Eric Rintell
Copper Contributor
Nov 08, 2024

DMarc/DKIM Issues

I have enabled DKIM in Microsoft 365, and according to the Microsoft 365 Defender page, it is enabled and valid for my Exchange domains.

I have created a TXT _dmarc record:

v=DMARC1; p=quarantine; pct=100; rua=mailto:email address removed for privacy reasons; ruf=email address removed for privacy reasons

 

Yet I keep receiving problem reports like the one below. How can I fix this?

<feedback xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<version>1.0</version>
<report_metadata>
<org_name>Enterprise Outlook</org_name>
<email>email address removed for privacy reasons</email>
<report_id>640f326a62f640e4815e84e6f0020d9c</report_id>
<date_range>
<begin>1730764800</begin>
<end>1730851200</end>
</date_range>
</report_metadata>
<policy_published>
<domain>z.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<sp>none</sp>
<pct>100</pct>
<fo>0</fo>
</policy_published>
<record>
<row>
<source_ip>40.107.96.92</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<envelope_to>b.n</envelope_to>
<envelope_from>z.com</envelope_from>
<header_from>z.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>onmicrosoft.com</domain>
<selector>-onmicrosoft-com</selector>
<result>fail</result>
</dkim>
<spf>
<domain>z.com</domain>
<scope>mfrom</scope>
<result>none</result>
</spf>
</auth_results>
</record>
</feedback>

1 Reply

  • MarissaMa
    Iron Contributor

    1. Verify the current configuration
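    powershell
    # Show whether DKIM signing is enabled and which CNAME targets the two selectors expect
    Get-DkimSigningConfig -Identity yourdomain.com | Format-List Enabled,Selector1CNAME,Selector2CNAME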
    Normal state: Enabled = True and at least one Selector is valid.

    2. Fix DKIM Signing
    powershell
    # Enable DKIM signing for the domain
    Set-DkimSigningConfig -Identity yourdomain.com -Enabled $true
    You need to add the corresponding CNAME record in DNS (e.g. selector1._domainkey.yourdomain.com).

    3. Adjust DMARC policy
    Modify the DMARC record in DNS as:

    text
    _dmarc.yourdomain.com. IN TXT "v=DMARC1; p=none; sp=none; rua=mailto:email address removed for privacy reasons"
    Production environments are advised to eventually change to p=quarantine or p=reject.

    4. Verify the fix
    powershell
    Test-EmailAutoConfiguration -Identity email address removed for privacy reasons -Protocol DMARC,DKIM
    Check if the returned result contains Status=Pass.
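
An added example, not part of either post: a small Python parser that reads a DMARC aggregate report like the one in the question and states, per record, why DMARC passed or failed. The sample is constructed (the first record is trimmed from the posted report, the second is invented for contrast), and the two-label `org_domain` helper is an assumption standing in for a Public Suffix List lookup.

```python
import xml.etree.ElementTree as ET  # reports come from third parties; defusedxml is safer for untrusted XML

# Constructed sample: record 1 keeps the deciding fields of the posted report,
# record 2 is an invented aligned sender (documentation IP) for contrast.
REPORT = """<feedback>
<policy_published><domain>z.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
<record><row><source_ip>40.107.96.92</source_ip></row>
<identifiers><header_from>z.com</header_from></identifiers>
<auth_results><dkim><domain>onmicrosoft.com</domain><result>fail</result></dkim>
<spf><domain>z.com</domain><result>none</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.10</source_ip></row>
<identifiers><header_from>z.com</header_from></identifiers>
<auth_results><dkim><domain>mail.z.com</domain><result>pass</result></dkim>
<spf><domain>z.com</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def org_domain(name):
    # Assumption: the last two labels approximate the organizational domain.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth, header_from, mode):
    # Relaxed ("r") compares organizational domains, strict ("s") exact names.
    if mode == "s":
        return auth.lower() == header_from.lower()
    return org_domain(auth) == org_domain(header_from)

def explain(xml_text):
    """Return (source_ip, dmarc_pass, reasons) for each record in the report."""
    root = ET.fromstring(xml_text)
    modes = {"dkim": root.findtext("policy_published/adkim", "r"),
             "spf": root.findtext("policy_published/aspf", "r")}
    out = []
    for rec in root.iter("record"):
        hfrom = rec.findtext("identifiers/header_from", "")
        ok, reasons = False, []
        for mech in ("dkim", "spf"):
            for a in rec.findall(f"auth_results/{mech}"):
                dom, res = a.findtext("domain", ""), a.findtext("result", "")
                if res != "pass":
                    reasons.append(f"{mech} {dom}: result={res}")
                elif not aligned(dom, hfrom, modes[mech]):
                    reasons.append(f"{mech} {dom}: pass but not aligned with {hfrom}")
                else:
                    ok = True  # DMARC needs one mechanism that both passes and aligns
        out.append((rec.findtext("row/source_ip"), ok, reasons))
    return out
```

For the first record neither mechanism produced a pass, and the DKIM signing domain `onmicrosoft.com` would not align with `z.com` under relaxed alignment even if the signature had verified.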
