SOLVED

Clarification Needed: SPF/DKIM/DMARC Enforcement for Gmail/Yahoo Domains and Resolution for Exchange

Hi,

I'm seeking clarification regarding recent posts from Gmail/Yahoo regarding SPF/DKIM/DMARC requirements for sending domains, particularly in two categories: less than 5000 messages/day and more than 5000 messages/day. I would like to know the deadline for this enforcement and how it works for messages exceeding the 5000 threshold. Will the first 5000 messages be delivered, followed by rejection of subsequent messages over the threshold?

I require comprehensive details on this matter. Additionally, I am seeking resolution guidance for Exchange Hybrid environments. In our setup, Exchange On-Premises server delivers internal mail to Exchange Online via a separate connector. External emails for internal users are delivered directly from Exchange to the internet, bypassing Office 365.

Could you please suggest the best solution for this scenario along with the deadline for implementation?

Looking forward to your insights and assistance.

Thank you.

1 Reply
best response confirmed by janakkhadka (Iron Contributor)
Solution

Hello,

After conducting extensive research and exploring multiple options, I’ve found a potential resolution for this issue. Here are the key points:

  1. Exchange Hybrid Environment with Microsoft 365 Routing: If you’re using the Exchange Hybrid environment and all outgoing emails are routed through Microsoft 365, enabling the DKIM features in Microsoft 365 should resolve the problem. It will send the emails to the internet by signing the email with its DKIM. Microsoft 365 has the DKIM enabled on the onmicrosoft.com domain by default. For safety, consider enabling it for the custom domain as well. This will provide you with two CNAME records which will point to the original DKIM record (TXT record) of the onmicrosoft.com domain.

  2. Exchange Hybrid Domain with Direct Internet Routing: If you’re using the Exchange Hybrid domain, but the routing of emails from the Exchange Server to the Internet bypasses the Microsoft 365 path, then you need to implement a DKIM solution either on your email security gateway (if you’re using one) or install any DKIM solution on the Exchange Server. Enabling DKIM in Microsoft 365 only signs the email from users for Microsoft 365 users.

  3. Exchange On-Prem Environment: If your organization only has an Exchange On-Prem environment, then you will need a DKIM solution installed on the Exchange Server, or your email security gateway must have the DKIM feature if you have a gateway.

I hope this information is helpful and addresses your query. If you have further questions or need additional clarification, please don’t hesitate to ask.
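Added example, not part of the original reply: a header check for a test message sent over each of the three routing paths above, reporting whether it left unsigned, signed only by an onmicrosoft.com domain, or signed by a domain that aligns with the From address. The `contoso.com` names, selector and sample headers are constructed placeholders; the alignment test is a simplification (full DMARC compares organizational domains using the Public Suffix List), and the signature itself is not verified cryptographically.

```python
import email
from email.utils import parseaddr

# Constructed sample headers (not real traffic); contoso.com is a placeholder.
def _msg(dkim_d=None):
    sig = (f"DKIM-Signature: v=1; a=rsa-sha256; d={dkim_d};\n"
           " s=selector1; h=From:Subject; bh=PLACEHOLDER; b=PLACEHOLDER\n") if dkim_d else ""
    return f"From: Alice <alice@contoso.com>\n{sig}Subject: test\n\nbody\n"

SAMPLES = {
    "m365_custom_domain_enabled": _msg("contoso.com"),
    "m365_default_signature_only": _msg("contoso.onmicrosoft.com"),
    "onprem_direct_no_signer": _msg(None),
}

def dkim_domains(msg):
    """Return the d= tag of every DKIM-Signature header, lowercased."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in value.split(";"):
            if "=" in part:
                key, val = part.split("=", 1)
                tags[key.strip().lower()] = "".join(val.split())  # drop folding whitespace
        if "d" in tags:
            found.append(tags["d"].lower())
    return found

def aligned(sign_domain, from_domain):
    """Simplified relaxed alignment: same domain, or one is a subdomain of the other."""
    return (sign_domain == from_domain
            or sign_domain.endswith("." + from_domain)
            or from_domain.endswith("." + sign_domain))

def classify(raw):
    """Classify a raw message as 'unsigned', 'signed-not-aligned' or 'aligned'."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    domains = dkim_domains(msg)
    if not domains:
        return "unsigned"
    if any(aligned(d, from_domain) for d in domains):
        return "aligned"
    return "signed-not-aligned"

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {classify(raw)}")
```

To use it on real mail, send a test message over each outbound path to an external mailbox and pass the raw source of the received message to `classify`.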
