DKIM, Centralized Transport and on premises MTAs

Hi community


My scenario is that I need to enable DKIM signing on my vanity domains within O365. However, I have Centralized Transport configured and email leaves via an on-premises MTA.

I can enable the on-prem MTA to do the DKIM signing, but here are my questions:


1.) Will the existence of the DKIM signature generated by EOP be an issue, i.e. 2 DKIM signatures in the mail?

2.) If the message body has been protected by AIP/DLP/RMS, will the MTA be able to scan the message body to generate a hash to populate into the headers as per DKIM standards?

3.) Hypothetically, would the MTA generate a hash of the message body and/or attachments, not caring whether it can actually read the body or not?


Would the best idea be to apply DKIM within EOP and let the on-prem MTA process the mail outbound with no DKIM, etc.?


I suspect that the best place to do the DKIM is in O365; however, I still have a limited number of mailboxes on premises. Removing the MTA on premises and routing out via EOP is not an option...


Anyone got any suggestions or ideas? Am I raising a fuss about nothing?
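The two mechanics the questions above turn on, the DKIM body hash (bh=) and the independence of multiple DKIM-Signature headers, as an added Python example that is not part of the original post. It assumes nothing about EOP, AIP or any particular MTA: the signing domains, selectors and the opaque payload are constructed stand-ins, and the b= tag is a placeholder because only the body-hash step of RFC 6376 is demonstrated, not the header signature.

```python
"""Added example (not from the original post): RFC 6376 body-hash computation
and per-signature bh= checking on a message carrying two DKIM-Signature headers.
Only the bh= step is implemented; the b= tag holds a constructed placeholder."""
import base64
import hashlib
import re


def _normalize_crlf(body: bytes) -> bytes:
    return body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop trailing empty lines; the body always ends in one CRLF."""
    body = _normalize_crlf(body)
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: strip trailing WSP per line, collapse inner WSP runs to one
    space, then apply the trailing-empty-line rule. An empty body stays empty."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in _normalize_crlf(body).split(b"\r\n")]
    joined = b"\r\n".join(lines)
    if joined.strip(b"\r\n") == b"":
        return b""
    return canon_body_simple(joined)


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """Base64 SHA-256 of the canonicalized body: the value of the bh= tag.
    The bytes are hashed as-is, so an encrypted/opaque body needs no decoding."""
    canonical = canon_body_relaxed(body) if canon == "relaxed" else canon_body_simple(body)
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_signature_headers(message: bytes) -> list:
    """Every DKIM-Signature header value in the message, in order, unfolded."""
    head = message.split(b"\r\n\r\n", 1)[0].decode("ascii")
    unfolded = re.sub(r"\r\n[ \t]+", " ", head)
    return [line.split(":", 1)[1].strip() for line in unfolded.split("\r\n")
            if line.lower().startswith("dkim-signature:")]


def check_body_hashes(message: bytes) -> dict:
    """Recompute bh= for each DKIM-Signature using the canonicalization it declares
    in c=header/body and report match/mismatch keyed by the signing domain d=.
    Each signature is judged on its own, exactly as a verifier treats them."""
    body = message.split(b"\r\n\r\n", 1)[1]
    results = {}
    for value in dkim_signature_headers(message):
        tags = parse_dkim_tags(value)
        c = tags.get("c", "simple/simple")
        body_canon = c.split("/")[1] if "/" in c else "simple"
        results[tags["d"]] = body_hash(body, body_canon) == tags["bh"]
    return results


# Constructed signers: a cloud service signing first, an on-prem MTA signing second.
SIGNERS = [("cloud-tenant.example", "selector1", "relaxed"),
           ("onprem-mta.example", "s2024", "simple")]


def build_message(body: bytes, signers: list = SIGNERS) -> bytes:
    """Constructed sample message with one DKIM-Signature per signer over the same body."""
    headers = []
    for domain, selector, canon in signers:
        headers.append(
            "DKIM-Signature: v=1; a=rsa-sha256; c=%s/%s; d=%s; s=%s;\r\n"
            "\th=from:to:subject; bh=%s;\r\n"
            "\tb=PLACEHOLDER_NOT_A_REAL_SIGNATURE"
            % (canon, canon, domain, selector, body_hash(body, canon)))
    headers += ["From: sender@example.test", "To: rcpt@example.test", "Subject: test"]
    return ("\r\n".join(headers) + "\r\n\r\n").encode("ascii") + body


PLAIN_BODY = b"Hi.\r\n\r\nWe lost the game. Are you hungry yet?  \r\n\r\nJoe.\r\n\r\n\r\n"
# Constructed stand-in for a protected/encrypted payload: opaque base64 bytes that
# the signing MTA cannot interpret. DKIM hashes them like any other body bytes.
OPAQUE_BODY = (b"Content-Type: application/octet-stream\r\n"
               b"Content-Transfer-Encoding: base64\r\n\r\n"
               + base64.b64encode(hashlib.sha256(b"constructed-opaque-payload").digest() * 4)
               + b"\r\n")

if __name__ == "__main__":
    for label, body in (("plaintext", PLAIN_BODY), ("opaque", OPAQUE_BODY)):
        print(label, check_body_hashes(build_message(body)))
```

Two things the run shows. First, the body hash covers the canonicalized bytes after the first blank line and nothing else, so an opaque, encrypted payload is hashed exactly like readable text; the signer never needs to understand the content. Second, each DKIM-Signature header carries its own d=, bh= and b= and is checked independently, so a second signer adding its own header does not by itself invalidate the first one; what would break either signature is a change to the body or to a signed header after that signature was applied.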