initialDomain> | 3600 |
The <domainGUID> is the same as the <domainGUID> in the customized MX record for your domain, that is, the label that appears before mail.protection.outlook.com. For example, for the domain contoso.com:
contoso.com. 3600 IN MX 5 contoso-com.mail.protection.outlook.com.
The <domainGUID> is contoso-com.
The <initialDomain> is the same one that you signed up with for Office 365. For example, contoso.com may have signed up with contoso.onmicrosoft.com. Therefore, the two CNAMEs that contoso.com would publish are the following:
| Host name | Points to address or value | TTL |
|---|---|---|
| selector1._domainkey | selector1-contoso-com._domainkey.contoso.onmicrosoft.com | 3600 |
| selector2._domainkey | selector2-contoso-com._domainkey.contoso.onmicrosoft.com | 3600 |
You need to do this for each domain that you use to send email. DKIM signing does not inherit DKIM settings for other domains that you have provisioned for your organization.
For example, if your initial domain is contoso.onmicrosoft.com and you have provisioned contoso.com and fabrikam.com, you will need to provision 4 CNAMEs (two for each domain). The two CNAMEs are so that we can perform automatic DKIM key rotation for you.
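To make the naming rule concrete, here is an added example (not from this post or from Microsoft) that derives the two CNAMEs per sending domain from the domain's Office 365 MX target and then compares them with the records a resolver actually returns. The MX targets in `SAMPLE_MX` and the `published` input to `check_published` are constructed sample data.

```python
import re

MX_SUFFIX = ".mail.protection.outlook.com"

# Constructed sample data: custom domain -> its Office 365 MX target.
SAMPLE_MX = {
    "contoso.com": "contoso-com.mail.protection.outlook.com",
    "fabrikam.com": "fabrikam-com.mail.protection.outlook.com",
}


def domain_guid(mx_target: str) -> str:
    """Return the <domainGUID>: the label before mail.protection.outlook.com.
    Rejects targets that are not EOP hostnames, i.e. domains whose mail still
    routes through an on-premises or third-party host."""
    target = mx_target.rstrip(".").lower()
    if not target.endswith(MX_SUFFIX):
        raise ValueError(f"{mx_target!r} is not an Office 365 MX target")
    guid = target[: -len(MX_SUFFIX)]
    if not re.fullmatch(r"[a-z0-9-]+", guid):
        raise ValueError(f"unexpected domainGUID {guid!r}")
    return guid


def dkim_cnames(domain, mx_target, initial_domain):
    """(host, target) pairs to publish under `domain` for selector1 and selector2."""
    guid = domain_guid(mx_target)
    return [(f"selector{n}._domainkey.{domain}",
             f"selector{n}-{guid}._domainkey.{initial_domain}") for n in (1, 2)]


def all_dkim_cnames(mx_by_domain, initial_domain):
    """Two CNAMEs per sending domain; DKIM settings are not inherited between domains."""
    return [rec for d, mx in mx_by_domain.items()
            for rec in dkim_cnames(d, mx, initial_domain)]


def check_published(expected, published):
    """Compare expected records with what DNS returns (`published`: host -> CNAME
    target, gathered with any resolver). Returns a list of problems; empty is good."""
    problems = []
    for host, target in expected:
        got = published.get(host.lower())
        if got is None:
            problems.append(f"{host}: missing")
        elif got.rstrip(".").lower() != target.lower():
            problems.append(f"{host}: points to {got}, expected {target}")
    return problems
```

Running `all_dkim_cnames(SAMPLE_MX, "contoso.onmicrosoft.com")` yields the four records the paragraph above describes, two per domain; feeding the live CNAME answers for those hosts into `check_published` tells you which records are still missing or mistyped before you open the support ticket.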
Second, let us know when this is done and we will enable signing on the backend. You can request this by opening a support ticket telling us which domains you want DKIM signing for. We will then create the 1024-bit DKIM public keys and the associated private keys, which we store internally.
When done, a DKIM-signed message will look like the following:
From: Example User <example@contoso.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    s=selector1; d=contoso.com; t=1429912795;
    h=From:To:Message-ID:Subject:MIME-Version:Content-Type;
    bh=<body hash>;
    b=<signed field>;
The DKIM-signed messages will align with DMARC (the d= domain will align with the 5322.From domain). This is even true for SMTP bounces where the MAIL FROM is <>.
You don’t need to set the size of the DKIM keys, nor rotate the keys (we do that for you). Once you set it, you can forget it.
And that’s it. As I say at the top of this post, this is only a short-term solution and eventually it will all be self-serve (that is, asking us to enable it for you will no longer be required; you will still need to set up the CNAMEs).
Happy DKIM signing!